From c10b7854902cec504b5bc5139d9a56e489c00b16 Mon Sep 17 00:00:00 2001
From: Dave Airlie
Date: Mon, 8 Feb 2021 16:52:57 +1000
Subject: [PATCH] llvmpipe: fix use after free with fs variant cleanup

item->base will be freed for the NULL reference write so just use a temporary to avoid it. This was found with asan and lavapipe: dEQP-VK.api.copy_and_blit.core.blit_image*
Reviewed-by: Adam Jackson
Part-of:
---
 src/gallium/drivers/llvmpipe/lp_state_fs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/gallium/drivers/llvmpipe/lp_state_fs.c b/src/gallium/drivers/llvmpipe/lp_state_fs.c
index b151efcd798..ec77d3cee33 100644
--- a/src/gallium/drivers/llvmpipe/lp_state_fs.c
+++ b/src/gallium/drivers/llvmpipe/lp_state_fs.c
@@ -4235,7 +4235,8 @@ llvmpipe_update_fs(struct llvmpipe_context *lp)
 assert(item);
 assert(item->base);
 llvmpipe_remove_shader_variant(lp, item->base);
- lp_fs_variant_reference(lp, &item->base, NULL);
+ struct lp_fragment_shader_variant *variant = item->base;
+ lp_fs_variant_reference(lp, &variant, NULL);
 }
 }
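Review bot: The temporary introduced at `struct lp_fragment_shader_variant *variant = item->base;` needs a comment in the code, because nothing in the hunk explains why `&item->base` must not be passed directly: the commit message says the storage behind `item->base` is freed when the last reference is dropped, so the NULL write that `lp_fs_variant_reference` makes through its pointer argument afterwards would land in freed memory, and a later cleanup could "simplify" the two lines back to the original form and reintroduce the use-after-free. Suggest `/* Copy the pointer first: item appears to be freed along with the variant, so the NULL write done by lp_fs_variant_reference must not go through item->base. */`, hedged because the ownership of `item` is not visible in this hunk. For the same reason it would be clearer to take the copy before the `llvmpipe_remove_shader_variant(lp, item->base);` call and pass `variant` there too, so that `item` is not touched at all once the teardown sequence starts. The enclosing function `llvmpipe_update_fs` begins outside the hunk, and the hunk header counts (7/8) suggest one context line was lost in the page's rendering.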