Module: Mesa Branch: staging/21.2 Commit: bfed48b382e2181c065f300bdd33df1fe35a51b0 URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=bfed48b382e2181c065f300bdd33df1fe35a51b0
Author: Alyssa Rosenzweig <[email protected]> Date: Mon Aug 23 20:18:25 2021 -0400 panfrost: Fix NULL dereference in allowlist code If a user attempts to run Panfrost on an unsupported GPU (e.g. Mali T604), Panfrost will refuse to load and will destroy the screen immediately, allowing for a graceful fallback to a software rasterizer. However, the screen destroy code calls a screen_destroy function in the GenXML vtbl -- and this function is still NULL when the allowlist is checked. This manifests as crashes on unsuported GPUs. Issue tracked down with Icecream95's mad Ghidra skills. Closes: #5269 Fixes: 88dc4db6be7 ("panfrost: Init/destroy blitter from per-gen file") Signed-off-by: Alyssa Rosenzweig <[email protected]> Reported-by: Icecream95 <[email protected]> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/12512> (cherry picked from commit 2d31d469f771b5ef617c88b8b50dff97288284fe) --- .pick_status.json | 2 +- src/gallium/drivers/panfrost/pan_screen.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.pick_status.json b/.pick_status.json index e530dc299d5..7c2f17999c3 100644 --- a/.pick_status.json +++ b/.pick_status.json @@ -238,7 +238,7 @@ "description": "panfrost: Fix NULL dereference in allowlist code", "nominated": true, "nomination_type": 1, - "resolution": 0, + "resolution": 1, "main_sha": null, "because_sha": "88dc4db6be7e21dee525ce1dd4e411664ebc33d6" }, diff --git a/src/gallium/drivers/panfrost/pan_screen.c b/src/gallium/drivers/panfrost/pan_screen.c index 6df27b4cdd5..432351ba72d 100644 --- a/src/gallium/drivers/panfrost/pan_screen.c +++ b/src/gallium/drivers/panfrost/pan_screen.c @@ -701,7 +701,8 @@ panfrost_destroy_screen(struct pipe_screen *pscreen) panfrost_pool_cleanup(&screen->blitter.desc_pool); pan_blend_shaders_cleanup(dev); - screen->vtbl.screen_destroy(pscreen); + if (screen->vtbl.screen_destroy) + screen->vtbl.screen_destroy(pscreen); if (dev->ro) dev->ro->destroy(dev->ro);
