Mesa (staging/21.2): panfrost: Fix NULL dereference in allowlist code

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Tue Aug 24 20:29:58 UTC 2021 

Module: Mesa
Branch: staging/21.2
Commit: bfed48b382e2181c065f300bdd33df1fe35a51b0
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=bfed48b382e2181c065f300bdd33df1fe35a51b0

Author: Alyssa Rosenzweig <alyssa at collabora.com>
Date:   Mon Aug 23 20:18:25 2021 -0400

panfrost: Fix NULL dereference in allowlist code

If a user attempts to run Panfrost on an unsupported GPU (e.g. Mali
T604), Panfrost will refuse to load and will destroy the screen
immediately, allowing for a graceful fallback to a software rasterizer.
However, the screen destroy code calls a screen_destroy function in the
GenXML vtbl -- and this function is still NULL when the allowlist is
checked. This manifests as crashes on unsuported GPUs.

Issue tracked down with Icecream95's mad Ghidra skills.

Closes: #5269
Fixes: 88dc4db6be7 ("panfrost: Init/destroy blitter from per-gen file")
Signed-off-by: Alyssa Rosenzweig <alyssa at collabora.com>
Reported-by: Icecream95 <ixn at disroot.org>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/12512>
(cherry picked from commit 2d31d469f771b5ef617c88b8b50dff97288284fe)

---

 .pick_status.json                         | 2 +-
 src/gallium/drivers/panfrost/pan_screen.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.pick_status.json b/.pick_status.json
index e530dc299d5..7c2f17999c3 100644
--- a/.pick_status.json
+++ b/.pick_status.json
@@ -238,7 +238,7 @@
         "description": "panfrost: Fix NULL dereference in allowlist code",
         "nominated": true,
         "nomination_type": 1,
-        "resolution": 0,
+        "resolution": 1,
         "main_sha": null,
         "because_sha": "88dc4db6be7e21dee525ce1dd4e411664ebc33d6"
     },
diff --git a/src/gallium/drivers/panfrost/pan_screen.c b/src/gallium/drivers/panfrost/pan_screen.c
index 6df27b4cdd5..432351ba72d 100644
--- a/src/gallium/drivers/panfrost/pan_screen.c
+++ b/src/gallium/drivers/panfrost/pan_screen.c
@@ -701,7 +701,8 @@ panfrost_destroy_screen(struct pipe_screen *pscreen)
         panfrost_pool_cleanup(&screen->blitter.desc_pool);
         pan_blend_shaders_cleanup(dev);
 
-        screen->vtbl.screen_destroy(pscreen);
+        if (screen->vtbl.screen_destroy)
+                screen->vtbl.screen_destroy(pscreen);
 
         if (dev->ro)
                 dev->ro->destroy(dev->ro);

More information about the mesa-commit mailing list