Mesa (staging/21.3): dri: avoid NULL deref of DrawBuffer on flush

Sat Feb 12 02:31:50 UTC 2022

Module: Mesa
Branch: staging/21.3
Commit: df32e4729f875f8368a15aea835cffb774b406d8
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=df32e4729f875f8368a15aea835cffb774b406d8

Author: Jonathan Gray <jsg at jsg.id.au>
Date:   Fri Feb 11 14:47:12 2022 +1100

dri: avoid NULL deref of DrawBuffer on flush

The same problem with 17e62a3c23f68df802bcbfdab947dff4226fa281
fixed for i965 with 6bc710d7694bf1f0ae019326407f7d32af043852
exists with other drivers.

With Mesa 21.3.6 on radeon r100 it shows as:
_mesa_is_winsys_fbo (fb=0x0)
radeonFlush
_mesa_make_current
_mesa_free_context_data
radeonDestroyContext
driDestroyContext
dri2_destroy_context
glx_display_free
__glXCloseDisplay
XCloseDisplay

Follow the i965 change and add a NULL test before flush for
radeon, i915 and nouveau.

Fixes: 17e62a3c23f ("mesa: (correctly) flush more in _mesa_make_current")
Reviewed-by: Adam Jackson <ajax at redhat.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/14989>

---

 src/mesa/drivers/dri/i915/intel_context.c     | 3 ++-
 src/mesa/drivers/dri/nouveau/nouveau_driver.c | 2 +-
 src/mesa/drivers/dri/radeon/radeon_common.c   | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/mesa/drivers/dri/i915/intel_context.c b/src/mesa/drivers/dri/i915/intel_context.c
index 186887f615a..7e5bb4bb5c4 100644
--- a/src/mesa/drivers/dri/i915/intel_context.c
+++ b/src/mesa/drivers/dri/i915/intel_context.c
@@ -111,7 +111,8 @@ intel_flush_front(struct gl_context *ctx)
     __DRIdrawable *driDrawable = driContext->driDrawablePriv;
     __DRIscreen *const screen = intel->intelScreen->driScrnPriv;
 
-    if (intel->front_buffer_dirty && _mesa_is_winsys_fbo(ctx->DrawBuffer)) {
+    if (intel->front_buffer_dirty && ctx->DrawBuffer &&
+        _mesa_is_winsys_fbo(ctx->DrawBuffer)) {
       if (flushFront(screen) &&
           driDrawable &&
           driDrawable->loaderPrivate) {
diff --git a/src/mesa/drivers/dri/nouveau/nouveau_driver.c b/src/mesa/drivers/dri/nouveau/nouveau_driver.c
index 1165786a284..f242eb557e9 100644
--- a/src/mesa/drivers/dri/nouveau/nouveau_driver.c
+++ b/src/mesa/drivers/dri/nouveau/nouveau_driver.c
@@ -71,7 +71,7 @@ nouveau_flush(struct gl_context *ctx, unsigned gallium_flush_flags)
 
 	PUSH_KICK(push);
 
-	if (_mesa_is_winsys_fbo(ctx->DrawBuffer) &&
+	if (ctx->DrawBuffer && _mesa_is_winsys_fbo(ctx->DrawBuffer) &&
 	    ctx->DrawBuffer->_ColorDrawBufferIndexes[0] == BUFFER_FRONT_LEFT) {
 		__DRIscreen *screen = nctx->screen->dri_screen;
 		const __DRIdri2LoaderExtension *dri2 = screen->dri2.loader;
diff --git a/src/mesa/drivers/dri/radeon/radeon_common.c b/src/mesa/drivers/dri/radeon/radeon_common.c
index 047f8559d7e..02f5eca19d9 100644
--- a/src/mesa/drivers/dri/radeon/radeon_common.c
+++ b/src/mesa/drivers/dri/radeon/radeon_common.c
@@ -544,7 +544,8 @@ void radeonFlush(struct gl_context *ctx, unsigned gallium_flush_flags)
 		rcommonFlushCmdBuf(radeon, __func__);
 
 flush_front:
-	if (_mesa_is_winsys_fbo(ctx->DrawBuffer) && radeon->front_buffer_dirty) {
+	if (ctx->DrawBuffer && _mesa_is_winsys_fbo(ctx->DrawBuffer) &&
+	    radeon->front_buffer_dirty) {
 		__DRIscreen *const screen = radeon->radeonScreen->driScreen;
 
 		if (screen->dri2.loader && (screen->dri2.loader->base.version >= 2)

