[Mesa-stable] [PATCH] egl/drm: ensure the backing gbm is set before using it

Fri Jul 5 21:58:41 UTC 2019

On Friday, 2019-07-05 11:21:41 +0100, Emil Velikov wrote:
> From: Emil Velikov <emil.velikov at collabora.com>
> 
> Currently, if we error out before gbm_dri is set (say due to a different
> name of the backing GBM implementation, or otherwise) the tear down will
> trigger a NULL ptr deref and crash out.
> 
> Move the gbm_dri initialization as early as possible. To be on the extra
> safe side add a NULL check in the teardown.
> 
> Reported-by: Christian Gmeiner <christian.gmeiner at gmail.com>
> Cc: Christian Gmeiner <christian.gmeiner at gmail.com>
> Cc: Eric Engestrom <eric.engestrom at intel.com>
> Cc: mesa-stable at lists.freedesktop.org
> Signed-off-by: Emil Velikov <emil.velikov at collabora.com>
> ---
> Supersedes https://gitlab.freedesktop.org/mesa/mesa/merge_requests/1182
> ---
>  src/egl/drivers/dri2/platform_drm.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/egl/drivers/dri2/platform_drm.c b/src/egl/drivers/dri2/platform_drm.c
> index a811834114d..3e2124ad39c 100644
> --- a/src/egl/drivers/dri2/platform_drm.c
> +++ b/src/egl/drivers/dri2/platform_drm.c
> @@ -704,6 +704,7 @@ dri2_initialize_drm(_EGLDisplay *disp)
>           goto cleanup;
>        }
>     }
> +   dri2_dpy->gbm_dri = gbm_dri_device(gbm);
>  
>     if (strcmp(gbm_device_get_backend_name(gbm), "drm") != 0) {
>        err = "DRI2: gbm device using incorrect/incompatible backend";
> @@ -718,7 +719,6 @@ dri2_initialize_drm(_EGLDisplay *disp)
>  
>     disp->Device = dev;
>  
> -   dri2_dpy->gbm_dri = gbm_dri_device(gbm);
>     dri2_dpy->driver_name = strdup(dri2_dpy->gbm_dri->driver_name);
>  
>     dri2_dpy->dri_screen = dri2_dpy->gbm_dri->screen;
> @@ -777,6 +777,6 @@ cleanup:
>  void
>  dri2_teardown_drm(struct dri2_egl_display *dri2_dpy)
>  {
> -   if (dri2_dpy->own_device)
> +   if (dri2_dpy->own_device && dri2_dpy->gbm_dri)

This would only be reachable by eglTerminate()ing an uninitialised
display, which is explicitly invalid anyway.

I think you can drop this check.

The gbm_dri_device(gbm) move above is:
Reviewed-by: Eric Engestrom <eric.engestrom at intel.com>

>        gbm_device_destroy(&dri2_dpy->gbm_dri->base);
>  }
> -- 
> 2.21.0
> 