Skip to content

lima: fix NULL pointer dereference on error path in lima_context_destroy

When the following code path happens:

  • lima_context_create
    • lima_submit_create
      • drmSyncobjCreate: can fail here
    • Thus ctx->pp_submit and ctx->gp_submit are NULL
    • lima_context_destroy
      • lima_submit_free: will access submit->in_sync_fd

It triggers a segfault in mesa because we are trying to derefence both ctx->pp_submit and ctx->gp_submit which are NULL.

Merge request reports

Loading