mesa: Fix use after free.

Reset the pointer to the earlier free st_context.
Check the st_context pointer before st_glFlush.

Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/8195

Signed-off-by: Mykola Piatykop <mykola.piatykop@globallogic.com>
Reviewed-by: Marek Olšák <marek.olsak@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21656>

diff --git a/src/mesa/main/context.c b/src/mesa/main/context.c
index 2b810b0..dcae7f6 100644 (file)
--- a/src/mesa/main/context.c
+++ b/src/mesa/main/context.c
@@ -1502,7 +1502,9 @@ _mesa_make_current( struct gl_context *newCtx,
        curCtx->Const.ContextReleaseBehavior ==
        GL_CONTEXT_RELEASE_BEHAVIOR_FLUSH) {
       FLUSH_VERTICES(curCtx, 0, 0);
-      st_glFlush(curCtx, 0);
+      if (curCtx->st){
+         st_glFlush(curCtx, 0);
+      }
    }
 
    if (!newCtx) {

diff --git a/src/mesa/state_tracker/st_context.c b/src/mesa/state_tracker/st_context.c
index 6f430ed..c61aa17 100644 (file)
--- a/src/mesa/state_tracker/st_context.c
+++ b/src/mesa/state_tracker/st_context.c
@@ -371,6 +371,7 @@ st_destroy_context_priv(struct st_context *st, bool destroy_pipe)
    if (st->pipe && destroy_pipe)
       st->pipe->destroy(st->pipe);
 
+   st->ctx->st = NULL;
    FREE(st);
 }