drisw: do not destroy the winsys on screen creation failure
This is the wrong place to free the winsys. The winsys is allocated inside pipe_loader_probe and gets deallocated inside pipe_loader_release.
We shouldn't play "smart" tricks by deallocating inside pipe_loader_create_screen.
Fixes a heap-use-after-free:
==2524830==ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x607000002160 thread T0
#0 0x7ffff22c1269 in pipe_loader_sw_release ../src/gallium/auxiliary/pipe-loader/pipe_loader_sw.c:385
#1 0x7ffff22bf615 in pipe_loader_release ../src/gallium/auxiliary/pipe-loader/pipe_loader.c:75
...
0x607000002160 is located 0 bytes inside of 80-byte region [0x607000002160,0x6070000021b0)
freed by thread T0 here:
#0 0x7ffff78b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x7ffff22d5181 in null_sw_destroy ../src/gallium/winsys/sw/null/null_sw_winsys.c:128
#2 0x7ffff22c149a in pipe_loader_sw_create_screen ../src/gallium/auxiliary/pipe-loader/pipe_loader_sw.c:428
#3 0x7ffff22bfe58 in pipe_loader_create_screen_vk ../src/gallium/auxiliary/pipe-loader/pipe_loader.c:171
#4 0x7ffff22bfeb9 in pipe_loader_create_screen ../src/gallium/auxiliary/pipe-loader/pipe_loader.c:177
...
previously allocated by thread T0 here:
#0 0x7ffff78ba097 in calloc (/lib64/libasan.so.8+0xba097)
#1 0x7ffff22d5197 in null_sw_create ../src/gallium/winsys/sw/null/null_sw_winsys.c:137
#2 0x7ffff22c0e11 in pipe_loader_sw_probe_null ../src/gallium/auxiliary/pipe-loader/pipe_loader_sw.c:318
#3 0x7ffff22c0f6e in pipe_loader_sw_probe ../src/gallium/auxiliary/pipe-loader/pipe_loader_sw.c:340
#4 0x7ffff22bf547 in pipe_loader_probe ../src/gallium/auxiliary/pipe-loader/pipe_loader.c:64
...
Fixes: 1e6e3427 ("drisw: don't leak the winsys")
/cc @zmike
Edited by Karol Herbst
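
The ownership rule described in the message above, as an added example that is not code from this merge request or from Mesa. All `toy_*` names are hypothetical, and a static slot stands in for the heap so that the stale access in release can be counted instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-ins, not Mesa's types. */
struct toy_winsys { bool alive; };
struct toy_device { struct toy_winsys *ws; };

static struct toy_winsys slot;   /* replaces calloc/free for the demo */
static int stale_accesses;       /* accesses to an already destroyed winsys */

static void toy_winsys_destroy(struct toy_winsys *ws) {
    if (!ws->alive) { stale_accesses++; return; } /* a UAF on a real heap */
    ws->alive = false;
}

/* probe allocates the winsys: the device owns it from here on */
static bool toy_probe(struct toy_device *dev) {
    slot.alive = true;
    dev->ws = &slot;
    return true;
}

/* Screen creation always fails here (constructed failure).
 * free_on_failure selects the behaviour the message calls a "smart" trick. */
static void *toy_create_screen(struct toy_device *dev, bool free_on_failure) {
    void *screen = NULL;
    if (!screen && free_on_failure)
        toy_winsys_destroy(dev->ws);  /* dev->ws is left dangling */
    return screen;
}

/* release is the single place that frees what probe allocated */
static void toy_release(struct toy_device *dev) {
    toy_winsys_destroy(dev->ws);
    dev->ws = NULL;
}

/* probe -> failed create_screen -> release; returns stale accesses seen */
static int run_lifecycle(bool free_on_failure) {
    struct toy_device dev = {0};
    stale_accesses = 0;
    toy_probe(&dev);
    toy_create_screen(&dev, free_on_failure);
    toy_release(&dev);
    return stale_accesses;
}
```

With `free_on_failure` set, release touches the winsys after it was destroyed, which is the access AddressSanitizer reports in the trace; with it cleared, the winsys is destroyed exactly once.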