From 6ba3c5263d979209af3b6f2bf4546b158362b0fe Mon Sep 17 00:00:00 2001
From: Matt Coster
Date: Tue, 3 Oct 2023 14:23:06 +0100
Subject: [PATCH] pvr: Fix ds subtile alignment NULL pointer dereference
pvr_cmd_buffer_end_sub_cmd() sets the current sub-command to NULL. This was causing list_move_to(), which is called immediately after this, to access a NULL pointer. Fix this by storing the current sub command before calling pve_cmd_buffer_end_sub_cmd() so that this can be used instead when modifying the list.
Fixes: d1b17a5edcd ("pvr: Implement ZLS subtile alignment")
Signed-off-by: Matt Coster
Acked-by: Alyssa Rosenzweig
Part-of:
---
 src/imagination/vulkan/pvr_cmd_buffer.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/imagination/vulkan/pvr_cmd_buffer.c b/src/imagination/vulkan/pvr_cmd_buffer.c
index 4d6f529e649..daa36e95f4d 100644
--- a/src/imagination/vulkan/pvr_cmd_buffer.c
+++ b/src/imagination/vulkan/pvr_cmd_buffer.c
@@ -1168,6 +1168,7 @@ pvr_sub_cmd_gfx_align_ds_subtiles(struct pvr_cmd_buffer *const cmd_buffer,
 */
 assert(list_last_entry(&cmd_buffer->sub_cmds, struct pvr_sub_cmd, link) == prev_sub_cmd);
+ assert(prev_sub_cmd == cmd_buffer->state.current_sub_cmd);
 if (!pvr_ds_attachment_requires_zls(ds))
 return VK_SUCCESS;
@@ -1222,6 +1223,8 @@ pvr_sub_cmd_gfx_align_ds_subtiles(struct pvr_cmd_buffer *const cmd_buffer,
 };
 if (ds->load.d || ds->load.s) {
+ struct pvr_sub_cmd *new_sub_cmd;
+
 cmd_buffer->state.current_sub_cmd = NULL;
 result =
@@ -1229,6 +1232,8 @@ pvr_sub_cmd_gfx_align_ds_subtiles(struct pvr_cmd_buffer *const cmd_buffer,
 if (result != VK_SUCCESS)
 return result;
+ new_sub_cmd = cmd_buffer->state.current_sub_cmd;
+
 result = pvr_copy_image_to_buffer_region_format(cmd_buffer, ds_image, buffer->dev_addr,
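Review bot: The early `return result;` paths inside the `if (ds->load.d || ds->load.s)` block leave `cmd_buffer->state.current_sub_cmd` unrestored, because `prev_sub_cmd` is written back only on the last line of the block; the same applies to the failure returns in the two later hunks. After a failed start it is presumably still NULL, and after a failed copy or end it may point at the transfer sub-command rather than the graphics one that the new entry assert requires. Either restore it with `cmd_buffer->state.current_sub_cmd = prev_sub_cmd;` before each failure return, or add a comment stating that the command buffer must not be recorded into after a non-success result. The function starts and ends outside these hunks, so how callers handle the error is not visible here.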
@@ -1238,7 +1243,7 @@ pvr_sub_cmd_gfx_align_ds_subtiles(struct pvr_cmd_buffer *const cmd_buffer,
 if (result != VK_SUCCESS)
 return result;
- cmd_buffer->state.current_sub_cmd->transfer.serialize_with_frag = true;
+ new_sub_cmd->transfer.serialize_with_frag = true;
 result = pvr_cmd_buffer_end_sub_cmd(cmd_buffer);
 if (result != VK_SUCCESS)
@@ -1247,8 +1252,7 @@ pvr_sub_cmd_gfx_align_ds_subtiles(struct pvr_cmd_buffer *const cmd_buffer,
 /* Now we have to fiddle with cmd_buffer to place this transfer command
 * *before* the target gfx subcommand.
 */
- list_move_to(&cmd_buffer->state.current_sub_cmd->link,
- &prev_sub_cmd->link);
+ list_move_to(&new_sub_cmd->link, &prev_sub_cmd->link);
 cmd_buffer->state.current_sub_cmd = prev_sub_cmd;
 }
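Review bot: `new_sub_cmd` is dereferenced in `list_move_to(&new_sub_cmd->link, &prev_sub_cmd->link);` after `pvr_cmd_buffer_end_sub_cmd()` has returned, so the fix is only sound if ending a sub-command never frees or unlinks it. That contract is not visible in this hunk; once verified, it deserves a comment above the move such as `/* end_sub_cmd() clears state.current_sub_cmd but keeps the sub-command on cmd_buffer->sub_cmds, so new_sub_cmd is still valid here. */`. Separately, the existing comment requires the transfer to land *before* the gfx sub-command, but `list_move_to()` is not shown on this page, so the side of `loc` it inserts on should be confirmed. Repeating the entry check after the move, `assert(list_last_entry(&cmd_buffer->sub_cmds, struct pvr_sub_cmd, link) == prev_sub_cmd);`, would pin that ordering in debug builds. The function body continues outside the hunk.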