From patchwork Mon Mar 11 23:08:38 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Aaron Plattner X-Patchwork-Id: 2264901
From: Aaron Plattner To: Date: Mon, 11 Mar 2013 16:08:38 -0700 Message-ID: <1363043318-17238-1-git-send-email-aplattner@nvidia.com> X-Mailer: git-send-email 1.8.1.5 X-NVConfidentiality: public MIME-Version: 1.0 X-Mailman-Approved-At: Wed, 13 Mar 2013 13:20:48 -0700 Cc: Aaron Plattner Subject: [Intel-gfx] [PATCH] intel: don't crash when freeing an uninitialized screen X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: intel-gfx-bounces+patchwork-intel-gfx=patchwork.kernel.org@lists.freedesktop.org Errors-To: intel-gfx-bounces+patchwork-intel-gfx=patchwork.kernel.org@lists.freedesktop.org When intel_scrn_create creates a screen, it sets scrn->driverPrivate to (void *)(match_data | 1). Normally, this is read by I830PreInit and then replaced with a pointer to the intel_screen_private structure. However, it's possible for the server to delete the screen before initializing it, which leads to a crash in I830FreeScreen when it tries to interpret the unaligned match_data pointer as a pointer to a intel_screen_private. Fix this by checking the low bit of the pointer and skipping the teardown code if it's set. Signed-off-by: Aaron Plattner --- src/intel_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/intel_driver.c b/src/intel_driver.c index 7f11978..ae2e31e 100644 --- a/src/intel_driver.c +++ b/src/intel_driver.c @@ -1093,7 +1093,7 @@ static void I830FreeScreen(FREE_SCREEN_ARGS_DECL) SCRN_INFO_PTR(arg); intel_screen_private *intel = intel_get_screen_private(scrn); - if (intel) { + if (intel && !((uintptr_t)intel & 1)) { intel_mode_fini(intel); intel_close_drm_master(intel); intel_bufmgr_fini(intel);
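
Review bot: The new condition in I830FreeScreen, `if (intel && !((uintptr_t)intel & 1)) {`, tests a tag bit with nothing at the call site saying what the bit means, so the next reader sees an unexplained magic `& 1`. A short comment above the `if` that points at the `match_data | 1` value stored by intel_scrn_create would tie the two together. Since the commit message describes this as a convention on scrn->driverPrivate, a small named predicate would also let any other path that can run before I830PreInit make the same check instead of repeating the mask. By the time the test runs, the tagged value has already been returned by intel_get_screen_private() as an `intel_screen_private *`; nothing in the hunk dereferences it, but testing scrn->driverPrivate before it is treated as a structure pointer would keep a non-pointer value out of a variable named `intel`. Also confirm that this file already gets `uintptr_t` from an included header, since the hunk adds no include.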