From patchwork Tue Mar 12 19:45:58 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Aaron Plattner X-Patchwork-Id: 2258491 Return-Path: X-Original-To: patchwork-intel-gfx@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork2.kernel.org Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by patchwork2.kernel.org (Postfix) with ESMTP id 19D1EDF23A for ; Tue, 12 Mar 2013 19:47:09 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id B4FCAE5C0E for ; Tue, 12 Mar 2013 12:47:08 -0700 (PDT) X-Original-To: intel-gfx@lists.freedesktop.org Delivered-To: intel-gfx@lists.freedesktop.org Received: from hqemgate04.nvidia.com (hqemgate04.nvidia.com [216.228.121.35]) by gabe.freedesktop.org (Postfix) with ESMTP id E1F6BE5C0E for ; Tue, 12 Mar 2013 12:46:58 -0700 (PDT) Received: from hqnvupgp08.nvidia.com (Not Verified[216.228.121.13]) by hqemgate04.nvidia.com id ; Tue, 12 Mar 2013 12:46:54 -0700 Received: from hqemhub03.nvidia.com ([172.17.108.22]) by hqnvupgp08.nvidia.com (PGP Universal service); Tue, 12 Mar 2013 12:40:25 -0700 X-PGP-Universal: processed; by hqnvupgp08.nvidia.com on Tue, 12 Mar 2013 12:40:25 -0700 Received: from tenor.nvidia.com (172.20.144.16) by hqemhub03.nvidia.com (172.20.150.15) with Microsoft SMTP Server (TLS) id 8.3.298.1; Tue, 12 Mar 2013 12:46:58 -0700 From: Aaron Plattner To: Date: Tue, 12 Mar 2013 12:45:58 -0700 Message-ID: <1363117558-19966-1-git-send-email-aplattner@nvidia.com> X-Mailer: git-send-email 1.8.1.5 X-NVConfidentiality: public MIME-Version: 1.0 Subject: [Intel-gfx] [PATCH] intel: don't crash when freeing an uninitialized screen X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: intel-gfx-bounces+patchwork-intel-gfx=patchwork.kernel.org@lists.freedesktop.org Errors-To: intel-gfx-bounces+patchwork-intel-gfx=patchwork.kernel.org@lists.freedesktop.org When intel_scrn_create creates a screen, it sets scrn->driverPrivate to (void *)(match_data | 1). Normally, this is read by I830PreInit and then replaced with a pointer to the intel_screen_private structure. However, it's possible for the server to delete the screen before initializing it, which leads to a crash in I830FreeScreen when it tries to interpret the unaligned match_data pointer as a pointer to a intel_screen_private. Fix this by checking the low bit of the pointer and skipping the teardown code if it's set. Signed-off-by: Aaron Plattner --- src/intel_driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/intel_driver.c b/src/intel_driver.c index 7f11978..ae2e31e 100644 --- a/src/intel_driver.c +++ b/src/intel_driver.c @@ -1093,7 +1093,7 @@ static void I830FreeScreen(FREE_SCREEN_ARGS_DECL) SCRN_INFO_PTR(arg); intel_screen_private *intel = intel_get_screen_private(scrn); - if (intel) { + if (intel && !((uintptr_t)intel & 1)) { intel_mode_fini(intel); intel_close_drm_master(intel); intel_bufmgr_fini(intel);