uxa: don't crash when freeing an uninitialized screen

When intel_scrn_create creates a screen, it sets scrn->driverPrivate to (void *)(match_data | 1). Normally, this is read by I830PreInit and then replaced with a pointer to the intel_screen_private structure. However, it's possible for the server to delete the screen before initializing it, which leads to a crash in I830FreeScreen when it tries to interpret the unaligned match_data pointer as a pointer to a intel_screen_private. Fix this by checking the low bit of the pointer and skipping the teardown code if it's set. Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
author: Aaron Plattner <aplattner@nvidia.com> 2013-03-12 12:45:58 -0700
committer: Chris Wilson <chris@chris-wilson.co.uk> 2013-03-12 20:20:51 +0000
commit: ee0ed88a09bc2f8ebe49b1d7f7e209a73e02fee0 (patch)
tree: 96a69ebde9b7a03aab23d6bbdce68f1dd10b3219
parent: b1952e79021759927361d284b157713a651a10b1 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/intel_driver.c b/src/intel_driver.c
index 7f11978d..ae2e31e8 100644
--- a/src/intel_driver.c
+++ b/src/intel_driver.c
@@ -1093,7 +1093,7 @@ static void I830FreeScreen(FREE_SCREEN_ARGS_DECL)
 	SCRN_INFO_PTR(arg);
 	intel_screen_private *intel = intel_get_screen_private(scrn);
 
-	if (intel) {
+	if (intel && !((uintptr_t)intel & 1)) {
 		intel_mode_fini(intel);
 		intel_close_drm_master(intel);
 		intel_bufmgr_fini(intel);
author	Aaron Plattner <aplattner@nvidia.com>	2013-03-12 12:45:58 -0700
committer	Chris Wilson <chris@chris-wilson.co.uk>	2013-03-12 20:20:51 +0000
commit	ee0ed88a09bc2f8ebe49b1d7f7e209a73e02fee0 (patch)
tree	96a69ebde9b7a03aab23d6bbdce68f1dd10b3219
parent	b1952e79021759927361d284b157713a651a10b1 (diff)