From 6db1e5231b7a0e79611f771d4efea686f7849e04 Mon Sep 17 00:00:00 2001 From: Chris Wilson Date: Wed, 2 Jun 2010 20:43:49 +0100 Subject: [PATCH] dri: Protect against NULL dereference following GPU hang. References: Bug 28361 - "glresize" causes server segfault with single buffering. https://bugs.freedesktop.org/show_bug.cgi?id=28361 [ 14528.767] (EE) intel(0): Failed to submit batch buffer, expect rendering corruption or even a frozen display: Input/output error. [ 14528.767] (EE) intel(0): Disabling acceleration. [ 14528.788] Backtrace: [ 14528.858] 0: /usr/bin/X (xorg_backtrace+0x28) [0x491818] [ 14528.858] 1: /usr/bin/X (0x400000+0x65ca9) [0x465ca9] [ 14528.858] 2: /lib/libpthread.so.0 (0x7f9df2dc9000+0xedf0) [0x7f9df2dd7df0] [ 14528.858] 3: /usr/local/lib/libdrm_intel.so.1 (drm_intel_bo_flink+0x0) [0x7f9defd60c60] [ 14528.858] 4: /usr/local/lib/xorg/modules/drivers/intel_drv.so (0x7f9deff6a000+0x2fdfd) [0x7f9deff99dfd] [ 14528.858] 5: /usr/lib/xorg/modules/extensions/libdri2.so (0x7f9df01b8000+0x19e7) [0x7f9df01b99e7] [ 14528.858] 6: /usr/lib/xorg/modules/extensions/libdri2.so (0x7f9df01b8000+0x1fdb) [0x7f9df01b9fdb] [ 14528.858] 7: /usr/lib/xorg/modules/extensions/libdri2.so (DRI2GetBuffersWithFormat+0x10) [0x7f9df01ba250] [ 14528.858] 8: /usr/lib/xorg/modules/extensions/libdri2.so (0x7f9df01b8000+0x3834) [0x7f9df01bb834] [ 14528.858] 9: /usr/bin/X (0x400000+0x2fc2c) [0x42fc2c] [ 14528.858] 10: /usr/bin/X (0x400000+0x24da5) [0x424da5] [ 14528.858] 11: /lib/libc.so.6 (__libc_start_main+0xe6) [0x7f9df1d60a26] [ 14528.858] 12: /usr/bin/X (0x400000+0x24959) [0x424959] [ 14528.858] Segmentation fault at address 0x20 [ 14528.858] Fatal server error: [ 14528.858] Caught signal 11 (Segmentation fault). Server aborting Signed-off-by: Chris Wilson --- src/i830_dri.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/i830_dri.c b/src/i830_dri.c index b1189c36..68b163f1 100644 --- a/src/i830_dri.c +++ b/src/i830_dri.c @@ -146,10 +146,9 @@ I830DRI2CreateBuffers(DrawablePtr drawable, unsigned int *attachments, privates[i].attachment = attachments[i]; bo = i830_get_pixmap_bo(pixmap); - if (dri_bo_flink(bo, &buffers[i].name) != 0) { + if (bo != NULL && dri_bo_flink(bo, &buffers[i].name) != 0) { /* failed to name buffer */ } - } return buffers; @@ -227,6 +226,11 @@ I830DRI2CreateBuffer(DrawablePtr drawable, unsigned int attachment, (format != 0) ? format : drawable->depth, hint); + if (pixmap == NULL) { + xfree(privates); + xfree(buffer); + return NULL; + } } @@ -241,8 +245,12 @@ I830DRI2CreateBuffer(DrawablePtr drawable, unsigned int attachment, privates->attachment = attachment; bo = i830_get_pixmap_bo(pixmap); - if (dri_bo_flink(bo, &buffer->name) != 0) { + if (bo == NULL || dri_bo_flink(bo, &buffer->name) != 0) { /* failed to name buffer */ + screen->DestroyPixmap(pixmap); + xfree(privates); + xfree(buffer); + return NULL; } return buffer;