xfree86: Reset randr_crtc and randr_output early in xf86CrtcCloseScreen

The DIX crtc and output structures are freed when their resources are destroyed, which happens before CloseScreen is called. As a result, we know these pointers are invalid and referencing them during any of the remaining CloseScreen sequence will be bad. Reviewed-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Keith Packard <keithp@keithp.com> Cc: thellstrom@vmware.com Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=106960
2018-06-28 11:45:15 -07:00 · 2018-06-28 11:45:15 -07:00 · c55a44a9a8
commit c55a44a9a8
parent 49283e238a
1 changed files with 14 additions and 8 deletions
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@ -734,14 +734,11 @@ xf86CrtcCloseScreen(ScreenPtr screen)
    xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(scrn);
    int o, c;

-    screen->CloseScreen = config->CloseScreen;
-
-    xf86RotateCloseScreen(screen);
-
-    xf86RandR12CloseScreen(screen);
-
-    screen->CloseScreen(screen);
-
+    /* The randr_output and randr_crtc pointers are already invalid as
+     * the DIX resources were freed when the associated resources were
+     * freed. Clear them now; referencing through them during the rest
+     * of the CloseScreen sequence will not end well.
+     */
    for (o = 0; o < config->num_output; o++) {
        xf86OutputPtr output = config->output[o];

@ -752,6 +749,15 @@ xf86CrtcCloseScreen(ScreenPtr screen)

        crtc->randr_crtc = NULL;
    }
+
+    screen->CloseScreen = config->CloseScreen;
+
+    xf86RotateCloseScreen(screen);
+
+    xf86RandR12CloseScreen(screen);
+
+    screen->CloseScreen(screen);
+
    /* detach any providers */
    if (config->randr_provider) {
        RRProviderDestroy(config->randr_provider);