The DIX crtc and output structures are freed when their resources are destroyed, which happens before CloseScreen is called. As a result, we know these pointers are invalid and referencing them during any of the remaining CloseScreen sequence will be bad.
Signed-off-by: Keith Packard <kei...@keithp.com> Cc: thellst...@vmware.com Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=106960 --- hw/xfree86/modes/xf86Crtc.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c index 4aa77a244..142ab1ebe 100644 --- a/hw/xfree86/modes/xf86Crtc.c +++ b/hw/xfree86/modes/xf86Crtc.c @@ -734,14 +734,11 @@ xf86CrtcCloseScreen(ScreenPtr screen) xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(scrn); int o, c; - screen->CloseScreen = config->CloseScreen; - - xf86RotateCloseScreen(screen); - - xf86RandR12CloseScreen(screen); - - screen->CloseScreen(screen); - + /* The randr_output and randr_crtc pointers are already invalid as + * the DIX resources were freed when the associated resources were + * freed. Clear them now; referencing through them during the rest + * of the CloseScreen sequence will not end well. + */ for (o = 0; o < config->num_output; o++) { xf86OutputPtr output = config->output[o]; @@ -752,6 +749,15 @@ xf86CrtcCloseScreen(ScreenPtr screen) crtc->randr_crtc = NULL; } + + screen->CloseScreen = config->CloseScreen; + + xf86RotateCloseScreen(screen); + + xf86RandR12CloseScreen(screen); + + screen->CloseScreen(screen); + /* detach any providers */ if (config->randr_provider) { RRProviderDestroy(config->randr_provider); -- 2.17.1 _______________________________________________ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: https://lists.x.org/mailman/listinfo/xorg-devel
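Review bot: The comment added in the first hunk of xf86CrtcCloseScreen() is circular ("the DIX resources were freed when the associated resources were freed"), so a reader cannot tell what freed what, or when. Suggest wording it the way the commit message does: the DIX crtc and output structures are freed when their resources are destroyed, which happens before CloseScreen is called, so randr_output and randr_crtc are already dangling when this function runs.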
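Review bot: In the second hunk, xf86RotateCloseScreen(), xf86RandR12CloseScreen() and the wrapped screen->CloseScreen() now run after the clearing loops (`crtc->randr_crtc = NULL;` is the last visible line of them), so the reorder is only safe if each of those callees checks the pointers for NULL before dereferencing. If any of them does not, the access to freed memory turns into a NULL dereference at server shutdown. None of the callees appear in this diff, so please state in the commit message that they tolerate NULL randr_crtc and randr_output, or add the checks in the same patch.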