diff options
author | Keith Packard <keithp@keithp.com> | 2018-06-28 11:45:15 -0700 |
---|---|---|
committer | Adam Jackson <ajax@redhat.com> | 2018-07-02 19:34:34 -0400 |
commit | c55a44a9a86aaece17c1a2e73c77e3e665c4888e (patch) | |
tree | bdccb6c629babdb5c191dd474f8d7b8c3f5f4633 | |
parent | 49283e238a0ba6051034ae635e5970891f17f9df (diff) |
xfree86: Reset randr_crtc and randr_output early in xf86CrtcCloseScreen
The DIX crtc and output structures are freed when their resources are
destroyed, which happens before CloseScreen is called. As a result, we
know these pointers are invalid and referencing them during any of the
remaining CloseScreen sequence will be bad.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Cc: thellstrom@vmware.com
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=106960
-rw-r--r-- | hw/xfree86/modes/xf86Crtc.c | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c index 4aa77a244..142ab1ebe 100644 --- a/hw/xfree86/modes/xf86Crtc.c +++ b/hw/xfree86/modes/xf86Crtc.c @@ -734,14 +734,11 @@ xf86CrtcCloseScreen(ScreenPtr screen) xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(scrn); int o, c; - screen->CloseScreen = config->CloseScreen; - - xf86RotateCloseScreen(screen); - - xf86RandR12CloseScreen(screen); - - screen->CloseScreen(screen); - + /* The randr_output and randr_crtc pointers are already invalid as + * the DIX resources were freed when the associated resources were + * freed. Clear them now; referencing through them during the rest + * of the CloseScreen sequence will not end well. + */ for (o = 0; o < config->num_output; o++) { xf86OutputPtr output = config->output[o]; @@ -752,6 +749,15 @@ xf86CrtcCloseScreen(ScreenPtr screen) crtc->randr_crtc = NULL; } + + screen->CloseScreen = config->CloseScreen; + + xf86RotateCloseScreen(screen); + + xf86RandR12CloseScreen(screen); + + screen->CloseScreen(screen); + /* detach any providers */ if (config->randr_provider) { RRProviderDestroy(config->randr_provider); |