[PATCH xserver 1/2] xfree86: Reset randr_crtc and randr_output early in xf86CrtcCloseScreen

Keith Packard keithp at keithp.com
Thu Jun 28 18:45:15 UTC 2018


The DIX crtc and output structures are freed when their resources are
destroyed, which happens before CloseScreen is called. As a result, we
know these pointers are invalid and referencing them during any of the
remaining CloseScreen sequence will be bad.

Signed-off-by: Keith Packard <keithp at keithp.com>
Cc: thellstrom at vmware.com
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=106960
---
 hw/xfree86/modes/xf86Crtc.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index 4aa77a244..142ab1ebe 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -734,14 +734,11 @@ xf86CrtcCloseScreen(ScreenPtr screen)
     xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(scrn);
     int o, c;
 
-    screen->CloseScreen = config->CloseScreen;
-
-    xf86RotateCloseScreen(screen);
-
-    xf86RandR12CloseScreen(screen);
-
-    screen->CloseScreen(screen);
-
+    /* The randr_output and randr_crtc pointers are already invalid as
+     * the DIX resources were freed when the associated resources were
+     * freed. Clear them now; referencing through them during the rest
+     * of the CloseScreen sequence will not end well.
+     */
     for (o = 0; o < config->num_output; o++) {
         xf86OutputPtr output = config->output[o];
 
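Review bot: The new comment at the top of this hunk is circular ("the DIX resources were freed when the associated resources were freed") and never says when the free happens. The commit message puts it more precisely: the DIX crtc and output structures are freed when their resources are destroyed, which is before CloseScreen is called. Suggest wording the comment the same way, and replacing "will not end well" with the concrete consequence, a dereference of already-freed memory.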
@@ -752,6 +749,15 @@ xf86CrtcCloseScreen(ScreenPtr screen)
 
         crtc->randr_crtc = NULL;
     }
+
+    screen->CloseScreen = config->CloseScreen;
+
+    xf86RotateCloseScreen(screen);
+
+    xf86RandR12CloseScreen(screen);
+
+    screen->CloseScreen(screen);
+
     /* detach any providers */
     if (config->randr_provider) {
         RRProviderDestroy(config->randr_provider);
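Review bot: With the calls moved below the clearing loops, xf86RotateCloseScreen(), xf86RandR12CloseScreen() and the wrapped screen->CloseScreen() now run with crtc->randr_crtc (and, per the patch subject, randr_output) already NULL. Any path in them that dereferences those fields without a check therefore changes from a stale-pointer access into a NULL dereference. The callees are not part of this diff, so please confirm that they test the pointers before use, or note in the commit message that they were audited for it.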
-- 
2.17.1


