GitLab

The RRTransform are freed along the DIX crtc structures, but the xf86crtc may keep a pointer to those and try to reuse it on server reset after the last client is gone:

 Invalid read of size 4
    at 0x4C8478: xf86CrtcRotate (xf86Rotate.c:464)
    by 0x5753010: drmmode_set_desired_modes (drmmode_display.c:3483)
    by 0x574C55C: CreateScreenResources (driver.c:1346)
    by 0x4B97DA: xf86CrtcCreateScreenResources (xf86Crtc.c:746)
    by 0x43F0D8: dix_main (main.c:214)
    by 0x4CFD412: (below main) (in /usr/lib64/libc-2.28.so)
  Address 0x75e4268 is 56 bytes inside a block of size 96 free'd
    at 0x4839A0C: free (vg_replace_malloc.c:530)
    by 0x50D4C9: PictureResetFilters (filter.c:274)
    by 0x511383: PictureCloseScreen (picture.c:94)
    by 0x4B942B: xf86CrtcCloseScreen (xf86Crtc.c:791)
    by 0x51AB02: present_close_screen (present_screen.c:70)
    by 0x4D747D: CursorCloseScreen (cursor.c:205)
    by 0x43F337: dix_main (main.c:325)
    by 0x4CFD412: (below main) (in /usr/lib64/libc-2.28.so)
  Block was alloc'd at
    at 0x483AD19: realloc (vg_replace_malloc.c:826)
    by 0x50D001: PictureAddFilter (filter.c:148)
    by 0x50D486: PictureSetDefaultFilters (filter.c:262)
    by 0x511F58: PictureInit (picture.c:701)
    by 0x510128: miPictureInit (mipict.c:557)
    by 0x5AD748C: fbPictureInit (fbpict.c:493)
    by 0x574ACFB: ScreenInit (driver.c:1629)
    by 0x43B5E6: AddScreen (dispatch.c:3915)
    by 0x48CD2A: InitOutput (xf86Init.c:730)
    by 0x43F02E: dix_main (main.c:193)
    by 0x4CFD412: (below main) (in /usr/lib64/libc-2.28.so)

Make sure we clear and free both the desired transform and actual transform so that we don't reuse a previously freed transform when re-creating the resources after the server has been reset.

Signed-off-by: Olivier Fourdan ofourdan@redhat.com Closes: #14