From d31e8e77e1453c26a02f24b26d96b4660d29e1df Mon Sep 17 00:00:00 2001
From: Thomas Hellstrom <thellstrom@vmware.com>
Date: Tue, 27 Nov 2018 08:37:13 +0100
Subject: [PATCH 06/11] vmwgfx: Fix invalid memory accesses in CloseScreen

Some of the CloseScreen callbacks were referencing XA objects so move the
destruction of the XA state tracker to the end of drv_close_screen to avoid
referencing freed resources.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
---
 vmwgfx/vmwgfx_driver.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/vmwgfx/vmwgfx_driver.c b/vmwgfx/vmwgfx_driver.c
index ccddb6f..e5f0caf 100644
--- a/vmwgfx/vmwgfx_driver.c
+++ b/vmwgfx/vmwgfx_driver.c
@@ -1314,6 +1314,7 @@ drv_close_screen(CLOSE_SCREEN_ARGS_DECL)
 {
     ScrnInfoPtr pScrn = xf86ScreenToScrn(pScreen);
     modesettingPtr ms = modesettingPTR(pScrn);
+    Bool ret;
 
     if (ms->cursor) {
        FreeCursor(ms->cursor, None);
@@ -1339,10 +1340,12 @@ drv_close_screen(CLOSE_SCREEN_ARGS_DECL)
     vmwgfx_unwrap(ms, pScreen, BlockHandler);
     vmwgfx_unwrap(ms, pScreen, CreateScreenResources);
 
+    ret = (*pScreen->CloseScreen) (CLOSE_SCREEN_ARGS);
+    
     if (ms->xat)
 	xa_tracker_destroy(ms->xat);
 
-    return (*pScreen->CloseScreen) (CLOSE_SCREEN_ARGS);
+    return ret;
 }
 
 static ModeStatus
-- 
2.23.0