[PATCH xf86-video-amdgpu] Increase reference count of FB assigned to drmmode_crtc->flip_pending

[michel@xxxxxxxxxxx (Michel Dänzer)]

From: Michel Dänzer <michel.daenzer@xxxxxxx>

Otherwise, it could happen that we destroy the FB before the flip
completes, resulting in use-after-free and most likely a crash.

Signed-off-by: Michel Dänzer <michel.daenzer at amd.com>
---
 src/amdgpu_kms.c      | 8 ++++----
 src/drmmode_display.c | 8 ++++++--
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/amdgpu_kms.c b/src/amdgpu_kms.c
index 784f7388a..143294a9f 100644
--- a/src/amdgpu_kms.c
+++ b/src/amdgpu_kms.c
@@ -722,8 +722,8 @@ amdgpu_prime_scanout_flip(PixmapDirtyUpdatePtr ent)
 		return;
 	}
 
-	drmmode_crtc->flip_pending =
-		amdgpu_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap);
+	drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc->flip_pending,
+			     amdgpu_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap));
 	if (!drmmode_crtc->flip_pending) {
 		xf86DrvMsg(scrn->scrnIndex, X_WARNING,
 			   "Failed to get FB for PRIME flip.\n");
@@ -1011,8 +1011,8 @@ amdgpu_scanout_flip(ScreenPtr pScreen, AMDGPUInfoPtr info,
 		return;
 	}
 
-	drmmode_crtc->flip_pending =
-		amdgpu_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap);
+	drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc->flip_pending,
+			     amdgpu_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap));
 	if (!drmmode_crtc->flip_pending) {
 		xf86DrvMsg(scrn->scrnIndex, X_WARNING,
 			   "Failed to get FB for scanout flip.\n");
diff --git a/src/drmmode_display.c b/src/drmmode_display.c
index 0d900418a..ce46f7ba6 100644
--- a/src/drmmode_display.c
+++ b/src/drmmode_display.c
@@ -2196,8 +2196,11 @@ void
 drmmode_clear_pending_flip(xf86CrtcPtr crtc)
 {
 	drmmode_crtc_private_ptr drmmode_crtc = crtc->driver_private;
+	ScrnInfoPtr scrn = crtc->scrn;
+	AMDGPUEntPtr pAMDGPUEnt = AMDGPUEntPriv(scrn);
 
-	drmmode_crtc->flip_pending = NULL;
+	drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc->flip_pending,
+			     NULL);
 
 	if (!crtc->enabled ||
 	    (drmmode_crtc->pending_dpms_mode != DPMSModeOn &&
@@ -2835,7 +2838,8 @@ Bool amdgpu_do_pageflip(ScrnInfoPtr scrn, ClientPtr client,
 				goto flip_error;
 		}
 
-		drmmode_crtc->flip_pending = fb;
+		drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc->flip_pending,
+				     fb);
 		drm_queue_seq = 0;
 	}
 
-- 
2.11.0