From: Michel Dänzer <michel.daenzer@xxxxxxx> Otherwise, it could happen that we destroy the FB before the flip completes, resulting in use-after-free and most likely a crash. (Ported from amdgpu commit af7221e1c4d2dbdfd488eb0976a835584ea8441c) Signed-off-by: Michel Dänzer <michel.daenzer at amd.com> --- src/drmmode_display.c | 8 ++++++-- src/radeon_kms.c | 8 ++++---- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/src/drmmode_display.c b/src/drmmode_display.c index 9deaa575d..dd394ec1d 100644 --- a/src/drmmode_display.c +++ b/src/drmmode_display.c @@ -2369,8 +2369,11 @@ void drmmode_clear_pending_flip(xf86CrtcPtr crtc) { drmmode_crtc_private_ptr drmmode_crtc = crtc->driver_private; + ScrnInfoPtr scrn = crtc->scrn; + RADEONEntPtr pRADEONEnt = RADEONEntPriv(scrn); - drmmode_crtc->flip_pending = NULL; + drmmode_fb_reference(pRADEONEnt->fd, &drmmode_crtc->flip_pending, + NULL); if (!crtc->enabled || (drmmode_crtc->pending_dpms_mode != DPMSModeOn && @@ -3030,7 +3033,8 @@ Bool radeon_do_pageflip(ScrnInfoPtr scrn, ClientPtr client, goto flip_error; } - drmmode_crtc->flip_pending = fb; + drmmode_fb_reference(pRADEONEnt->fd, &drmmode_crtc->flip_pending, + fb); drm_queue_seq = 0; } diff --git a/src/radeon_kms.c b/src/radeon_kms.c index 5637e7f8a..691fcdf5b 100644 --- a/src/radeon_kms.c +++ b/src/radeon_kms.c @@ -815,8 +815,8 @@ radeon_prime_scanout_flip(PixmapDirtyUpdatePtr ent) return; } - drmmode_crtc->flip_pending = - radeon_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap); + drmmode_fb_reference(pRADEONEnt->fd, &drmmode_crtc->flip_pending, + radeon_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap)); if (!drmmode_crtc->flip_pending) { xf86DrvMsg(scrn->scrnIndex, X_WARNING, "Failed to get FB for PRIME flip.\n"); 
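Review bot: `flip_pending` changes from a borrowed pointer to an owning reference in drmmode_clear_pending_flip, and nothing in the new code says so. A one-line comment above the added call, such as `/* Drop the reference taken when the flip was queued; the FB may be destroyed here */`, would make the ownership rule visible to whoever next touches this field. The same rule applies to the call added in radeon_do_pageflip in the next hunk. It is also worth confirming that no plain assignment to `flip_pending` remains elsewhere in the driver, since one would bypass the count and could bring back the use-after-free the commit message describes. That cannot be checked from the lines shown.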
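Review bot: In radeon_prime_scanout_flip the reference on `flip_pending` is now taken before the flip is queued, so every failure path after this point has to release it. The visible `if (!drmmode_crtc->flip_pending)` branch holds nothing, but the function continues outside the hunk. If the step that queues the flip can fail there, presumably no completion event reaches drmmode_clear_pending_flip, and the FB would stay pinned behind a stale `flip_pending`. Unless the abort handler already does it, that path should call `drmmode_fb_reference(pRADEONEnt->fd, &drmmode_crtc->flip_pending, NULL);` before returning. The same applies to radeon_scanout_flip in the hunk at -1110,8.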
@@ -1110,8 +1110,8 @@ radeon_scanout_flip(ScreenPtr pScreen, RADEONInfoPtr info, return; } - drmmode_crtc->flip_pending = - radeon_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap); + drmmode_fb_reference(pRADEONEnt->fd, &drmmode_crtc->flip_pending, + radeon_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap)); if (!drmmode_crtc->flip_pending) { xf86DrvMsg(scrn->scrnIndex, X_WARNING, "Failed to get FB for scanout flip.\n"); -- 2.13.1