From: Michel Dänzer <michel.daen...@amd.com>

Otherwise, it could happen that we destroy the FB before the flip
completes, resulting in use-after-free and most likely a crash.

Signed-off-by: Michel Dänzer <michel.daen...@amd.com>
---
 src/amdgpu_kms.c      | 8 ++++----
 src/drmmode_display.c | 8 ++++++--
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/amdgpu_kms.c b/src/amdgpu_kms.c
index 784f7388a..143294a9f 100644
--- a/src/amdgpu_kms.c
+++ b/src/amdgpu_kms.c
@@ -722,8 +722,8 @@ amdgpu_prime_scanout_flip(PixmapDirtyUpdatePtr ent)
                return;
        }
 
-       drmmode_crtc->flip_pending =
-               amdgpu_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap);
+       drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc->flip_pending,
+                            
amdgpu_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap));
        if (!drmmode_crtc->flip_pending) {
                xf86DrvMsg(scrn->scrnIndex, X_WARNING,
                           "Failed to get FB for PRIME flip.\n");
@@ -1011,8 +1011,8 @@ amdgpu_scanout_flip(ScreenPtr pScreen, AMDGPUInfoPtr info,
                return;
        }
 
-       drmmode_crtc->flip_pending =
-               amdgpu_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap);
+       drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc->flip_pending,
+                            
amdgpu_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap));
        if (!drmmode_crtc->flip_pending) {
                xf86DrvMsg(scrn->scrnIndex, X_WARNING,
                           "Failed to get FB for scanout flip.\n");
diff --git a/src/drmmode_display.c b/src/drmmode_display.c
index 0d900418a..ce46f7ba6 100644
--- a/src/drmmode_display.c
+++ b/src/drmmode_display.c
@@ -2196,8 +2196,11 @@ void
 drmmode_clear_pending_flip(xf86CrtcPtr crtc)
 {
        drmmode_crtc_private_ptr drmmode_crtc = crtc->driver_private;
+       ScrnInfoPtr scrn = crtc->scrn;
+       AMDGPUEntPtr pAMDGPUEnt = AMDGPUEntPriv(scrn);
 
-       drmmode_crtc->flip_pending = NULL;
+       drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc->flip_pending,
+                            NULL);
 
        if (!crtc->enabled ||
            (drmmode_crtc->pending_dpms_mode != DPMSModeOn &&
@@ -2835,7 +2838,8 @@ Bool amdgpu_do_pageflip(ScrnInfoPtr scrn, ClientPtr 
client,
                                goto flip_error;
                }
 
-               drmmode_crtc->flip_pending = fb;
+               drmmode_fb_reference(pAMDGPUEnt->fd, 
&drmmode_crtc->flip_pending,
+                                    fb);
                drm_queue_seq = 0;
        }
 
-- 
2.11.0

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

Reply via email to