diff options
| author | Michel Dänzer <michel.daenzer@amd.com> | 2017-06-27 18:19:31 +0900 |
|---|---|---|
| committer | Michel Dänzer <michel.daenzer@amd.com> | 2017-06-27 18:19:31 +0900 |
| commit | bc46ffdf71ab3dfa0f95572529e818f2b619d380 (patch) | |
| tree | 09403e27c97590600c7a8f3075476c093fc27898 /src | |
| parent | c9dd28cb0c9c3de676eadac61e727732510f6b9b (diff) | |
Increase reference count of FB assigned to drmmode_crtc->flip_pending
Otherwise, it could happen that we destroy the FB before the flip
completes, resulting in use-after-free and most likely a crash.
(Ported from amdgpu commit af7221e1c4d2dbdfd488eb0976a835584ea8441c)
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/drmmode_display.c | 8 | ||||
| -rw-r--r-- | src/radeon_kms.c | 8 |
2 files changed, 10 insertions, 6 deletions
diff --git a/src/drmmode_display.c b/src/drmmode_display.c index 9deaa575..dd394ec1 100644 --- a/src/drmmode_display.c +++ b/src/drmmode_display.c @@ -2369,8 +2369,11 @@ void drmmode_clear_pending_flip(xf86CrtcPtr crtc) { drmmode_crtc_private_ptr drmmode_crtc = crtc->driver_private; + ScrnInfoPtr scrn = crtc->scrn; + RADEONEntPtr pRADEONEnt = RADEONEntPriv(scrn); - drmmode_crtc->flip_pending = NULL; + drmmode_fb_reference(pRADEONEnt->fd, &drmmode_crtc->flip_pending, + NULL); if (!crtc->enabled || (drmmode_crtc->pending_dpms_mode != DPMSModeOn && @@ -3030,7 +3033,8 @@ Bool radeon_do_pageflip(ScrnInfoPtr scrn, ClientPtr client, goto flip_error; } - drmmode_crtc->flip_pending = fb; + drmmode_fb_reference(pRADEONEnt->fd, &drmmode_crtc->flip_pending, + fb); drm_queue_seq = 0; } diff --git a/src/radeon_kms.c b/src/radeon_kms.c index 5637e7f8..691fcdf5 100644 --- a/src/radeon_kms.c +++ b/src/radeon_kms.c @@ -815,8 +815,8 @@ radeon_prime_scanout_flip(PixmapDirtyUpdatePtr ent) return; } - drmmode_crtc->flip_pending = - radeon_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap); + drmmode_fb_reference(pRADEONEnt->fd, &drmmode_crtc->flip_pending, + radeon_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap)); if (!drmmode_crtc->flip_pending) { xf86DrvMsg(scrn->scrnIndex, X_WARNING, "Failed to get FB for PRIME flip.\n"); @@ -1110,8 +1110,8 @@ radeon_scanout_flip(ScreenPtr pScreen, RADEONInfoPtr info, return; } - drmmode_crtc->flip_pending = - radeon_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap); + drmmode_fb_reference(pRADEONEnt->fd, &drmmode_crtc->flip_pending, + radeon_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap)); if (!drmmode_crtc->flip_pending) { xf86DrvMsg(scrn->scrnIndex, X_WARNING, "Failed to get FB for scanout flip.\n"); |