diff options
| author | Michel Dänzer <michel.daenzer@amd.com> | 2017-06-21 19:01:54 +0900 |
|---|---|---|
| committer | Michel Dänzer <michel@daenzer.net> | 2017-06-21 19:01:54 +0900 |
| commit | af7221e1c4d2dbdfd488eb0976a835584ea8441c (patch) | |
| tree | 83a4398faec27c34a1d3d1e1db208585758704dd | |
| parent | 184d50e008b9b31f4dda1425e255af068b6ab068 (diff) | |
Increase reference count of FB assigned to drmmode_crtc->flip_pending
Otherwise, it could happen that we destroy the FB before the flip
completes, resulting in use-after-free and most likely a crash.
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
| -rw-r--r-- | src/amdgpu_kms.c | 8 | ||||
| -rw-r--r-- | src/drmmode_display.c | 8 |
2 files changed, 10 insertions, 6 deletions
diff --git a/src/amdgpu_kms.c b/src/amdgpu_kms.c index 784f738..143294a 100644 --- a/src/amdgpu_kms.c +++ b/src/amdgpu_kms.c @@ -722,8 +722,8 @@ amdgpu_prime_scanout_flip(PixmapDirtyUpdatePtr ent) return; } - drmmode_crtc->flip_pending = - amdgpu_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap); + drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc->flip_pending, + amdgpu_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap)); if (!drmmode_crtc->flip_pending) { xf86DrvMsg(scrn->scrnIndex, X_WARNING, "Failed to get FB for PRIME flip.\n"); @@ -1011,8 +1011,8 @@ amdgpu_scanout_flip(ScreenPtr pScreen, AMDGPUInfoPtr info, return; } - drmmode_crtc->flip_pending = - amdgpu_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap); + drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc->flip_pending, + amdgpu_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap)); if (!drmmode_crtc->flip_pending) { xf86DrvMsg(scrn->scrnIndex, X_WARNING, "Failed to get FB for scanout flip.\n"); diff --git a/src/drmmode_display.c b/src/drmmode_display.c index 0d90041..ce46f7b 100644 --- a/src/drmmode_display.c +++ b/src/drmmode_display.c @@ -2196,8 +2196,11 @@ void drmmode_clear_pending_flip(xf86CrtcPtr crtc) { drmmode_crtc_private_ptr drmmode_crtc = crtc->driver_private; + ScrnInfoPtr scrn = crtc->scrn; + AMDGPUEntPtr pAMDGPUEnt = AMDGPUEntPriv(scrn); - drmmode_crtc->flip_pending = NULL; + drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc->flip_pending, + NULL); if (!crtc->enabled || (drmmode_crtc->pending_dpms_mode != DPMSModeOn && @@ -2835,7 +2838,8 @@ Bool amdgpu_do_pageflip(ScrnInfoPtr scrn, ClientPtr client, goto flip_error; } - drmmode_crtc->flip_pending = fb; + drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc->flip_pending, + fb); drm_queue_seq = 0; } |