[PATCH xf86-video-amdgpu] Increase reference count of FB assigned to drmmode_crtc->flip_pending

Deucher, Alexander Alexander.Deucher at amd.com
Thu Jun 22 12:49:09 UTC 2017


> -----Original Message-----
> From: amd-gfx [mailto:amd-gfx-bounces at lists.freedesktop.org] On Behalf
> Of Michel Dänzer
> Sent: Wednesday, June 21, 2017 11:56 PM
> To: amd-gfx at lists.freedesktop.org
> Subject: [PATCH xf86-video-amdgpu] Increase reference count of FB
> assigned to drmmode_crtc->flip_pending
> 
> From: Michel Dänzer <michel.daenzer at amd.com>
> 
> Otherwise, it could happen that we destroy the FB before the flip
> completes, resulting in use-after-free and most likely a crash.
> 
> Signed-off-by: Michel Dänzer <michel.daenzer at amd.com>

Reviewed-by: Alex Deucher <alexander.deucher at amd.com>

> ---
>  src/amdgpu_kms.c      | 8 ++++----
>  src/drmmode_display.c | 8 ++++++--
>  2 files changed, 10 insertions(+), 6 deletions(-)
> 
> diff --git a/src/amdgpu_kms.c b/src/amdgpu_kms.c
> index 784f7388a..143294a9f 100644
> --- a/src/amdgpu_kms.c
> +++ b/src/amdgpu_kms.c
> @@ -722,8 +722,8 @@ amdgpu_prime_scanout_flip(PixmapDirtyUpdatePtr
> ent)
>  		return;
>  	}
> 
> -	drmmode_crtc->flip_pending =
> -		amdgpu_pixmap_get_fb(drmmode_crtc-
> >scanout[scanout_id].pixmap);
> +	drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc-
> >flip_pending,
> +			     amdgpu_pixmap_get_fb(drmmode_crtc-
> >scanout[scanout_id].pixmap));
>  	if (!drmmode_crtc->flip_pending) {
>  		xf86DrvMsg(scrn->scrnIndex, X_WARNING,
>  			   "Failed to get FB for PRIME flip.\n");
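Review bot: The reference is taken on `drmmode_crtc->flip_pending` before the flip itself appears to be submitted, so a failure later in amdgpu_prime_scanout_flip (its body continues outside this hunk) would leave the FB referenced with no flip outstanding. If the only release point is drmmode_clear_pending_flip, as the rest of this patch suggests, such a path should drop the reference itself with `drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc->flip_pending, NULL);` before returning. The identical change in amdgpu_scanout_flip raises the same question; the amdgpu_do_pageflip hunk takes the reference after its `goto flip_error` check and looks unaffected. This would be a leaked FB rather than a memory-safety problem, but closing it keeps the ownership rule behind the use-after-free fix easy to audit.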
> @@ -1011,8 +1011,8 @@ amdgpu_scanout_flip(ScreenPtr pScreen,
> AMDGPUInfoPtr info,
>  		return;
>  	}
> 
> -	drmmode_crtc->flip_pending =
> -		amdgpu_pixmap_get_fb(drmmode_crtc-
> >scanout[scanout_id].pixmap);
> +	drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc-
> >flip_pending,
> +			     amdgpu_pixmap_get_fb(drmmode_crtc-
> >scanout[scanout_id].pixmap));
>  	if (!drmmode_crtc->flip_pending) {
>  		xf86DrvMsg(scrn->scrnIndex, X_WARNING,
>  			   "Failed to get FB for scanout flip.\n");
> diff --git a/src/drmmode_display.c b/src/drmmode_display.c
> index 0d900418a..ce46f7ba6 100644
> --- a/src/drmmode_display.c
> +++ b/src/drmmode_display.c
> @@ -2196,8 +2196,11 @@ void
>  drmmode_clear_pending_flip(xf86CrtcPtr crtc)
>  {
>  	drmmode_crtc_private_ptr drmmode_crtc = crtc->driver_private;
> +	ScrnInfoPtr scrn = crtc->scrn;
> +	AMDGPUEntPtr pAMDGPUEnt = AMDGPUEntPriv(scrn);
> 
> -	drmmode_crtc->flip_pending = NULL;
> +	drmmode_fb_reference(pAMDGPUEnt->fd, &drmmode_crtc-
> >flip_pending,
> +			     NULL);
> 
>  	if (!crtc->enabled ||
>  	    (drmmode_crtc->pending_dpms_mode != DPMSModeOn &&
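Review bot: Nothing at this call says that it is the release side of the references taken in amdgpu_prime_scanout_flip, amdgpu_scanout_flip and amdgpu_do_pageflip, and that pairing is what prevents the use-after-free described in the commit message. A short comment above the call would record it, for example `/* Drop the reference taken when the flip was queued */`. This assumes drmmode_fb_reference() releases the old FB when given NULL, which is not visible in this patch; the function body continues outside the hunk.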
> @@ -2835,7 +2838,8 @@ Bool amdgpu_do_pageflip(ScrnInfoPtr scrn,
> ClientPtr client,
>  				goto flip_error;
>  		}
> 
> -		drmmode_crtc->flip_pending = fb;
> +		drmmode_fb_reference(pAMDGPUEnt->fd,
> &drmmode_crtc->flip_pending,
> +				     fb);
>  		drm_queue_seq = 0;
>  	}
> 
> --
> 2.11.0
> 

