From 08d73f1a4499cfe7c3121ff2ecdd36729c5f3544 Mon Sep 17 00:00:00 2001
From: Chris Wilson
Date: Wed, 12 Mar 2014 12:17:55 +0000
Subject: [PATCH] sna: Only couple up a proxy->rq when inserting into the request->buffers list
Otherwise, we may never decouple it again afterwards leading to a dangling pointer dereference.
Bugzilla: https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-intel/+bug/1289923
Signed-off-by: Chris Wilson
---
 src/sna/kgem.c | 4 +++-
 src/sna/kgem.h | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/sna/kgem.c b/src/sna/kgem.c
index 8aef6233..729573a9 100644
--- a/src/sna/kgem.c
+++ b/src/sna/kgem.c
@@ -5841,11 +5841,13 @@ struct kgem_bo *kgem_create_proxy(struct kgem *kgem,
 bo->proxy = kgem_bo_reference(target);
 bo->delta = offset;
+ /* Proxies are only tracked for busyness on the current rq */
 if (target->exec && !bo->io) {
+ assert(RQ(target->rq) == kgem->next_request);
 list_move_tail(&bo->request, &kgem->next_request->buffers);
 bo->exec = &_kgem_dummy_exec;
+ bo->rq = target->rq;
 }
- bo->rq = target->rq;
 return bo;
 }
diff --git a/src/sna/kgem.h b/src/sna/kgem.h
index fdabd504..cb0055e6 100644
--- a/src/sna/kgem.h
+++ b/src/sna/kgem.h
@@ -630,6 +630,8 @@ static inline void __kgem_bo_mark_dirty(struct kgem_bo *bo)
 bo->handle, bo->proxy != NULL));
 assert(bo->refcnt);
+ assert(bo->exec);
+ assert(bo->rq);
 bo->exec->flags |= LOCAL_EXEC_OBJECT_WRITE;
 bo->needs_flush = bo->gpu_dirty = true;
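Review bot: In the kgem.c hunk, the new `assert(RQ(target->rq) == kgem->next_request);` is the only thing tying the copied `bo->rq` to the list the proxy is actually linked into, and it disappears when assertions are compiled out. If a target with `exec` set could ever belong to a different request, the proxy would sit on `kgem->next_request->buffers` while `bo->rq` points elsewhere, which looks like the same stale-pointer shape the commit message describes. Consider making the invariant part of the condition, `if (target->exec && !bo->io && RQ(target->rq) == kgem->next_request) {`, if leaving such a proxy untracked is acceptable, or otherwise add a comment above the assert explaining why it cannot fail. When the branch is skipped, `bo->rq` now keeps whatever the allocation left there; the start of kgem_create_proxy is outside the hunk, so please confirm that the field is NULL-initialised before this point.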