From 5f3ee21a307a4ff4db189bd53e58a70ec01ee6bc Mon Sep 17 00:00:00 2001
From: Chris Wilson <chris@chris-wilson.co.uk>
Date: Fri, 17 Jan 2014 08:40:34 +0000
Subject: [PATCH] sna: Nullify pixmap->devPrivate.ptr after promoting CPU bo to
 GPU

When we convert a CPU bo into a GPU bo, we need to remove any dangling
shadow pointers we use for devPrivate.ptr. Whilst the bo remains alive
these are incoherent, but if we ever replace the GPU bo (for example to
change tiling for DRI2) then the dangling pointer becomes invalid and
will explode on next use.

Reported-by: Mike Aury <mike.auty@gmail.com>
Reported-by:  Marti Raudsepp <marti@juffo.org>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=73351
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
---
 src/sna/sna_accel.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/sna/sna_accel.c b/src/sna/sna_accel.c
index 5d25bf71..40ae4c09 100644
--- a/src/sna/sna_accel.c
+++ b/src/sna/sna_accel.c
@@ -3834,9 +3834,11 @@ sna_pixmap_move_to_gpu(PixmapPtr pixmap, unsigned flags)
 			    priv->cpu_bo && !priv->shm &&
 			    kgem_bo_convert_to_gpu(&sna->kgem, priv->cpu_bo)) {
 				assert(!priv->mapped);
+				assert(!IS_STATIC_PTR(priv->ptr));
 				priv->gpu_bo = priv->cpu_bo;
 				priv->cpu_bo = NULL;
 				priv->ptr = NULL;
+				pixmap->devPrivate.ptr = NULL;
 				sna_damage_all(&priv->gpu_damage,
 					       pixmap->drawable.width,
 					       pixmap->drawable.height);