Increase reference count of FB assigned to drmmode_crtc->flip_pending

Otherwise, it could happen that we destroy the FB before the flip
completes, resulting in use-after-free and most likely a crash.

(Ported from amdgpu commit af7221e1c4d2dbdfd488eb0976a835584ea8441c)
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>

src/drmmode_display.c

@@ -2369,8 +2369,11 @@ void
 drmmode_clear_pending_flip(xf86CrtcPtr crtc)
 {
 	drmmode_crtc_private_ptr drmmode_crtc = crtc->driver_private;
+	ScrnInfoPtr scrn = crtc->scrn;
+	RADEONEntPtr pRADEONEnt = RADEONEntPriv(scrn);
 
-	drmmode_crtc->flip_pending = NULL;
+	drmmode_fb_reference(pRADEONEnt->fd, &drmmode_crtc->flip_pending,
+			     NULL);
 
 	if (!crtc->enabled ||
 	    (drmmode_crtc->pending_dpms_mode != DPMSModeOn &&
@@ -3030,7 +3033,8 @@ Bool radeon_do_pageflip(ScrnInfoPtr scrn, ClientPtr client,
 				goto flip_error;
 		}
 
-		drmmode_crtc->flip_pending = fb;
+		drmmode_fb_reference(pRADEONEnt->fd, &drmmode_crtc->flip_pending,
+				     fb);
 		drm_queue_seq = 0;
 	}
 

src/radeon_kms.c

@@ -815,8 +815,8 @@ radeon_prime_scanout_flip(PixmapDirtyUpdatePtr ent)
 	return;
     }
 
-    drmmode_crtc->flip_pending =
-	radeon_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap);
+    drmmode_fb_reference(pRADEONEnt->fd, &drmmode_crtc->flip_pending,
+			  radeon_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap));
     if (!drmmode_crtc->flip_pending) {
 	xf86DrvMsg(scrn->scrnIndex, X_WARNING,
 		   "Failed to get FB for PRIME flip.\n");
@@ -1110,8 +1110,8 @@ radeon_scanout_flip(ScreenPtr pScreen, RADEONInfoPtr info,
 	return;
     }
 
-    drmmode_crtc->flip_pending =
-	radeon_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap);
+    drmmode_fb_reference(pRADEONEnt->fd, &drmmode_crtc->flip_pending,
+			  radeon_pixmap_get_fb(drmmode_crtc->scanout[scanout_id].pixmap));
     if (!drmmode_crtc->flip_pending) {
 	xf86DrvMsg(scrn->scrnIndex, X_WARNING,
 		   "Failed to get FB for scanout flip.\n");