aboutsummaryrefslogtreecommitdiff
path: root/include/linux/fb.h
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2011-05-11 14:49:36 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2011-05-12 07:37:51 -0700
commit698b368275c3fa98261159253cfc79653f9dffc6 (patch)
treeb92c921fe6522ece33fbbde33cc173c9dd32d9a2 /include/linux/fb.h
parent9f381a61f58bb6487c93ce2233bb9992f8ea9211 (diff)
downloadlinux-linaro-stable-698b368275c3fa98261159253cfc79653f9dffc6.tar.gz
fbcon: add lifetime refcount to opened frame buffers
This just adds the refcount and the new registration lock logic. It does not (for example) actually change the read/write/ioctl routines to actually use the frame buffer that was opened: those function still end up alway susing whatever the current frame buffer is at the time of the call. Without this, if something holds the frame buffer open over a framebuffer switch, the close() operation after the switch will access a fb_info that has been free'd by the unregistering of the old frame buffer. (The read/write/ioctl operations will normally not cause problems, because they will - illogically - pick up the new fbcon instead. But a switch that happens just as one of those is going on might see problems too, the window is just much smaller: one individual op rather than the whole open-close sequence.) This use-after-free is apparently fairly easily triggered by the Ubuntu 11.04 boot sequence. Acked-by: Tim Gardner <tim.gardner@canonical.com> Tested-by: Daniel J Blueman <daniel.blueman@gmail.com> Tested-by: Anca Emanuel <anca.emanuel@gmail.com> Cc: Bruno Prémont <bonbons@linux-vserver.org> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Paul Mundt <lethal@linux-sh.org> Cc: Dave Airlie <airlied@redhat.com> Cc: Andy Whitcroft <andy.whitcroft@canonical.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'include/linux/fb.h')
-rw-r--r--include/linux/fb.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/fb.h b/include/linux/fb.h
index df728c1c29ed..6a8274877171 100644
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -832,6 +832,7 @@ struct fb_tile_ops {
#define FBINFO_CAN_FORCE_OUTPUT 0x200000
struct fb_info {
+ atomic_t count;
int node;
int flags;
struct mutex lock; /* Lock for open/release/ioctl funcs */