summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorXiyu Yang <xiyuyang19@fudan.edu.cn>2021-07-19 07:59:45 +0200
committerSam Ravnborg <sam@ravnborg.org>2021-07-19 22:16:35 +0200
commit0189cb57b96ff92f75e3680b3710a46dacd6509f (patch)
treebb892fadc63bdafc3f10444a2faa97b9b40a354e
parentvideo: fbdev: kyro: fix a DoS bug by restricting user input (diff)
downloadlinux-0189cb57b96ff92f75e3680b3710a46dacd6509f.tar.xz
linux-0189cb57b96ff92f75e3680b3710a46dacd6509f.zip
fbmem: Convert from atomic_t to refcount_t on fb_info->count
refcount_t type and corresponding API can protect refcounters from accidental underflow and overflow and further use-after-free situations. Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> Signed-off-by: Sam Ravnborg <sam@ravnborg.org> Link: https://patchwork.freedesktop.org/patch/msgid/1626674392-55857-1-git-send-email-xiyuyang19@fudan.edu.cn
-rw-r--r--drivers/video/fbdev/core/fbmem.c6
-rw-r--r--include/linux/fb.h3
2 files changed, 5 insertions, 4 deletions
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 072780b0e570..1598736e3bcf 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -67,7 +67,7 @@ static struct fb_info *get_fb_info(unsigned int idx)
mutex_lock(&registration_lock);
fb_info = registered_fb[idx];
if (fb_info)
- atomic_inc(&fb_info->count);
+ refcount_inc(&fb_info->count);
mutex_unlock(&registration_lock);
return fb_info;
@@ -75,7 +75,7 @@ static struct fb_info *get_fb_info(unsigned int idx)
static void put_fb_info(struct fb_info *fb_info)
{
- if (!atomic_dec_and_test(&fb_info->count))
+ if (!refcount_dec_and_test(&fb_info->count))
return;
if (fb_info->fbops->fb_destroy)
fb_info->fbops->fb_destroy(fb_info);
@@ -1590,7 +1590,7 @@ static int do_register_framebuffer(struct fb_info *fb_info)
if (!registered_fb[i])
break;
fb_info->node = i;
- atomic_set(&fb_info->count, 1);
+ refcount_set(&fb_info->count, 1);
mutex_init(&fb_info->lock);
mutex_init(&fb_info->mm_lock);
diff --git a/include/linux/fb.h b/include/linux/fb.h
index a8dccd23c249..9023739e9a42 100644
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -2,6 +2,7 @@
#ifndef _LINUX_FB_H
#define _LINUX_FB_H
+#include <linux/refcount.h>
#include <linux/kgdb.h>
#include <uapi/linux/fb.h>
@@ -435,7 +436,7 @@ struct fb_tile_ops {
struct fb_info {
- atomic_t count;
+ refcount_t count;
int node;
int flags;
/*