diff options
| author | Linus Torvalds <[email protected]> | 2011-05-11 14:49:36 -0700 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2011-05-12 07:37:51 -0700 |
| commit | 698b368275c3fa98261159253cfc79653f9dffc6 (patch) | |
| tree | b92c921fe6522ece33fbbde33cc173c9dd32d9a2 /tools/perf/util/scripting-engines/trace-event-python.c | |
| parent | 9f381a61f58bb6487c93ce2233bb9992f8ea9211 (diff) | |
fbcon: add lifetime refcount to opened frame buffers
This just adds the refcount and the new registration lock logic. It
does not (for example) actually change the read/write/ioctl routines to
actually use the frame buffer that was opened: those function still end
up alway susing whatever the current frame buffer is at the time of the
call.
Without this, if something holds the frame buffer open over a
framebuffer switch, the close() operation after the switch will access a
fb_info that has been free'd by the unregistering of the old frame
buffer.
(The read/write/ioctl operations will normally not cause problems,
because they will - illogically - pick up the new fbcon instead. But a
switch that happens just as one of those is going on might see problems
too, the window is just much smaller: one individual op rather than the
whole open-close sequence.)
This use-after-free is apparently fairly easily triggered by the Ubuntu
11.04 boot sequence.
Acked-by: Tim Gardner <[email protected]>
Tested-by: Daniel J Blueman <[email protected]>
Tested-by: Anca Emanuel <[email protected]>
Cc: Bruno Prémont <[email protected]>
Cc: Alan Cox <[email protected]>
Cc: Paul Mundt <[email protected]>
Cc: Dave Airlie <[email protected]>
Cc: Andy Whitcroft <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'tools/perf/util/scripting-engines/trace-event-python.c')
0 files changed, 0 insertions, 0 deletions