refcount_t type and corresponding API can protect refcounters from
accidental underflow and overflow and further use-after-free situations.
Signed-off-by: Xiyu Yang <[email protected]>
Signed-off-by: Xin Tan <[email protected]>
---
drivers/video/fbdev/core/fbmem.c | 6 +++---
include/linux/fb.h | 3 ++-
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 98f193078c05..b7d26b928e1d 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -67,7 +67,7 @@ static struct fb_info *get_fb_info(unsigned int idx)
mutex_lock(®istration_lock);
fb_info = registered_fb[idx];
if (fb_info)
- atomic_inc(&fb_info->count);
+ refcount_inc(&fb_info->count);
mutex_unlock(®istration_lock);
return fb_info;
@@ -75,7 +75,7 @@ static struct fb_info *get_fb_info(unsigned int idx)
static void put_fb_info(struct fb_info *fb_info)
{
- if (!atomic_dec_and_test(&fb_info->count))
+ if (!refcount_dec_and_test(&fb_info->count))
return;
if (fb_info->fbops->fb_destroy)
fb_info->fbops->fb_destroy(fb_info);
@@ -1594,7 +1594,7 @@ static int do_register_framebuffer(struct fb_info *fb_info)
if (!registered_fb[i])
break;
fb_info->node = i;
- atomic_set(&fb_info->count, 1);
+ refcount_set(&fb_info->count, 1);
mutex_init(&fb_info->lock);
mutex_init(&fb_info->mm_lock);
diff --git a/include/linux/fb.h b/include/linux/fb.h
index ecfbcc0553a5..5950f8f5dc74 100644
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -2,6 +2,7 @@
#ifndef _LINUX_FB_H
#define _LINUX_FB_H
+#include <linux/refcount.h>
#include <linux/kgdb.h>
#include <uapi/linux/fb.h>
@@ -435,7 +436,7 @@ struct fb_tile_ops {
struct fb_info {
- atomic_t count;
+ refcount_t count;
int node;
int flags;
/*
--
2.7.4