UBUNTU: SAUCE: fbcon -- fix race between open and removal of framebuffers
Currently there is no locking for updates to the registered_fb list.
This allows an open through /dev/fbN to pick up a registered framebuffer
pointer in parallel with it being released, as happens when a conflicting
framebuffer is ejected or on module unload. There is also no reference
counting on the framebuffer descriptor which is referenced from all open
files, leading to references to released or reused memory to persist on
these open files.
This patch adds a reference count to the framebuffer descriptor to prevent
it from being released until after all pending opens are closed. This
allows the pending opens to detect the closed status and unmap themselves.
It also adds locking to the framebuffer lookup path, locking it against
the removal path such that it is possible to atomically lookup and take a
reference to the descriptor. It also adds locking to the read and write
paths which currently could access the framebuffer descriptor after it
has been freed. Finally it moves the device to FBINFO_STATE_REMOVED to
indicate that all access should be errored for this device.
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>