torvalds/linux
torvalds/linux
2
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00
Code

pvr2fb: Fix oops when pseudo_palette is written

Browse Source 
Reported by: Adrian McMenamin <adrianmcmenamin@gmail.com>

This driver will oops when the pseudo_palette[] is written as u32 but not when
written as u16.  When written as u32, it corrupts the adjacent 'mmio_base'
field of struct pvr2fb_par.  Fix by using framebuffer_alloc()/release() to
allocate struct fb_info and struct pvr2fb_par, and create the pseudo_palette[]
as part of struct pvr2fb_par.

Signed-off-by: Antonino Daplas <adaplas@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Antonino A. Daplas 2007-08-10 13:00:47 -07:00 committed by Linus Torvalds
parent 4769a9a53b
commit 9cd1c67434
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
drivers/video/pvr2fb.c
View File

@ -143,6 +143,7 @@ static struct pvr2fb_par {
unsigned char is_lowres; /* Is horizontal pixel-doubling enabled? */
unsigned long mmio_base; /* MMIO base */
u32 palette[16];
} *currentpar;
static struct fb_info *fb_info;
@ -790,7 +791,7 @@ static int __devinit pvr2fb_common_init(void)
fb_info->fbops = &pvr2fb_ops;
fb_info->fix = pvr2_fix;
fb_info->par = currentpar;
fb_info->pseudo_palette = (void *)(fb_info->par + 1);
fb_info->pseudo_palette = currentpar->palette;
fb_info->flags = FBINFO_DEFAULT | FBINFO_HWACCEL_YPAN;
if (video_output == VO_VGA)
@ -1082,14 +1083,15 @@ static int __init pvr2fb_init(void)
#endif
size = sizeof(struct fb_info) + sizeof(struct pvr2fb_par) + 16 * sizeof(u32);
fb_info = kzalloc(size, GFP_KERNEL);
fb_info = framebuffer_alloc(sizeof(struct pvr2fb_par), NULL);
if (!fb_info) {
printk(KERN_ERR "Failed to allocate memory for fb_info\n");
return -ENOMEM;
}
currentpar = (struct pvr2fb_par *)(fb_info + 1);
currentpar = fb_info->par;
for (i = 0; i < ARRAY_SIZE(board_driver); i++) {
struct pvr2_board *pvr_board = board_driver + i;
@ -1102,7 +1104,7 @@ static int __init pvr2fb_init(void)
if (ret != 0) {
printk(KERN_ERR "pvr2fb: Failed init of %s device\n",
pvr_board->name);
kfree(fb_info);
framebuffer_release(fb_info);
break;
}
}
@ -1126,7 +1128,7 @@ static void __exit pvr2fb_exit(void)
#endif
unregister_framebuffer(fb_info);
kfree(fb_info);
framebuffer_release(fb_info);
}
module_init(pvr2fb_init);