summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAntonino A. Daplas <adaplas@gmail.com>2007-08-10 13:00:47 -0700
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-08-11 15:47:40 -0700
commit9cd1c67434544b1d9a4fb4a4cdec15608167a233 (patch)
tree04c872c916fc26e78b7a492f5ecfa681e641d2fc
parent4769a9a53b39f3b6a7e4d0b3c5e6b9598560818d (diff)
downloadkernel-crypto-9cd1c67434544b1d9a4fb4a4cdec15608167a233.tar.gz
kernel-crypto-9cd1c67434544b1d9a4fb4a4cdec15608167a233.tar.xz
kernel-crypto-9cd1c67434544b1d9a4fb4a4cdec15608167a233.zip
pvr2fb: Fix oops when pseudo_palette is written
Reported by: Adrian McMenamin <adrianmcmenamin@gmail.com> This driver will oops when the pseudo_palette[] is written as u32 but not when written as u16. When written as u32, it corrupts the adjacent 'mmio_base' field of struct pvr2fb_par. Fix by using framebuffer_alloc()/release() to allocate struct fb_info and struct pvr2fb_par, and create the pseudo_palette[] as part of struct pvr2fb_par. Signed-off-by: Antonino Daplas <adaplas@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/video/pvr2fb.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/video/pvr2fb.c b/drivers/video/pvr2fb.c
index f9300266044..a72921b552d 100644
--- a/drivers/video/pvr2fb.c
+++ b/drivers/video/pvr2fb.c
@@ -143,6 +143,7 @@ static struct pvr2fb_par {
unsigned char is_lowres; /* Is horizontal pixel-doubling enabled? */
unsigned long mmio_base; /* MMIO base */
+ u32 palette[16];
} *currentpar;
static struct fb_info *fb_info;
@@ -790,7 +791,7 @@ static int __devinit pvr2fb_common_init(void)
fb_info->fbops = &pvr2fb_ops;
fb_info->fix = pvr2_fix;
fb_info->par = currentpar;
- fb_info->pseudo_palette = (void *)(fb_info->par + 1);
+ fb_info->pseudo_palette = currentpar->palette;
fb_info->flags = FBINFO_DEFAULT | FBINFO_HWACCEL_YPAN;
if (video_output == VO_VGA)
@@ -1082,14 +1083,15 @@ static int __init pvr2fb_init(void)
#endif
size = sizeof(struct fb_info) + sizeof(struct pvr2fb_par) + 16 * sizeof(u32);
- fb_info = kzalloc(size, GFP_KERNEL);
+ fb_info = framebuffer_alloc(sizeof(struct pvr2fb_par), NULL);
+
if (!fb_info) {
printk(KERN_ERR "Failed to allocate memory for fb_info\n");
return -ENOMEM;
}
- currentpar = (struct pvr2fb_par *)(fb_info + 1);
+ currentpar = fb_info->par;
for (i = 0; i < ARRAY_SIZE(board_driver); i++) {
struct pvr2_board *pvr_board = board_driver + i;
@@ -1102,7 +1104,7 @@ static int __init pvr2fb_init(void)
if (ret != 0) {
printk(KERN_ERR "pvr2fb: Failed init of %s device\n",
pvr_board->name);
- kfree(fb_info);
+ framebuffer_release(fb_info);
break;
}
}
@@ -1126,7 +1128,7 @@ static void __exit pvr2fb_exit(void)
#endif
unregister_framebuffer(fb_info);
- kfree(fb_info);
+ framebuffer_release(fb_info);
}
module_init(pvr2fb_init);