pvr2fb: Fix oops when pseudo_palette is written
authorAntonino A. Daplas <adaplas@gmail.com>
Fri, 10 Aug 2007 20:00:47 +0000 (13:00 -0700)
committerLinus Torvalds <torvalds@woody.linux-foundation.org>
Sat, 11 Aug 2007 22:47:40 +0000 (15:47 -0700)
Reported by: Adrian McMenamin <adrianmcmenamin@gmail.com>

This driver will oops when the pseudo_palette[] is written as u32 but not when
written as u16.  When written as u32, it corrupts the adjacent 'mmio_base'
field of struct pvr2fb_par.  Fix by using framebuffer_alloc()/release() to
allocate struct fb_info and struct pvr2fb_par, and create the pseudo_palette[]
as part of struct pvr2fb_par.

Signed-off-by: Antonino Daplas <adaplas@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/video/pvr2fb.c

index f9300266044d8f8e910e1421cad7484f8ef181c7..a72921b552dc93c6e047aaa4e4bc0ebcaa21816f 100644 (file)
@@ -143,6 +143,7 @@ static struct pvr2fb_par {
        unsigned char is_lowres;        /* Is horizontal pixel-doubling enabled? */
 
        unsigned long mmio_base;        /* MMIO base */
+       u32 palette[16];
 } *currentpar;
 
 static struct fb_info *fb_info;
@@ -790,7 +791,7 @@ static int __devinit pvr2fb_common_init(void)
        fb_info->fbops          = &pvr2fb_ops;
        fb_info->fix            = pvr2_fix;
        fb_info->par            = currentpar;
-       fb_info->pseudo_palette = (void *)(fb_info->par + 1);
+       fb_info->pseudo_palette = currentpar->palette;
        fb_info->flags          = FBINFO_DEFAULT | FBINFO_HWACCEL_YPAN;
 
        if (video_output == VO_VGA)
@@ -1082,14 +1083,15 @@ static int __init pvr2fb_init(void)
 #endif
        size = sizeof(struct fb_info) + sizeof(struct pvr2fb_par) + 16 * sizeof(u32);
 
-       fb_info = kzalloc(size, GFP_KERNEL);
+       fb_info = framebuffer_alloc(sizeof(struct pvr2fb_par), NULL);
+
        if (!fb_info) {
                printk(KERN_ERR "Failed to allocate memory for fb_info\n");
                return -ENOMEM;
        }
 
 
-       currentpar = (struct pvr2fb_par *)(fb_info + 1);
+       currentpar = fb_info->par;
 
        for (i = 0; i < ARRAY_SIZE(board_driver); i++) {
                struct pvr2_board *pvr_board = board_driver + i;
@@ -1102,7 +1104,7 @@ static int __init pvr2fb_init(void)
                if (ret != 0) {
                        printk(KERN_ERR "pvr2fb: Failed init of %s device\n",
                                pvr_board->name);
-                       kfree(fb_info);
+                       framebuffer_release(fb_info);
                        break;
                }
        }
@@ -1126,7 +1128,7 @@ static void __exit pvr2fb_exit(void)
 #endif
 
        unregister_framebuffer(fb_info);
-       kfree(fb_info);
+       framebuffer_release(fb_info);
 }
 
 module_init(pvr2fb_init);