Eric Lee / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit 9cd1c67434544b1d9a4fb4a4cdec15608167a233

Authored by Antonino A. Daplas
Committed by Linus Torvalds
1 parent 4769a9a53b
Exists in master and in 39 other branches 8mp-imx_5.4.70_2.3.0, 8qm-imx_5.4.70_2.3.0, emb_imx_lf-5.15.y, emb_lf-6.1.y, imx_3.0.35_4.1.0, imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, imx_4.1.15_1.0.0_ga, pitx_8mp_lf-5.10.y, rt-smarc-imx_4.1.15_1.0.0_ga, rt_linux_5.15.71, smarc-8m-android-11.0.0_2.0.0, smarc-imx6_4.14.98_2.0.0_ga, smarc-imx6_4.9.88_2.0.0_ga, smarc-imx7_4.14.98_2.0.0_ga, smarc-imx7_4.9.11_1.0.0_ga, smarc-imx7_4.9.88_2.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga, smarc-imx_4.1.15_1.0.0_ga, smarc-imx_4.9.11_1.0.0_ga, smarc-imx_4.9.51_imx8m_ga, smarc-imx_4.9.88_2.0.0_ga, smarc-m6.0.1_2.1.0-ga, smarc-n7.1.2_2.0.0-ga, smarc-rel_imx_4.1.15_1.2.0_ga, smarc_8m_00d0_imx_4.14.98_2.0.0_ga, smarc_8m_imx_4.14.78_1.0.0_ga, smarc_8m_imx_4.14.98_2.0.0_ga, smarc_8m_imx_4.19.35_1.1.0, smarc_8mm_imx_4.14.78_1.0.0_ga, smarc_8mm_imx_4.14.98_2.0.0_ga, smarc_8mm_imx_4.19.35_1.1.0, smarc_8mm_imx_5.4.24_2.1.0, smarc_8mp_lf-5.10.y, smarc_8mq_imx_5.4.24_2.1.0, smarc_8mq_lf-5.10.y, smarc_imx_lf-5.15.y

pvr2fb: Fix oops when pseudo_palette is written 

Reported by: Adrian McMenamin <adrianmcmenamin@gmail.com>

This driver will oops when the pseudo_palette[] is written as u32 but not when
written as u16.  When written as u32, it corrupts the adjacent 'mmio_base'
field of struct pvr2fb_par.  Fix by using framebuffer_alloc()/release() to
allocate struct fb_info and struct pvr2fb_par, and create the pseudo_palette[]
as part of struct pvr2fb_par.

Signed-off-by: Antonino Daplas <adaplas@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Showing 1 changed file with 7 additions and 5 deletions Side-by-side Diff

drivers/video/pvr2fb.c
Diff comments   View file @ 9cd1c67
... ... @@ -143,6 +143,7 @@
143 143 unsigned char is_lowres; /* Is horizontal pixel-doubling enabled? */
144 144  
145 145 unsigned long mmio_base; /* MMIO base */
  146 + u32 palette[16];
146 147 } *currentpar;
147 148  
148 149 static struct fb_info *fb_info;
... ... @@ -790,7 +791,7 @@
790 791 fb_info->fbops = &pvr2fb_ops;
791 792 fb_info->fix = pvr2_fix;
792 793 fb_info->par = currentpar;
793   - fb_info->pseudo_palette = (void *)(fb_info->par + 1);
  794 + fb_info->pseudo_palette = currentpar->palette;
794 795 fb_info->flags = FBINFO_DEFAULT | FBINFO_HWACCEL_YPAN;
795 796  
796 797 if (video_output == VO_VGA)
797 798  
... ... @@ -1082,14 +1083,15 @@
1082 1083 #endif
1083 1084 size = sizeof(struct fb_info) + sizeof(struct pvr2fb_par) + 16 * sizeof(u32);
1084 1085  
1085   - fb_info = kzalloc(size, GFP_KERNEL);
  1086 + fb_info = framebuffer_alloc(sizeof(struct pvr2fb_par), NULL);
  1087 +
1086 1088 if (!fb_info) {
1087 1089 printk(KERN_ERR "Failed to allocate memory for fb_info\n");
1088 1090 return -ENOMEM;
1089 1091 }
1090 1092  
1091 1093  
1092   - currentpar = (struct pvr2fb_par *)(fb_info + 1);
  1094 + currentpar = fb_info->par;
1093 1095  
1094 1096 for (i = 0; i < ARRAY_SIZE(board_driver); i++) {
1095 1097 struct pvr2_board *pvr_board = board_driver + i;
... ... @@ -1102,7 +1104,7 @@
1102 1104 if (ret != 0) {
1103 1105 printk(KERN_ERR "pvr2fb: Failed init of %s device\n",
1104 1106 pvr_board->name);
1105   - kfree(fb_info);
  1107 + framebuffer_release(fb_info);
1106 1108 break;
1107 1109 }
1108 1110 }
... ... @@ -1126,7 +1128,7 @@
1126 1128 #endif
1127 1129  
1128 1130 unregister_framebuffer(fb_info);
1129   - kfree(fb_info);
  1131 + framebuffer_release(fb_info);
1130 1132 }
1131 1133  
1132 1134 module_init(pvr2fb_init);