framebuffer bugfix

From: Arjan van de Ven
Date: Fri Apr 09 2004 - 11:58:02 EST

Next message: Andi Kleen: "Re: [PATCH] 2.6.5-mm3, x86_64: probe_roms()"
Previous message: Grzegorz Kulewski: "Re: 2.6.5: keyboard lockup on a Toshiba laptop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

patch below fixes a thinko in the frame buffer drivers;
the code does

cursor.image.data = kmalloc(size, GFP_KERNEL);
....
cursor.mask = kmalloc(size, GFP_KERNEL);
....
if (copy_from_user(&cursor.image.data, sprite->image.data, size) ||
copy_from_user(cursor.mask, sprite->mask, size)) {
....

where it's clear that the & in the first copy_from_user is utterly bogus
since the destination is the content of the newly allocated buffer, and not
the pointer to it as the code does....

--- linux-2.6.5/drivers/video/fbmem.c~ 2004-04-09 18:51:01.626902984 +0200
+++ linux-2.6.5/drivers/video/fbmem.c 2004-04-09 18:51:01.626902984 +0200
@@ -911,7 +911,7 @@
return -ENOMEM;
}

- if (copy_from_user(&cursor.image.data, sprite->image.data, size) ||
+ if (copy_from_user(cursor.image.data, sprite->image.data, size) ||
copy_from_user(cursor.mask, sprite->mask, size)) {
kfree(cursor.image.data);
kfree(cursor.mask);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andi Kleen: "Re: [PATCH] 2.6.5-mm3, x86_64: probe_roms()"
Previous message: Grzegorz Kulewski: "Re: 2.6.5: keyboard lockup on a Toshiba laptop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]