From: "Bruno Prémont" <bonbons@linux-vserver.org>
To: linux-fbdev@vger.kernel.org
Subject: [Patch 1/2] Fix use-after-free by vga16fb on rmmod
Date: Tue, 24 May 2011 19:59:17 +0000 [thread overview]
Message-ID: <20110524215917.4b01df45@neptune.home> (raw)
Since fb_info is now refcounted and thus may get freed at any time it
gets unregistered module unloading will try to unregister framebuffer
as stored in platform data on probe though this pointer may
be stale.
Cleanup platform data on framebuffer release.
CC: stable@kernel.org
Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
---
This should also go into 2.6.39 stable as it didn't make it into 2.6.39
with the rest of fb_info refcounting work.
This comes from
[2.6.39-rc2, framebuffer] use after free oops
...
[PATCH 0/2] fbcon sanity
thread
---
diff --git a/drivers/video/vga16fb.c b/drivers/video/vga16fb.c
index 53b2c5a..2bcfe32 100644
--- a/drivers/video/vga16fb.c
+++ b/drivers/video/vga16fb.c
@@ -1265,9 +1265,11 @@ static void vga16fb_imageblit(struct fb_info *info, const struct fb_image *image
static void vga16fb_destroy(struct fb_info *info)
{
+ struct platform_device *dev = container_of(info->device, struct platform_device, dev);
iounmap(info->screen_base);
fb_dealloc_cmap(&info->cmap);
/* XXX unshare VGA regions */
+ platform_set_drvdata(dev, NULL);
framebuffer_release(info);
}
next reply other threads:[~2011-05-24 19:59 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-24 19:59 Bruno Prémont [this message]
2011-06-02 18:18 ` [Patch 1/2] Fix use-after-free by vga16fb on rmmod Bruno Prémont
2011-06-06 3:01 ` Paul Mundt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110524215917.4b01df45@neptune.home \
--to=bonbons@linux-vserver.org \
--cc=linux-fbdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).