Hi All,
There is a major bug in DirectFB-0.9.25.1 which will crash DFB.
Look at the code below, from systems/fbdev/fbdev.c:
/* Excerpt: one shared-memory block of size 256 * 2 * 12 (presumably bytes)
 * is requested and then carved into slices of 256 * 2 each. orig_cmap is
 * given slices 0-3 and temp_cmap slices 4-7; slices 8-11 are not assigned
 * in this excerpt.
 * NOTE(review): the SHMALLOC result is used below without a NULL check. */
shared->cmap_memory = SHMALLOC( pool_data, 256 * 2 * 12 );
shared->orig_cmap.start = 0;
shared->orig_cmap.len = 256;
shared->orig_cmap.red = shared->cmap_memory + 256 * 2 * 0;
shared->orig_cmap.green = shared->cmap_memory + 256 * 2 * 1;
shared->orig_cmap.blue = shared->cmap_memory + 256 * 2 * 2;
shared->orig_cmap.transp = shared->cmap_memory + 256 * 2 * 3;
/* Ask the framebuffer device for its current palette as a backup. */
if (ioctl( dfb_fbdev->fd, FBIOGETCMAP, &shared->orig_cmap ) < 0) {
D_PERROR( "DirectFB/FBDev: "
"Could not retrieve palette for backup!\n" );
/* Failure path: the WHOLE block is released here, not just the orig_cmap
 * slices. shared->cmap_memory keeps its old value (it is not cleared);
 * only orig_cmap.len is reset to 0. */
SHFREE( pool_data, shared->cmap_memory );
shared->orig_cmap.len = 0;
}
/* These assignments run whether or not the ioctl succeeded. After a failure
 * the four pointers below are derived from the block freed above, so any
 * later access through temp_cmap touches freed memory (use-after-free). */
shared->temp_cmap.len = 256;
shared->temp_cmap.red = shared->cmap_memory + 256 * 2 * 4;
shared->temp_cmap.green = shared->cmap_memory + 256 * 2 * 5;
shared->temp_cmap.blue = shared->cmap_memory + 256 * 2 * 6;
shared->temp_cmap.transp = shared->cmap_memory + 256 * 2 * 7;
You can see that the memory for cmap_memory is allocated once at first and
then reused. But if the ioctl call fails, the memory is freed and the pointer
is still reused afterwards. So the current DirectFB-0.9.25.1 is reusing freed
memory in some places.
Moreover, this memory is freed again in the shutdown call.
If code starts using the variables in this memory, this may lead to
memory corruption and, at the same time, to a crash.
I experienced this problem.
The patch below fixes the problem discussed above.
Mail me if you want more detail.
diff -urN 1/systems/fbdev/fbdev.c 2/systems/fbdev/fbdev.c
--- 1/systems/fbdev/fbdev.c 2006-06-29 10:09:34.000000000 +0530
+++ 2/systems/fbdev/fbdev.c 2006-05-03 12:52:37.000000000 +0530
@@ -508,36 +508,33 @@
dfb_fbdev_var_to_mode( &shared->current_var,
&shared->current_mode );
-/* shared->cmap_memory = SHMALLOC( pool_data, 256 * 2 * 12 );*/
- shared->orig_cmap_memory = SHMALLOC( pool_data, 256 * 2 * 4 );
+ shared->cmap_memory = SHMALLOC( pool_data, 256 * 2 * 12 );
shared->orig_cmap.start = 0;
shared->orig_cmap.len = 256;
- shared->orig_cmap.red = shared->orig_cmap_memory + 256 * 2 * 0;
- shared->orig_cmap.green = shared->orig_cmap_memory + 256 * 2 * 1;
- shared->orig_cmap.blue = shared->orig_cmap_memory + 256 * 2 * 2;
- shared->orig_cmap.transp = shared->orig_cmap_memory + 256 * 2 * 3;
+ shared->orig_cmap.red = shared->cmap_memory + 256 * 2 * 0;
+ shared->orig_cmap.green = shared->cmap_memory + 256 * 2 * 1;
+ shared->orig_cmap.blue = shared->cmap_memory + 256 * 2 * 2;
+ shared->orig_cmap.transp = shared->cmap_memory + 256 * 2 * 3;
if (ioctl( dfb_fbdev->fd, FBIOGETCMAP, &shared->orig_cmap ) < 0) {
D_PERROR( "DirectFB/FBDev: "
"Could not retrieve palette for backup!\n" );
- SHFREE( pool_data, shared->orig_cmap_memory );
+ SHFREE( pool_data, shared->cmap_memory );
shared->orig_cmap.len = 0;
}
- shared->temp_cmap_memory = SHMALLOC( pool_data, 256 * 2 * 4 );
shared->temp_cmap.len = 256;
- shared->temp_cmap.red = shared->temp_cmap_memory + 256 * 2 * 4;
- shared->temp_cmap.green = shared->temp_cmap_memory + 256 * 2 * 5;
- shared->temp_cmap.blue = shared->temp_cmap_memory + 256 * 2 * 6;
- shared->temp_cmap.transp = shared->temp_cmap_memory + 256 * 2 * 7;
+ shared->temp_cmap.red = shared->cmap_memory + 256 * 2 * 4;
+ shared->temp_cmap.green = shared->cmap_memory + 256 * 2 * 5;
+ shared->temp_cmap.blue = shared->cmap_memory + 256 * 2 * 6;
+ shared->temp_cmap.transp = shared->cmap_memory + 256 * 2 * 7;
- shared->current_cmap_memory = SHMALLOC( pool_data, 256 * 2 * 4 );
shared->current_cmap.len = 256;
- shared->current_cmap.red = shared->current_cmap_memory + 256 *
2 * 8;
- shared->current_cmap.green = shared->current_cmap_memory + 256 *
2 * 9;
- shared->current_cmap.blue = shared->current_cmap_memory + 256 *
2 * 10;
- shared->current_cmap.transp = shared->current_cmap_memory + 256 *
2 * 11;
+ shared->current_cmap.red = shared->cmap_memory + 256 * 2 * 8;
+ shared->current_cmap.green = shared->cmap_memory + 256 * 2 * 9;
+ shared->current_cmap.blue = shared->cmap_memory + 256 * 2 * 10;
+ shared->current_cmap.transp = shared->cmap_memory + 256 * 2 * 11;
dfb_fbdev_get_pci_info( shared );
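Review bot: The `+` lines here are the single `cmap_memory` allocation that the message describes as the bug, while the per-colormap allocations sit on the `-` side, so the diff appears to have been generated with the old and new trees swapped (the header timestamps also put tree 1 later than tree 2); it would need regenerating or applying in reverse to have the described effect. In the per-colormap version, `temp_cmap_memory` and `current_cmap_memory` are each allocated with `256 * 2 * 4`, but their pointers still add `256 * 2 * 4` through `256 * 2 * 11`, which lands at or beyond the end of each block; the offsets should restart at 0, e.g. `shared->temp_cmap.red = shared->temp_cmap_memory + 256 * 2 * 0;` up to `* 3` for transp, and likewise for `current_cmap`. None of the SHMALLOC results is checked before use, and after the SHFREE in the ioctl failure branch the pointer should be cleared, `shared->orig_cmap_memory = NULL;`, so later code cannot free or reuse it. The enclosing function starts and ends outside the hunk.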
@@ -667,12 +664,7 @@
"Could not restore palette!\n" );
}
- if( shared->orig_cmap.len> 0) /* Check if memory IS allocated*/
- SHFREE( shared->shmpool_data, shared->orig_cmap_memory );
- if( shared->current_cmap.len> 0)/* Check if memory IS allocated*/
- SHFREE( shared->shmpool_data, shared->current_cmap_memory );
- if( shared->temp_cmap.len> 0)/* Check if memory IS allocated*/
- SHFREE( shared->shmpool_data, shared->orig_cmap_memory );
+ SHFREE( shared->shmpool_data, shared->cmap_memory );
fusion_call_destroy( &shared->fbdev_ioctl );
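Review bot: The third guarded free on the `-` side releases `orig_cmap_memory` a second time instead of `temp_cmap_memory`, which is a double free plus a leak of the temp block; it should read `SHFREE( shared->shmpool_data, shared->temp_cmap_memory );`. As far as the first hunk shows, `temp_cmap.len` and `current_cmap.len` are set to 256 unconditionally, so those two guards are always true and do not record whether the allocation exists; testing the pointer itself would be more direct. On the `+` side, the single `SHFREE` of `cmap_memory` runs even when the init path already freed that block after a failed FBIOGETCMAP, so that side frees twice as well. The enclosing shutdown function is not fully visible in this hunk.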
diff -urN 1/systems/fbdev/fbdev.h 2/systems/fbdev/fbdev.h
--- 1/systems/fbdev/fbdev.h 2006-06-29 10:09:36.000000000 +0530
+++ 2/systems/fbdev/fbdev.h 2006-05-03 12:52:37.000000000 +0530
@@ -57,11 +57,7 @@
struct fb_var_screeninfo orig_var; /* fbdev variable
screeninfo
before DirectFB was
started */
- // void *cmap_memory;
-
- void *orig_cmap_memory; /* Original CMAP Memory
*/
- void *current_cmap_memory; /* Current CMAP
Memory*/
- void *temp_cmap_memory; /* Temporary CMAP
Memory */
+ void *cmap_memory;
struct fb_cmap orig_cmap; /* original palette */
Regards
Srinivas.Kandagatla
Celunite Soft Systems.
Hyderbad.