Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ba21611c9c0031ca8388cae5e43b38c29c8b595d
Commit:     ba21611c9c0031ca8388cae5e43b38c29c8b595d
Parent:     b506d1b6c49a5884ff67a29bc99a1912ee20acee
Author:     Jeremy Kerr <[EMAIL PROTECTED]>
AuthorDate: Fri Jan 11 14:27:10 2008 +0100
Committer:  Linus Torvalds <[EMAIL PROTECTED]>
CommitDate: Fri Jan 11 11:47:42 2008 -0800

    ps3fb: prevent use after free of fb_info
    
    In ps3fb_shutdown, freeing the framebuffer will cause fb_info (in
    dev->core.driver_data) to be free()ed, which we potentially access
    from the ps3fbd kthread.
    
    This change frees the framebuffer after stopping the ps3fbd kthread.
    
    Signed-off-by: Jeremy Kerr <[EMAIL PROTECTED]>
    Signed-off-by: Geert Uytterhoeven <[EMAIL PROTECTED]>
    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
---
 drivers/video/ps3fb.c |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/video/ps3fb.c b/drivers/video/ps3fb.c
index b312890..ae07e02 100644
--- a/drivers/video/ps3fb.c
+++ b/drivers/video/ps3fb.c
@@ -1234,12 +1234,6 @@ static int ps3fb_shutdown(struct ps3_system_bus_device 
*dev)
        ps3fb_flip_ctl(0, &ps3fb);      /* flip off */
        ps3fb.dinfo->irq.mask = 0;
 
-       if (info) {
-               unregister_framebuffer(info);
-               fb_dealloc_cmap(&info->cmap);
-               framebuffer_release(info);
-       }
-
        ps3av_register_flip_ctl(NULL, NULL);
        if (ps3fb.task) {
                struct task_struct *task = ps3fb.task;
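Review bot: Nothing in the code records why the release block removed from the top of this hunk must not run before the kthread teardown that starts at `if (ps3fb.task) {`. A short comment there, stating that fb_info has to stay valid until ps3fbd has been stopped because the thread can still reach it through dev->core.driver_data, would keep a later cleanup from moving the release back up and reintroducing the use after free.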
@@ -1250,6 +1244,12 @@ static int ps3fb_shutdown(struct ps3_system_bus_device 
*dev)
                free_irq(ps3fb.irq_no, &dev->core);
                ps3_irq_plug_destroy(ps3fb.irq_no);
        }
+       if (info) {
+               unregister_framebuffer(info);
+               fb_dealloc_cmap(&info->cmap);
+               framebuffer_release(info);
+               info = dev->core.driver_data = NULL;
+       }
        iounmap((u8 __iomem *)ps3fb.dinfo);
 
        status = lv1_gpu_context_free(ps3fb.context_handle);
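Review bot: The added line `info = dev->core.driver_data = NULL;` goes beyond what the commit message describes, which only mentions freeing the framebuffer after stopping the kthread. Clearing driver_data after framebuffer_release() is a sensible way to avoid leaving a dangling pointer behind, but it deserves a sentence in the log. The store to the local `info` only matters if `info` is read again further down in ps3fb_shutdown, which these lines do not show; if it is not, `dev->core.driver_data = NULL;` on its own states the intent more clearly.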