commit: a50d28de8d5085e0f34f96088a45cc156d022021 From: =?UTF-8?q?Bruno=20Pr=C3=A9mont?= <[email protected]> Date: Tue, 24 May 2011 19:59:17 +0000 Subject: [PATCH] video: Fix use-after-free by vga16fb on rmmod MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
Since fb_info is now refcounted and thus may get freed at any time it gets unregistered module unloading will try to unregister framebuffer as stored in platform data on probe though this pointer may be stale. Cleanup platform data on framebuffer release. CC: [email protected] Signed-off-by: Bruno Prémont <[email protected]> Signed-off-by: Paul Mundt <[email protected]> --- drivers/video/vga16fb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/drivers/video/vga16fb.c b/drivers/video/vga16fb.c index 53b2c5a..305c975 100644 --- a/drivers/video/vga16fb.c +++ b/drivers/video/vga16fb.c @@ -1265,9 +1265,11 @@ static void vga16fb_imageblit(struct fb_info *info, const struct fb_image *image static void vga16fb_destroy(struct fb_info *info) { + struct platform_device *dev = container_of(info->device, struct platform_device, dev); iounmap(info->screen_base); fb_dealloc_cmap(&info->cmap); /* XXX unshare VGA regions */ + platform_set_drvdata(dev, NULL); framebuffer_release(info); }
_______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
