X-Patchwork-Submitter: Bruno Prémont
X-Patchwork-Id: 813612
Date: Tue, 24 May 2011 21:59:17 +0200
From: Bruno Prémont
To: Paul Mundt
Cc: linux-fbdev@vger.kernel.org
Subject: [Patch 1/2] Fix use-after-free by vga16fb on rmmod
Message-ID: <20110524215917.4b01df45@neptune.home>

Since fb_info is now refcounted and thus may get freed at any time it gets unregistered module unloading will try to unregister framebuffer as stored in platform data on probe though this pointer may be stale.

Cleanup platform data on framebuffer release.

CC: stable@kernel.org
Signed-off-by: Bruno Prémont
---
This should also go into 2.6.39 stable as it didn't make it into 2.6.39 with the rest of fb_info refcounting work.

This comes from [2.6.39-rc2, framebuffer] use after free oops ... [PATCH 0/2] fbcon sanity thread
---
diff --git a/drivers/video/vga16fb.c b/drivers/video/vga16fb.c index 53b2c5a..2bcfe32 100644 --- a/drivers/video/vga16fb.c +++ b/drivers/video/vga16fb.c @@ -1265,9 +1265,11 @@ static void vga16fb_imageblit(struct fb_info *info, const struct fb_image *image static void vga16fb_destroy(struct fb_info *info) { + struct platform_device *dev = container_of(info->device, struct platform_device, dev); iounmap(info->screen_base); fb_dealloc_cmap(&info->cmap); /* XXX unshare VGA regions */ + platform_set_drvdata(dev, NULL); framebuffer_release(info); }
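
Review bot: In vga16fb_destroy(), the added platform_set_drvdata(dev, NULL) only removes the stale pointer if the module's remove path checks what it reads back with platform_get_drvdata() for NULL before unregistering the framebuffer; that path is not part of this hunk, so please confirm it does, or include the check in this patch. The new declaration also relies on info->device always being the struct device embedded in the platform device by the time destroy runs, which deserves a short comment. As a style point, container_of(info->device, struct platform_device, dev) can be written as to_platform_device(info->device), which also shortens the declaration line.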