video: Fix use-after-free by vga16fb on rmmod
authorBruno Prémont <bonbons@linux-vserver.org>
Tue, 24 May 2011 19:59:17 +0000 (19:59 +0000)
committerPaul Mundt <lethal@linux-sh.org>
Mon, 6 Jun 2011 09:14:45 +0000 (18:14 +0900)
Since fb_info is now refcounted and thus may get freed at any time it
gets unregistered module unloading will try to unregister framebuffer
as stored in platform data on probe though this pointer may
be stale.

Cleanup platform data on framebuffer release.

CC: stable@kernel.org
Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
drivers/video/vga16fb.c

index 53b2c5aae06791becfea4721a3d0ad702e24f109..305c975b1787ea0628d600d2ac89c89cd0afdee9 100644 (file)
@@ -1265,9 +1265,11 @@ static void vga16fb_imageblit(struct fb_info *info, const struct fb_image *image
 
 static void vga16fb_destroy(struct fb_info *info)
 {
+       struct platform_device *dev = container_of(info->device, struct platform_device, dev);
        iounmap(info->screen_base);
        fb_dealloc_cmap(&info->cmap);
        /* XXX unshare VGA regions */
+       platform_set_drvdata(dev, NULL);
        framebuffer_release(info);
 }