Thread (2 messages) 2 messages, 2 authors, 2003-09-15

Re: [PATCH] cyber2000fb: New framebuffer_alloc API and class_dev changes

From: Kronos <hidden>
Date: 2003-09-15 21:29:06


On Mon, Sep 15, 2003 at 10:07:42PM +0100, Russell King wrote:
quoted
 struct cfb_info {
-	struct fb_info		fb;
+	struct fb_info		*fb;
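Review bot: changing `fb` from the embedded first member of struct cfb_info to a pointer means no code may get from a `struct fb_info *` back to its `struct cfb_info` by cast or container_of any longer; every such conversion has to go through `info->par`, as release_cfb_info() does later in this patch. A comment on the member stating who allocates the fb_info and who frees it would help, since the two structures can now be freed at different times and a stale `cfb->fb` would be a dangling pointer.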
Oh god, do we have to add yet another level of indirection all over
the framebuffer code?
Ok, I've been too vague...

Now there is a class_dev embedded in fb_info which is registered with the
driver model. We need a dynamically allocated struct fb_info.
quoted
@@ -1635,6 +1638,16 @@
 	return err;
 }
 
+static void release_cfb_info(struct fb_info *info) {
+	struct cfb_info *cfb = info->par;
+
+	iounmap(cfb->region);
+	fb_alloc_cmap(&info->cmap, 0, 0);
+
+	if (cfb->dev)
+		pci_release_regions(cfb->dev);
+}
+
 static void __devexit cyberpro_pci_remove(struct pci_dev *dev)
 {
 	struct cfb_info *cfb = pci_get_drvdata(dev);
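Review bot: release_cfb_info() dereferences `cfb->dev` and passes it to pci_release_regions(), but nothing in this hunk takes a reference on the pci_dev, so if this release function can run after cyberpro_pci_remove() has returned, the pointer is only valid as long as some other code holds a reference. Either take one explicitly where `cfb->dev` is stored (pci_dev_get(), with a matching pci_dev_put() here) or release the regions in cyberpro_pci_remove() while the device is known to be live, and note in a comment which of the two the driver relies on. Two smaller points: if the zero length in `fb_alloc_cmap(&info->cmap, 0, 0)` is meant to free the colormap, say so in a comment, because an alloc call in a teardown path reads like a mistake; and the opening brace of release_cfb_info() belongs on its own line per kernel coding style.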
Who says "cfb->dev" remains valid after the PCI device has been removed.
This looks like a perfect use-after-free bug waiting to happen.
cfb->dev is refcounted, it won't go away until we are done with the
cleanup. Maybe I misread driver core code...

Luca
-- 
Reply-To: kronos@kronoz.cjb.net
Home: http://kronoz.cjb.net
Windows NT: Designed for the Internet. The Internet: Designed for Unix.

