i810: fix kernel crash fix when struct fb_var_screeninfo is supplied
authorSamuel CUELLA <samuel.cuella@supinfo.com>
Tue, 10 Mar 2009 19:56:00 +0000 (12:56 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Tue, 10 Mar 2009 22:55:12 +0000 (15:55 -0700)
Prevent the kernel from being crashed by a divide-by-zero operation when
supplied an incorrectly filled 'struct fb_var_screeninfo' from userland.

Previously i810_main.c:1005 (i810_check_params) was using the global
'yres' symbol previously defined at i810_main.c:145 as a module parameter
value holder (i810_main.c:2174).  If i810fb is compiled-in or if this
param doesn't get a default value, this direct usage leads to a
divide-by-zero at i810_main.c:1005 (i810_check_params).  The patch simply
replace the 'yres' global, perhaps undefined symbol usage by a given
parameter structure lookup.

This problem occurs with directfb, mplayer -vo fbdev, SDL library.
It was also reported ( but non solved ) at:

http://mail.directfb.org/pipermail/directfb-dev/2008-March/004050.html

Signed-off-by: Samuel CUELLA <samuel.cuella@supinfo.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/video/i810/i810_main.c

index a24e680d2b9c0f90e3a82f443583b5a03951171d..2e940199fc892b40ceac2630019ef3cea9456c61 100644 (file)
@@ -993,6 +993,7 @@ static int i810_check_params(struct fb_var_screeninfo *var,
        struct i810fb_par *par = info->par;
        int line_length, vidmem, mode_valid = 0, retval = 0;
        u32 vyres = var->yres_virtual, vxres = var->xres_virtual;
        struct i810fb_par *par = info->par;
        int line_length, vidmem, mode_valid = 0, retval = 0;
        u32 vyres = var->yres_virtual, vxres = var->xres_virtual;
+
        /*
         *  Memory limit
         */
        /*
         *  Memory limit
         */
@@ -1002,12 +1003,12 @@ static int i810_check_params(struct fb_var_screeninfo *var,
        if (vidmem > par->fb.size) {
                vyres = par->fb.size/line_length;
                if (vyres < var->yres) {
        if (vidmem > par->fb.size) {
                vyres = par->fb.size/line_length;
                if (vyres < var->yres) {
-                       vyres = yres;
+                       vyres = info->var.yres;
                        vxres = par->fb.size/vyres;
                        vxres /= var->bits_per_pixel >> 3;
                        line_length = get_line_length(par, vxres, 
                                                      var->bits_per_pixel);
                        vxres = par->fb.size/vyres;
                        vxres /= var->bits_per_pixel >> 3;
                        line_length = get_line_length(par, vxres, 
                                                      var->bits_per_pixel);
-                       vidmem = line_length * yres;
+                       vidmem = line_length * info->var.yres;
                        if (vxres < var->xres) {
                                printk("i810fb: required video memory, "
                                       "%d bytes, for %dx%d-%d (virtual) "
                        if (vxres < var->xres) {
                                printk("i810fb: required video memory, "
                                       "%d bytes, for %dx%d-%d (virtual) "