Re: tty-related oops in latest kernel(s)?

Wed, 30 May 2007 15:15:08 -0700 

On Wed, 2007-05-30 at 19:01 +0300, Tero Roponen wrote:
> On Wed, 30 May 2007, Andrew Morton wrote:
> 
> > On Wed, 30 May 2007 15:02:49 +0300 (EEST) Tero Roponen <[EMAIL PROTECTED]> 
> > wrote:
> > 
> > > On Wed, 30 May 2007, Pekka Enberg wrote:
> > > 
> > > > On 5/30/07, Tero Roponen <[EMAIL PROTECTED]> wrote:

> [EMAIL PROTECTED] ~]# cat oops.c
> #include <sys/ioctl.h>
> #include <stdio.h>
> #include <linux/fb.h>
> #include <fcntl.h>
> 
> int main(void)
> {
>         struct fb_var_screeninfo fbinfo;
>         int fd = open("/dev/fb0", O_RDWR);
>         if (fd < 0)
>                 return 1;
> 
>         /* Get screeninfo */
>         ioctl(fd, FBIOGET_VSCREENINFO, &fbinfo);
> 
>         /* Change depth from current 16 to 24. */
>         fbinfo.bits_per_pixel = 24;
>         ioctl(fd, FBIOPUT_VSCREENINFO, &fbinfo);
> 
>         return 0;
> }
> 
> So this seems to be a framebuffer error.

It's a fb_setcolreg() bug in neofb.  Try this patch?

Tony



neofb: Fix pseudo_palette array overrun in neofb_setcolreg

The pseudo_palette has room for 16 entries only, but in truecolor mode, it
attempts to add 256.

Signed-off-by: Antonino Daplas <[EMAIL PROTECTED]>
---

 drivers/video/neofb.c |   30 ++++++++++++++++--------------
 1 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/drivers/video/neofb.c b/drivers/video/neofb.c
index bd30aba..731d7a5 100644
--- a/drivers/video/neofb.c
+++ b/drivers/video/neofb.c
@@ -1286,34 +1286,36 @@ static int neofb_setcolreg(u_int regno, 
        if (regno >= fb->cmap.len || regno > 255)
                return -EINVAL;
 
-       switch (fb->var.bits_per_pixel) {
-       case 8:
+       if (fb->var.bits_per_pixel <= 8) {
                outb(regno, 0x3c8);
 
                outb(red >> 10, 0x3c9);
                outb(green >> 10, 0x3c9);
                outb(blue >> 10, 0x3c9);
-               break;
-       case 16:
-               ((u32 *) fb->pseudo_palette)[regno] =
+       } else if (regno < 16) {
+               switch (fb->var.bits_per_pixel) {
+               case 16:
+                       ((u32 *) fb->pseudo_palette)[regno] =
                                ((red & 0xf800)) | ((green & 0xfc00) >> 5) |
                                ((blue & 0xf800) >> 11);
-               break;
-       case 24:
-               ((u32 *) fb->pseudo_palette)[regno] =
+                       break;
+               case 24:
+                       ((u32 *) fb->pseudo_palette)[regno] =
                                ((red & 0xff00) << 8) | ((green & 0xff00)) |
                                ((blue & 0xff00) >> 8);
-               break;
+                       break;
 #ifdef NO_32BIT_SUPPORT_YET
-       case 32:
-               ((u32 *) fb->pseudo_palette)[regno] =
+               case 32:
+                       ((u32 *) fb->pseudo_palette)[regno] =
                                ((transp & 0xff00) << 16) | ((red & 0xff00) << 
8) |
                                ((green & 0xff00)) | ((blue & 0xff00) >> 8);
-               break;
+                       break;
 #endif
-       default:
-               return 1;
+               default:
+                       return 1;
+               }
        }
+
        return 0;
 }

Reply via email to