From: Arjan van de Ven <arjanv@redhat.com>
Patch below fixes a thinko in the frame buffer drivers; the code does
    cursor.image.data = kmalloc(size, GFP_KERNEL);
    ....
    cursor.mask = kmalloc(size, GFP_KERNEL);
    ....
    if (copy_from_user(&cursor.image.data, sprite->image.data, size) ||
        copy_from_user(cursor.mask, sprite->mask, size)) {
    ....
where it's clear that the & in the first copy_from_user is utterly bogus: the
destination should be the content of the newly allocated buffer, not the
pointer to it, which is what the code passes.
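To make the difference between the two destinations concrete, here is a small userspace demonstration added for this write-up; it is not part of the patch or of the kernel. The struct names (demo_image, demo_cursor) are constructed stand-ins for the real fb structures, and demo_copy_from_user is a plain memcpy that returns 0 like the kernel helper, since there is no user/kernel boundary in a userspace program. The faulty copy is capped at sizeof(cursor) so the misdirected write stays inside the struct and the demonstration itself is well-defined.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures; the real ones carry more fields. */
struct demo_image  { void *data; };
struct demo_cursor { struct demo_image image; void *mask; };

/* Stand-in for copy_from_user(): no user/kernel boundary here, so it is a
 * memcpy that returns 0 on success, as the real call does. */
static unsigned long demo_copy_from_user(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

/* Copies 'size' bytes of constructed "user" data into freshly allocated image
 * and mask buffers.  buggy != 0 reproduces the '&cursor.image.data' mistake.
 * Returns 1 if both buffer pointers survive and the heap buffers received the
 * bytes, 0 if the copy landed on the struct instead, -1 on allocation failure. */
int demo_cursor_copy(int buggy, size_t size)
{
    struct demo_cursor cursor;
    unsigned char user_data[sizeof cursor], user_mask[sizeof cursor];
    void *orig_data, *orig_mask;
    int ok;

    if (size > sizeof cursor)
        size = sizeof cursor;            /* keep the faulty write inside 'cursor' */
    memset(user_data, 0xAA, sizeof user_data);   /* constructed user-supplied bytes */
    memset(user_mask, 0x55, sizeof user_mask);

    cursor.image.data = malloc(size);
    cursor.mask = malloc(size);
    if (!cursor.image.data || !cursor.mask) {
        free(cursor.image.data);
        free(cursor.mask);
        return -1;
    }
    orig_data = cursor.image.data;       /* remember where the buffers really are */
    orig_mask = cursor.mask;

    if (buggy)
        /* Destination is the address of the pointer field: 'size' bytes overwrite
         * cursor.image.data (and the fields after it) with user bytes, while the
         * heap buffer it pointed at stays untouched. */
        demo_copy_from_user(&cursor.image.data, user_data, size);
    else
        /* Destination is the buffer the pointer refers to, as in the fixed code. */
        demo_copy_from_user(cursor.image.data, user_data, size);

    ok = (cursor.image.data == orig_data && cursor.mask == orig_mask);
    if (ok) {
        demo_copy_from_user(cursor.mask, user_mask, size);
        ok = memcmp(orig_data, user_data, size) == 0 &&
             memcmp(orig_mask, user_mask, size) == 0;
    }
    /* The kernel code would carry on and write through the clobbered pointers;
     * the demo stops here and releases the buffers via the saved addresses. */
    free(orig_data);
    free(orig_mask);
    return ok;
}

int main(void)
{
    printf("fixed copy ok: %d\n", demo_cursor_copy(0, sizeof(struct demo_cursor)));
    printf("buggy copy ok: %d\n", demo_cursor_copy(1, sizeof(struct demo_cursor)));
    return 0;
}
```

Running it shows the fixed form filling both heap buffers with the pointers intact, and the buggy form replacing the pointer fields with the user bytes before a single byte reaches the allocated buffer; in the kernel the following copy_from_user would then write through whatever value the user bytes formed.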
return -ENOMEM;
}
- if (copy_from_user(&cursor.image.data, sprite->image.data, size) ||
+ if (copy_from_user(cursor.image.data, sprite->image.data, size) ||
copy_from_user(cursor.mask, sprite->mask, size)) {
kfree(cursor.image.data);
kfree(cursor.mask);
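Review bot: the change from `- if (copy_from_user(&cursor.image.data, sprite->image.data, size) ||` to `+ if (copy_from_user(cursor.image.data, sprite->image.data, size) ||` is correct and should state its effect in the commit message, because "thinko" undersells it: kmalloc leaves cursor.image.data pointing at the new buffer, so copy_from_user must receive that pointer value, not its address; with the `&`, `size` user-supplied bytes land on the image.data member of the kernel-side cursor struct and whatever follows it, while the allocated buffer is never filled. The error path in the context lines is consistent with the fix: both kmalloc calls have already succeeded by this point (the `return -ENOMEM` is above), so freeing cursor.image.data and cursor.mask together when either copy fails leaves nothing leaked.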