From: Arjan van de Ven <arjanv@redhat.com>

Patch below fixes a thinko in the frame buffer drivers; the code does

cursor.image.data = kmalloc(size, GFP_KERNEL);
....
cursor.mask = kmalloc(size, GFP_KERNEL);
....
                if (copy_from_user(&cursor.image.data, sprite->image.data, size) ||
                    copy_from_user(cursor.mask, sprite->mask, size)) {
....

where it's clear that the & in the first copy_from_user is utterly bogus
since the destination is the content of the newly allocated buffer, and not
the pointer to it as the code does.


---

 25-akpm/drivers/video/fbmem.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

diff -puN drivers/video/fbmem.c~framebuffer-bugfix drivers/video/fbmem.c
--- 25/drivers/video/fbmem.c~framebuffer-bugfix	2004-04-09 21:05:10.150488400 -0700
+++ 25-akpm/drivers/video/fbmem.c	2004-04-09 21:05:10.169485512 -0700
@@ -911,7 +911,7 @@ fb_cursor(struct fb_info *info, struct f
 			return -ENOMEM;
 		}
 		
-		if (copy_from_user(&cursor.image.data, sprite->image.data, size) ||
+		if (copy_from_user(cursor.image.data, sprite->image.data, size) ||
 		    copy_from_user(cursor.mask, sprite->mask, size)) { 
 			kfree(cursor.image.data);
 			kfree(cursor.mask);
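Review bot: the one-character change on the `-`/`+` pair is the right fix and is memory-safety relevant, not cosmetic: with the stray `&`, the destination handed to copy_from_user is the address of the pointer field `cursor.image.data` inside the local `cursor` struct, so `size` bytes of user-supplied sprite data were written over the struct's pointer field (and past it whenever `size` exceeds one pointer width) instead of into the freshly kmalloc'd buffer, leaving the allocation untouched and its pointer overwritten with user data. Dropping the `&` makes the destination the allocated buffer, consistent with the `copy_from_user(cursor.mask, sprite->mask, size)` call on the following line. The `kfree(cursor.image.data)` / `kfree(cursor.mask)` pair on the failure path covers both allocations, so nothing else in this hunk needs to change; the only follow-up worth confirming outside the visible context is that `size` is bounded before the two allocations, since it is also the copy length.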

_
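The pointer-versus-address-of-pointer mix-up described in the mail, as an added userspace illustration that is not part of the original patch or of the kernel source: `copy_from_user_stub`, `struct cursor_model` and the `USER_SPRITE` bytes are constructed stand-ins for copy_from_user, the local cursor struct and the sprite data, and the copy length is deliberately held to one pointer width so the buggy write stays within the pointer field and the demonstration has defined behaviour.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for copy_from_user(): copies n bytes from src to dst
 * and returns 0 on success. It only models where the bytes land; the real
 * call also performs access checks that do not matter for this point. */
static int copy_from_user_stub(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Constructed model of the local cursor struct: two pointers to buffers. */
struct cursor_model {
    unsigned char *data;
    unsigned char *mask;
};

/* Constructed "user" sprite bytes; only the first sizeof(void *) are copied. */
static const unsigned char USER_SPRITE[16] = {
    0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
    0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50
};

/* Models the pre-patch line with the stray '&'. Returns 1 if the copy landed
 * in the pointer field and left the allocated buffer untouched, else 0. */
int buggy_call_clobbers_pointer(void)
{
    struct cursor_model c;
    size_t size = sizeof(void *);
    unsigned char *orig;
    int clobbered;

    c.mask = NULL;
    c.data = calloc(size, 1);          /* zero-filled, like a fresh buffer */
    if (!c.data)
        return -1;
    orig = c.data;                     /* keep the real pointer for cleanup */

    /* Bug: destination is the address of the pointer, not the buffer. */
    copy_from_user_stub(&c.data, USER_SPRITE, size);

    /* The pointer field now holds sprite bytes; the buffer is still zeros. */
    clobbered = memcmp(&c.data, USER_SPRITE, size) == 0 &&
                memcmp(orig, USER_SPRITE, size) != 0;

    free(orig);                        /* c.data is garbage now; free via orig */
    return clobbered;
}

/* Models the corrected line. Returns 1 if the buffer received the bytes and
 * the pointer field is intact, else 0. */
int fixed_call_fills_buffer(void)
{
    struct cursor_model c;
    size_t size = sizeof(void *);
    unsigned char *orig;
    int ok;

    c.mask = NULL;
    c.data = calloc(size, 1);
    if (!c.data)
        return -1;
    orig = c.data;

    /* Fixed: destination is the buffer the pointer refers to. */
    copy_from_user_stub(c.data, USER_SPRITE, size);

    ok = c.data == orig && memcmp(c.data, USER_SPRITE, size) == 0;

    free(c.data);
    return ok;
}
```

In the kernel the copy length is chosen by the caller of the ioctl, so the pre-patch form also allowed writes past the pointer field into the rest of the on-stack struct; the model above stops at one pointer width only to stay within defined behaviour.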