Andrew Morton authored
From: Arjan van de Ven <arjanv@redhat.com>

Patch below fixes a thinko in the frame buffer drivers; the code does

    cursor.image.data = kmalloc(size, GFP_KERNEL);
    ....
    cursor.mask = kmalloc(size, GFP_KERNEL);
    ....
    if (copy_from_user(&cursor.image.data, sprite->image.data, size) ||
        copy_from_user(cursor.mask, sprite->mask, size)) {
    ....

where it's clear that the & in the first copy_from_user is utterly bogus since the destination is the content of the newly allocated buffer, and not the pointer to it as the code does.
e01d652a
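A userspace model of the mistake the commit message describes, added here as an example and not code from the patch or the kernel. `struct cursor_model`, `copy_from_user_model()` and `run_copy()` are hypothetical names, and `memcpy` stands in for `copy_from_user`; it shows that the `&` form leaves the allocated buffer empty while overwriting the pointer field and its neighbour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the driver's cursor structure; field names are assumptions. */
struct cursor_model {
    unsigned char *image_data;   /* models cursor.image.data */
    unsigned char *mask;         /* models cursor.mask */
    unsigned char tail[32];      /* whatever else lives after the pointers */
};

/* Userspace stand-in for copy_from_user(): returns 0 on success. */
static unsigned long copy_from_user_model(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

/* Bitmask result: 1 = buffer holds the data, 2 = image_data pointer intact,
 * 4 = mask pointer intact. 7 means the copy did what was intended. */
int run_copy(int buggy)
{
    static const unsigned char user_sprite[16] = "AAAAAAAAAAAAAAA"; /* constructed input */
    size_t size = sizeof(user_sprite); /* kept inside the struct so the demo is well defined */
    struct cursor_model c;
    memset(&c, 0, sizeof(c));
    c.image_data = calloc(1, size);
    c.mask = calloc(1, size);
    if (!c.image_data || !c.mask) { free(c.image_data); free(c.mask); return -1; }
    unsigned char *buf = c.image_data, *mask = c.mask; /* saved originals */

    if (buggy)  /* destination is the address of the pointer field */
        copy_from_user_model(&c.image_data, user_sprite, size);
    else        /* destination is the allocated buffer */
        copy_from_user_model(c.image_data, user_sprite, size);

    int r = 0;
    if (memcmp(buf, user_sprite, size) == 0) r |= 1;
    if (memcmp(&c.image_data, &buf, sizeof(buf)) == 0) r |= 2;
    if (memcmp(&c.mask, &mask, sizeof(mask)) == 0) r |= 4;
    free(buf); free(mask);
    return r;
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", run_copy(1), run_copy(0));
    return 0;
}
```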