Ok, I've found the bug, it is in fb_open() in drivers/video/fbmem.c, it
needs this addition:
if(fbidx >= FB_MAX)
return -ENODEV;
Without it, large minor numbers result in access beyond the end of
registered_fb.
On Debian, ls /dev/fb[67] results in:
crw--w--w- 1 root tty 29, 192 Nov 30 2000 /dev/fb6
crw--w--w- 1 root tty 29, 224 Nov 30 2000 /dev/fb7
On Red Hat this is:
crw------- 1 root root 29, 7 Apr 11 2002 /dev/fb7
crw------- 1 root root 29, 8 Apr 11 2002 /dev/fb8
Which explains why many don't see this bug.
Regards,
bert
-- http://www.PowerDNS.com Open source, database driven DNS Software http://lartc.org Linux Advanced Routing & Traffic Control HOWTO http://netherlabs.nl Consulting - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/