Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fb791514 authored by Zheyu Ma's avatar Zheyu Ma Committed by Greg Kroah-Hartman
Browse files

video: fbdev: sm712fb: Fix crash in smtcfb_write() 



[ Upstream commit 4f01d09b2bbfbcb47b3eb305560a7f4857a32260 ]

When the sm712fb driver writes three bytes to the framebuffer, the
driver will crash:

    BUG: unable to handle page fault for address: ffffc90001ffffff
    RIP: 0010:smtcfb_write+0x454/0x5b0
    Call Trace:
     vfs_write+0x291/0xd60
     ? do_sys_openat2+0x27d/0x350
     ? __fget_light+0x54/0x340
     ksys_write+0xce/0x190
     do_syscall_64+0x43/0x90
     entry_SYSCALL_64_after_hwframe+0x44/0xae

Fix it by removing the open-coded endianness fixup-code.

Signed-off-by: default avatarZheyu Ma <zheyuma97@gmail.com>
Signed-off-by: default avatarHelge Deller <deller@gmx.de>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 734ff111

drivers/video/fbdev/sm712fb.c

+4 −17
Original line number Diff line number Diff line
@@ -1118,7 +1118,7 @@ static ssize_t smtcfb_write(struct fb_info *info, const char __user *buf, 
		count = total_size - p;

	}



	buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, GFP_KERNEL);

	buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);

	if (!buffer)

		return -ENOMEM;
@@ -1136,24 +1136,11 @@ static ssize_t smtcfb_write(struct fb_info *info, const char __user *buf, 
			break;

		}



		for (i = c >> 2; i--;) {

			fb_writel(big_swap(*src), dst++);

		for (i = (c + 3) >> 2; i--;) {

			fb_writel(big_swap(*src), dst);

			dst++;

			src++;

		}

		if (c & 3) {

			u8 *src8 = (u8 *)src;

			u8 __iomem *dst8 = (u8 __iomem *)dst;



			for (i = c & 3; i--;) {

				if (i & 1) {

					fb_writeb(*src8++, ++dst8);

				} else {

					fb_writeb(*src8++, --dst8);

					dst8 += 2;

				}

			}

			dst = (u32 __iomem *)dst8;

		}



		*ppos += c;

		buf += c;