提交 4f01d09b 编写于 作者: Z Zheyu Ma 提交者: Helge Deller

video: fbdev: sm712fb: Fix crash in smtcfb_write()

When the sm712fb driver writes three bytes to the framebuffer, the
driver will crash:

    BUG: unable to handle page fault for address: ffffc90001ffffff
    RIP: 0010:smtcfb_write+0x454/0x5b0
    Call Trace:
     vfs_write+0x291/0xd60
     ? do_sys_openat2+0x27d/0x350
     ? __fget_light+0x54/0x340
     ksys_write+0xce/0x190
     do_syscall_64+0x43/0x90
     entry_SYSCALL_64_after_hwframe+0x44/0xae

Fix it by removing the open-coded endianness fixup-code.
Signed-off-by: NZheyu Ma <zheyuma97@gmail.com>
Signed-off-by: NHelge Deller <deller@gmx.de>
上级 961e366c
...@@ -1119,7 +1119,7 @@ static ssize_t smtcfb_write(struct fb_info *info, const char __user *buf, ...@@ -1119,7 +1119,7 @@ static ssize_t smtcfb_write(struct fb_info *info, const char __user *buf,
count = total_size - p; count = total_size - p;
} }
buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, GFP_KERNEL); buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
if (!buffer) if (!buffer)
return -ENOMEM; return -ENOMEM;
...@@ -1137,24 +1137,11 @@ static ssize_t smtcfb_write(struct fb_info *info, const char __user *buf, ...@@ -1137,24 +1137,11 @@ static ssize_t smtcfb_write(struct fb_info *info, const char __user *buf,
break; break;
} }
for (i = c >> 2; i--;) { for (i = (c + 3) >> 2; i--;) {
fb_writel(big_swap(*src), dst++); fb_writel(big_swap(*src), dst);
dst++;
src++; src++;
} }
if (c & 3) {
u8 *src8 = (u8 *)src;
u8 __iomem *dst8 = (u8 __iomem *)dst;
for (i = c & 3; i--;) {
if (i & 1) {
fb_writeb(*src8++, ++dst8);
} else {
fb_writeb(*src8++, --dst8);
dst8 += 2;
}
}
dst = (u32 __iomem *)dst8;
}
*ppos += c; *ppos += c;
buf += c; buf += c;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册