video: fbdev: sm712fb: Fix crash in smtcfb_write()

When the sm712fb driver writes three bytes to the framebuffer, the
driver will crash:

    BUG: unable to handle page fault for address: ffffc90001ffffff
    RIP: 0010:smtcfb_write+0x454/0x5b0
    Call Trace:
     vfs_write+0x291/0xd60
     ? do_sys_openat2+0x27d/0x350
     ? __fget_light+0x54/0x340
     ksys_write+0xce/0x190
     do_syscall_64+0x43/0x90
     entry_SYSCALL_64_after_hwframe+0x44/0xae

Fix it by removing the open-coded endianness fixup-code.

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>

diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c
index b60a273..092a1ca 100644 (file)
--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -1119,7 +1119,7 @@ static ssize_t smtcfb_write(struct fb_info *info, const char __user *buf,
                count = total_size - p;
        }
 
-       buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, GFP_KERNEL);
+       buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
        if (!buffer)
                return -ENOMEM;
 
@@ -1137,24 +1137,11 @@ static ssize_t smtcfb_write(struct fb_info *info, const char __user *buf,
                        break;
                }
 
-               for (i = c >> 2; i--;) {
-                       fb_writel(big_swap(*src), dst++);
+               for (i = (c + 3) >> 2; i--;) {
+                       fb_writel(big_swap(*src), dst);
+                       dst++;
                        src++;
                }
-               if (c & 3) {
-                       u8 *src8 = (u8 *)src;
-                       u8 __iomem *dst8 = (u8 __iomem *)dst;
-
-                       for (i = c & 3; i--;) {
-                               if (i & 1) {
-                                       fb_writeb(*src8++, ++dst8);
-                               } else {
-                                       fb_writeb(*src8++, --dst8);
-                                       dst8 += 2;
-                               }
-                       }
-                       dst = (u32 __iomem *)dst8;
-               }
 
                *ppos += c;
                buf += c;