Patch "video: fbdev: sm712fb: Fix crash in smtcfb_write()" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 2 Apr 2022 12:15:06 -0400

This is a note to let you know that I've just added the patch titled

    video: fbdev: sm712fb: Fix crash in smtcfb_write()

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     video-fbdev-sm712fb-fix-crash-in-smtcfb_write.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit f553c51b221fca7b4f2f38d90357f4f6f9acc6ec
Author: Zheyu Ma <zheyuma97@xxxxxxxxx>
Date:   Wed Mar 2 22:33:11 2022 +0800

    video: fbdev: sm712fb: Fix crash in smtcfb_write()
    
    [ Upstream commit 4f01d09b2bbfbcb47b3eb305560a7f4857a32260 ]
    
    When the sm712fb driver writes three bytes to the framebuffer, the
    driver will crash:
    
        BUG: unable to handle page fault for address: ffffc90001ffffff
        RIP: 0010:smtcfb_write+0x454/0x5b0
        Call Trace:
         vfs_write+0x291/0xd60
         ? do_sys_openat2+0x27d/0x350
         ? __fget_light+0x54/0x340
         ksys_write+0xce/0x190
         do_syscall_64+0x43/0x90
         entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    Fix it by removing the open-coded endianness fixup-code.
    
    Signed-off-by: Zheyu Ma <zheyuma97@xxxxxxxxx>
    Signed-off-by: Helge Deller <deller@xxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/video/fbdev/sm712fb.c b/drivers/video/fbdev/sm712fb.c
index 0dbc6bf8268a..e355089ac7d6 100644
--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -1130,7 +1130,7 @@ static ssize_t smtcfb_write(struct fb_info *info, const char __user *buf,
 		count = total_size - p;
 	}
 
-	buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, GFP_KERNEL);
+	buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!buffer)
 		return -ENOMEM;
 
@@ -1148,24 +1148,11 @@ static ssize_t smtcfb_write(struct fb_info *info, const char __user *buf,
 			break;
 		}
 
-		for (i = c >> 2; i--;) {
-			fb_writel(big_swap(*src), dst++);
+		for (i = (c + 3) >> 2; i--;) {
+			fb_writel(big_swap(*src), dst);
+			dst++;
 			src++;
 		}
-		if (c & 3) {
-			u8 *src8 = (u8 *)src;
-			u8 __iomem *dst8 = (u8 __iomem *)dst;
-
-			for (i = c & 3; i--;) {
-				if (i & 1) {
-					fb_writeb(*src8++, ++dst8);
-				} else {
-					fb_writeb(*src8++, --dst8);
-					dst8 += 2;
-				}
-			}
-			dst = (u32 __iomem *)dst8;
-		}
 
 		*ppos += c;
 		buf += c;






