Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1011244pxb; Wed, 6 Apr 2022 06:40:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxw+4rBmD+BpmAWbOMxQqTfWQAkEaKkmXDtNBw4g7LVnc5uJC4ry6RnM7TBjLDRexsIfc7M X-Received: by 2002:a17:902:e791:b0:151:dbbd:aeae with SMTP id cp17-20020a170902e79100b00151dbbdaeaemr8687708plb.171.1649252433651; Wed, 06 Apr 2022 06:40:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649252433; cv=none; d=google.com; s=arc-20160816; b=hZu9QaTSgL87kkj7BHh7Yp0OhCs573RhiUtrZOVcsvAfx2hZeJ4+JH3Ie4ZZyZdoOG 7G2riboDLALHGIA+3S1J8Adq1mDQTSUi7/P0VaWAomiZs5/SnDwtD24+hGrCnfeFDidO UXR+81CaJFxbz6sacj+oBbDogfvA9+DWK04YLkqo2KNt/09qiuT1dEq0X5BoOc8lCQJ/ 0Dl6UzKKQQnTpYuTNmcj5Hw3NarskgyOBkq22bMj2QTcOs5zCOm8c42wvPJ8PpGjYobd uYXFkouszVcO9EErthO+EAYU2w4RPoqL8vM8tX+5OJYME5jfzVYrIRAjLZ4ouzXo2U7p EDZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=x4eYxcN4jg/qokdcpVQHX8C7weXlHf/tFvb18+IQAfQ=; b=MGhBtYbu/rRC30rr9Dtxdf/ZZIP5DDuJyFL0TQDMX4eUz9EnL8j5FoWEZojLTnb+Rw 25v7n7STmgpcisR9p5ZyOPlcUW9cbvxvZHBTWbaFL+vFW+Hke2U3/Xs3am1tT8Ypfszp 1B9/Y11sI47dvzR8XU5BSe2exUktTxblDuYj8sYbP7Kj0hxjgQ23ukdo5BFVNUrELtYB rO9ZEEzkW5ua+MeAdbjZJsI3m2xhtCoskIJgzr7Qr0H3KCpJMTCi/N7HBx4BxCDGTbJf m4muJld/zujGi7jrcaPryhECZ4RA3afZTwc7u2mYVtEo5EBDRvH/FcMXr6b2Kd3vzaDS jZwA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="oHAJy/+P"; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id m10-20020a638c0a000000b00382b21d7a89si17906803pgd.99.2022.04.06.06.40.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Apr 2022 06:40:33 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="oHAJy/+P"; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id B680854332F; Wed, 6 Apr 2022 04:27:15 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1453107AbiDEWco (ORCPT + 99 others); Tue, 5 Apr 2022 18:32:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53526 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1355365AbiDEKTd (ORCPT ); Tue, 5 Apr 2022 06:19:33 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A700327FEC; Tue, 5 Apr 2022 03:04:49 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 38758B81BC0; Tue, 5 Apr 2022 10:04:48 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8CEDFC385A2; Tue, 5 Apr 2022 10:04:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1649153086; bh=Cw2NlYAm/sub3uTEA3b2qIyrR3JDeMkKrC26amsoKtQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=oHAJy/+PL51AzoM/nN/TOBZmwl/pMjG3u2J+3waXchDLT4BF3+Xkz/WUVQCjvJBad /uLI/rAHmHXnoYQAzr0HqhdXf6s4kt4800yKn+4529B/4tEaq5RupOeEanG4VroTQ4 48mr4uFudAR+p/Jo8BT5Z4O4xtAz9IsNhLXR3uRo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Zheyu Ma , Helge Deller Subject: [PATCH 5.10 097/599] video: fbdev: sm712fb: Fix crash in smtcfb_read() Date: Tue, 5 Apr 2022 09:26:31 +0200 Message-Id: <20220405070301.717839647@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220405070258.802373272@linuxfoundation.org> References: <20220405070258.802373272@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Helge Deller commit bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8 upstream. Zheyu Ma reported this crash in the sm712fb driver when reading three bytes from the framebuffer: BUG: unable to handle page fault for address: ffffc90001ffffff RIP: 0010:smtcfb_read+0x230/0x3e0 Call Trace: vfs_read+0x198/0xa00 ? do_sys_openat2+0x27d/0x350 ? __fget_light+0x54/0x340 ksys_read+0xce/0x190 do_syscall_64+0x43/0x90 Fix it by removing the open-coded endianess fixup-code and by moving the pointer post decrement out the fb_readl() function. Reported-by: Zheyu Ma Signed-off-by: Helge Deller Tested-by: Zheyu Ma Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- drivers/video/fbdev/sm712fb.c | 25 +++++++------------------ 1 file changed, 7 insertions(+), 18 deletions(-) --- a/drivers/video/fbdev/sm712fb.c +++ b/drivers/video/fbdev/sm712fb.c @@ -1047,7 +1047,7 @@ static ssize_t smtcfb_read(struct fb_inf if (count + p > total_size) count = total_size - p; - buffer = kmalloc((count > PAGE_SIZE) ? PAGE_SIZE : count, GFP_KERNEL); + buffer = kmalloc(PAGE_SIZE, GFP_KERNEL); if (!buffer) return -ENOMEM; @@ -1059,25 +1059,14 @@ static ssize_t smtcfb_read(struct fb_inf while (count) { c = (count > PAGE_SIZE) ? PAGE_SIZE : count; dst = buffer; - for (i = c >> 2; i--;) { - *dst = fb_readl(src++); - *dst = big_swap(*dst); + for (i = (c + 3) >> 2; i--;) { + u32 val; + + val = fb_readl(src); + *dst = big_swap(val); + src++; dst++; } - if (c & 3) { - u8 *dst8 = (u8 *)dst; - u8 __iomem *src8 = (u8 __iomem *)src; - - for (i = c & 3; i--;) { - if (i & 1) { - *dst8++ = fb_readb(++src8); - } else { - *dst8++ = fb_readb(--src8); - src8 += 2; - } - } - src = (u32 __iomem *)src8; - } if (copy_to_user(buf, buffer, c)) { err = -EFAULT;