From 386f40c86d6c8d5b717ef20620af1a750d0dacb4 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Sun, 6 Jun 2010 20:44:04 -0700 Subject: Revert "tty: fix a little bug in scrup, vt.c" This reverts commit 962400e8fd29981a7b166e463dd143b6ac6a3e76, which was entirely bogus. The code used to multiply the character offset by "vc->vc_cols", and that's actually correct, because 'd' itself is an 'unsigned short'. So the pointer arithmetic already takes the size of a VGA character into account. Changing it to use vc_size_row (which is just "vc_cols" shifted up to take the size of the character into account) ends up multiplying with the VGA character size twice. This got reported as bugs for various other subsystems, because what it actually results in is writing the 16-bit vc_video_erase_char pattern (usually 0x0720: 0x07 is the default attribute, 0x20 is ASCII space) into some random other allocation. So Markus ended up reporting this as a ext4 bug, while to Torsten Kaiser it looked like a problem with KMS or libata. Jeff Chua saw it in different places. And finally - Justin Mattock had slab poisoning enabled, and saw it as a slab poison overwritten. And bisected and reverted this to verify the buggy commit. Reported-by: Markus Trippelsdorf Reported-by: Torsten Kaiser Reported-by: Jeff Chua Reported-by: Justin P. Mattock Reported-bisected-and-tested-by: Justin P. Mattock Acked-by: Dave Airlie Cc: Frank Pan Cc: Greg Kroah-Hartman Signed-off-by: Linus Torvalds --- drivers/char/vt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/vt.c b/drivers/char/vt.c index 1296c42..7cdb6ee 100644 --- a/drivers/char/vt.c +++ b/drivers/char/vt.c @@ -304,7 +304,7 @@ static void scrup(struct vc_data *vc, unsigned int t, unsigned int b, int nr) d = (unsigned short *)(vc->vc_origin + vc->vc_size_row * t); s = (unsigned short *)(vc->vc_origin + vc->vc_size_row * (t + nr)); scr_memmovew(d, s, (b - t - nr) * vc->vc_size_row); - scr_memsetw(d + (b - t - nr) * vc->vc_size_row, vc->vc_video_erase_char, + scr_memsetw(d + (b - t - nr) * vc->vc_cols, vc->vc_video_erase_char, vc->vc_size_row * nr); } -- cgit v1.1