Revert "tty: fix a little bug in scrup, vt.c"

This reverts commit 962400e8, which was
entirely bogus.

The code used to multiply the character offset by "vc->vc_cols", and
that's actually correct, because 'd' itself is an 'unsigned short'.  So
the pointer arithmetic already takes the size of a VGA character into
account.  Changing it to use vc_size_row (which is just "vc_cols"
shifted up to take the size of the character into account) ends up
multiplying with the VGA character size twice.

This got reported as bugs for various other subsystems, because what it
actually results in is writing the 16-bit vc_video_erase_char pattern
(usually 0x0720: 0x07 is the default attribute, 0x20 is ASCII space)
into some random other allocation.

So Markus ended up reporting this as a ext4 bug, while to Torsten Kaiser
it looked like a problem with KMS or libata.  Jeff Chua saw it in
different places.

And finally - Justin Mattock had slab poisoning enabled, and saw it as a
slab poison overwritten.  And bisected and reverted this to verify the
buggy commit.
Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Reported-by: Torsten Kaiser <just.for.lkml@googlemail.com>
Reported-by: Jeff Chua <jeff.chua.linux@gmail.com>
Reported-by: Justin P. Mattock <justinmattock@gmail.com>
Reported-bisected-and-tested-by: Justin P. Mattock <justinmattock@gmail.com>
Acked-by: Dave Airlie <airlied@redhat.com>
Cc: Frank Pan <frankpzh@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

drivers/char/vt.c

@@ -304,7 +304,7 @@ static void scrup(struct vc_data *vc, unsigned int t, unsigned int b, int nr)
 	d = (unsigned short *)(vc->vc_origin + vc->vc_size_row * t);
 	s = (unsigned short *)(vc->vc_origin + vc->vc_size_row * (t + nr));
 	scr_memmovew(d, s, (b - t - nr) * vc->vc_size_row);
-	scr_memsetw(d + (b - t - nr) * vc->vc_size_row, vc->vc_video_erase_char,
+	scr_memsetw(d + (b - t - nr) * vc->vc_cols, vc->vc_video_erase_char,
 		    vc->vc_size_row * nr);
 }