From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zheyu Ma, Sam Ravnborg, Sasha Levin, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 5.14 070/252] video: fbdev: riva: Error out if 'pixclock' equals zero
Date: Thu, 9 Sep 2021 07:38:04 -0400
Message-Id: <20210909114106.141462-70-sashal@kernel.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210909114106.141462-1-sashal@kernel.org>
References: <20210909114106.141462-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zheyu Ma

[ Upstream commit f92763cb0feba247e0939ed137b495601fd072a5 ]

The userspace program could pass any values to the driver through the
ioctl() interface. If the driver doesn't check the value of 'pixclock',
it may cause a divide error.

Fix this by checking whether 'pixclock' is zero first.

The following log reveals it:

[ 33.396850] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
[ 33.396864] CPU: 5 PID: 11754 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #222
[ 33.396883] RIP: 0010:riva_load_video_mode+0x417/0xf70
[ 33.396969] Call Trace:
[ 33.396973] ? debug_smp_processor_id+0x1c/0x20
[ 33.396984] ? tick_nohz_tick_stopped+0x1a/0x90
[ 33.396996] ? rivafb_copyarea+0x3c0/0x3c0
[ 33.397003] ? wake_up_klogd.part.0+0x99/0xd0
[ 33.397014] ? vprintk_emit+0x110/0x4b0
[ 33.397024] ? vprintk_default+0x26/0x30
[ 33.397033] ? vprintk+0x9c/0x1f0
[ 33.397041] ? printk+0xba/0xed
[ 33.397054] ? record_print_text.cold+0x16/0x16
[ 33.397063] ? __kasan_check_read+0x11/0x20
[ 33.397074] ? profile_tick+0xc0/0x100
[ 33.397084] ? __sanitizer_cov_trace_const_cmp4+0x24/0x80
[ 33.397094] ? riva_set_rop_solid+0x2a0/0x2a0
[ 33.397102] rivafb_set_par+0xbe/0x610
[ 33.397111] ? riva_set_rop_solid+0x2a0/0x2a0
[ 33.397119] fb_set_var+0x5bf/0xeb0
[ 33.397127] ? fb_blank+0x1a0/0x1a0
[ 33.397134] ? lock_acquire+0x1ef/0x530
[ 33.397143] ? lock_release+0x810/0x810
[ 33.397151] ? lock_is_held_type+0x100/0x140
[ 33.397159] ? ___might_sleep+0x1ee/0x2d0
[ 33.397170] ? __mutex_lock+0x620/0x1190
[ 33.397180] ? trace_hardirqs_on+0x6a/0x1c0
[ 33.397190] do_fb_ioctl+0x31e/0x700

Signed-off-by: Zheyu Ma
Signed-off-by: Sam Ravnborg
Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-4-git-send-email-zheyuma97@gmail.com
Signed-off-by: Sasha Levin
---
 drivers/video/fbdev/riva/fbdev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/riva/fbdev.c b/drivers/video/fbdev/riva/fbdev.c index 55554b0433cb..84d5e23ad7d3 100644 --- a/drivers/video/fbdev/riva/fbdev.c 
+++ b/drivers/video/fbdev/riva/fbdev.c @@ -1084,6 +1084,9 @@ static int rivafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) int mode_valid = 0; NVTRACE_ENTER(); + if (!var->pixclock) + return -EINVAL; + switch (var->bits_per_pixel) { case 1 ... 8: var->red.offset = var->green.offset = var->blue.offset = 0; -- 2.30.2
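
Review bot: the new `if (!var->pixclock) return -EINVAL;` in rivafb_check_var() sits after NVTRACE_ENTER(), so the rejected path logs a function entry and then returns directly; placing the check ahead of NVTRACE_ENTER(), or leaving through whatever exit trace this function uses, would keep the trace output balanced. The check also carries no comment: the reason for rejecting zero (the divide error at riva_load_video_mode+0x417 shown in the log, reached through fb_set_var and rivafb_set_par) is only in the commit message, and a one-line comment above the test saying that 'pixclock' is later used as a divisor would keep that reasoning next to the code. Note that the test covers only an exact zero, which is the case the log demonstrates.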