From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zheyu Ma, Sam Ravnborg, Sasha Levin, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 18/59] video: fbdev: kyro: Error out if 'pixclock' equals zero
Date: Thu, 9 Sep 2021 07:58:19 -0400
Message-Id: <20210909115900.149795-18-sashal@kernel.org>
In-Reply-To: <20210909115900.149795-1-sashal@kernel.org>
References: <20210909115900.149795-1-sashal@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zheyu Ma

[ Upstream commit 1520b4b7ba964f8eec2e7dd14c571d50de3e5191 ]

The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of 'pixclock',
it may cause divide error because the value of 'lineclock' and
'frameclock' will be zero.

Fix this by checking whether 'pixclock' is zero in kyrofb_check_var().

The following log reveals it:

[ 103.073930] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
[ 103.073942] CPU: 4 PID: 12483 Comm: syz-executor Not tainted 5.14.0-rc2-00478-g2734d6c1b1a0-dirty #118
[ 103.073959] RIP: 0010:kyrofb_set_par+0x316/0xc80
[ 103.074045] Call Trace:
[ 103.074048] ? ___might_sleep+0x1ee/0x2d0
[ 103.074060] ? kyrofb_ioctl+0x330/0x330
[ 103.074069] fb_set_var+0x5bf/0xeb0
[ 103.074078] ? fb_blank+0x1a0/0x1a0
[ 103.074085] ? lock_acquire+0x3bd/0x530
[ 103.074094] ? lock_release+0x810/0x810
[ 103.074103] ? ___might_sleep+0x1ee/0x2d0
[ 103.074114] ? __mutex_lock+0x620/0x1190
[ 103.074126] ? trace_hardirqs_on+0x6a/0x1c0
[ 103.074137] do_fb_ioctl+0x31e/0x700
[ 103.074144] ? fb_getput_cmap+0x280/0x280
[ 103.074152] ? rcu_read_lock_sched_held+0x11/0x80
[ 103.074162] ? rcu_read_lock_sched_held+0x11/0x80
[ 103.074171] ? __sanitizer_cov_trace_switch+0x67/0xf0
[ 103.074181] ? __sanitizer_cov_trace_const_cmp2+0x20/0x80
[ 103.074191] ? do_vfs_ioctl+0x14b/0x16c0
[ 103.074199] ? vfs_fileattr_set+0xb60/0xb60
[ 103.074207] ? rcu_read_lock_sched_held+0x11/0x80
[ 103.074216] ? lock_release+0x483/0x810
[ 103.074224] ? __fget_files+0x217/0x3d0
[ 103.074234] ? __fget_files+0x239/0x3d0
[ 103.074243] ? do_fb_ioctl+0x700/0x700
[ 103.074250] fb_ioctl+0xe6/0x130

Signed-off-by: Zheyu Ma
Signed-off-by: Sam Ravnborg
Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-3-git-send-email-zheyuma97@gmail.com
Signed-off-by: Sasha Levin
---
 drivers/video/fbdev/kyro/fbdev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/kyro/fbdev.c b/drivers/video/fbdev/kyro/fbdev.c index d7aa431e6846..74bf26b527b9 100644 --- a/drivers/video/fbdev/kyro/fbdev.c +++ b/drivers/video/fbdev/kyro/fbdev.c @@ -399,6 +399,9 @@ static int kyrofb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) { struct kyrofb_info *par = info->par; + if (!var->pixclock) + return -EINVAL; + if (var->bits_per_pixel != 16 && var->bits_per_pixel != 32) { printk(KERN_WARNING "kyrofb: depth not supported: %u\n", var->bits_per_pixel); return -EINVAL; -- 2.30.2
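
Review bot: the new `if (!var->pixclock) return -EINVAL;` at the top of kyrofb_check_var() rejects the request silently and without a comment, while the bits_per_pixel check directly below it logs a KERN_WARNING before returning the same -EINVAL. A one-line comment saying that a zero 'pixclock' would later be used as a divisor (the trace in the commit message faults in kyrofb_set_par(), reached from fb_set_var()) would keep the guard from being dropped in a later cleanup, and a matching warning would make the two rejection paths consistent for anyone debugging a failed FBIOPUT_VSCREENINFO. The guard also sits only in the validation function; the division site itself is not in this hunk, so the fix depends on every caller of kyrofb_set_par() having gone through kyrofb_check_var() first, which is worth stating in the commit message or confirming in review.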