From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zheyu Ma, Sam Ravnborg, Sasha Levin
Subject: [PATCH 5.14 222/432] video: fbdev: riva: Error out if pixclock equals zero
Date: Thu, 16 Sep 2021 17:59:31 +0200
Message-Id: <20210916155818.366900644@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20210916155810.813340753@linuxfoundation.org>
References: <20210916155810.813340753@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Zheyu Ma

[ Upstream commit f92763cb0feba247e0939ed137b495601fd072a5 ]

The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of 'pixclock',
it may cause divide error.

Fix this by checking whether 'pixclock' is zero first.

The following log reveals it:

[ 33.396850] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
[ 33.396864] CPU: 5 PID: 11754 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #222
[ 33.396883] RIP: 0010:riva_load_video_mode+0x417/0xf70
[ 33.396969] Call Trace:
[ 33.396973] ? debug_smp_processor_id+0x1c/0x20
[ 33.396984] ? tick_nohz_tick_stopped+0x1a/0x90
[ 33.396996] ? rivafb_copyarea+0x3c0/0x3c0
[ 33.397003] ? wake_up_klogd.part.0+0x99/0xd0
[ 33.397014] ? vprintk_emit+0x110/0x4b0
[ 33.397024] ? vprintk_default+0x26/0x30
[ 33.397033] ? vprintk+0x9c/0x1f0
[ 33.397041] ? printk+0xba/0xed
[ 33.397054] ? record_print_text.cold+0x16/0x16
[ 33.397063] ? __kasan_check_read+0x11/0x20
[ 33.397074] ? profile_tick+0xc0/0x100
[ 33.397084] ? __sanitizer_cov_trace_const_cmp4+0x24/0x80
[ 33.397094] ? riva_set_rop_solid+0x2a0/0x2a0
[ 33.397102] rivafb_set_par+0xbe/0x610
[ 33.397111] ? riva_set_rop_solid+0x2a0/0x2a0
[ 33.397119] fb_set_var+0x5bf/0xeb0
[ 33.397127] ? fb_blank+0x1a0/0x1a0
[ 33.397134] ? lock_acquire+0x1ef/0x530
[ 33.397143] ? lock_release+0x810/0x810
[ 33.397151] ? lock_is_held_type+0x100/0x140
[ 33.397159] ? ___might_sleep+0x1ee/0x2d0
[ 33.397170] ? __mutex_lock+0x620/0x1190
[ 33.397180] ? trace_hardirqs_on+0x6a/0x1c0
[ 33.397190] do_fb_ioctl+0x31e/0x700

Signed-off-by: Zheyu Ma
Signed-off-by: Sam Ravnborg
Link: https://patchwork.freedesktop.org/patch/msgid/1627293835-17441-4-git-send-email-zheyuma97@gmail.com
Signed-off-by: Sasha Levin
--- drivers/video/fbdev/riva/fbdev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/fbdev/riva/fbdev.c b/drivers/video/fbdev/riva/fbdev.c index 55554b0433cb..84d5e23ad7d3 100644 --- a/drivers/video/fbdev/riva/fbdev.c 
+++ b/drivers/video/fbdev/riva/fbdev.c @@ -1084,6 +1084,9 @@ static int rivafb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) int mode_valid = 0; NVTRACE_ENTER(); + if (!var->pixclock) + return -EINVAL; + switch (var->bits_per_pixel) { case 1 ... 8: var->red.offset = var->green.offset = var->blue.offset = 0; -- 2.30.2
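Review bot: the new `if (!var->pixclock)` check in rivafb_check_var() returns after NVTRACE_ENTER() has already run, so if the function emits a matching leave trace on its normal exit, this path is logged as entered but never as left; placing the check above NVTRACE_ENTER() would avoid that. The check also has no comment, and its reason is not visible from this function: per the call trace in the commit message, the division happens later in riva_load_video_mode(), reached through rivafb_set_par(). A one-line comment saying that pixclock is used as a divisor there would help the next reader. Since the guard lives only in check_var, it is worth confirming that every path into riva_load_video_mode() has passed through rivafb_check_var() first.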