Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1112325pxb; Tue, 26 Oct 2021 03:02:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyHaSTXbsEts4ICb3+ooiK5XTbt7MiMh+KBAmaIwgTficaat3cZsLEUQMirabDuGIFb1DsN X-Received: by 2002:a17:90b:316:: with SMTP id ay22mr27847723pjb.114.1635242522632; Tue, 26 Oct 2021 03:02:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635242522; cv=none; d=google.com; s=arc-20160816; b=yamGYTTAMLpu4GphVfj0CYVsMoGS+isbtuDq0/1LRFWaMAcUuWuJwl8fSJaJpTuiw5 Juqo9NIPVsOk2Pq1zPZ4ArKcXCdYb49FF1Eg5dUhzvjgw1GXjI0M16ztkeYVy1Go80bE lt4Gy3ckAr4L1IAJ8FDTTjMSraJuVSStyQwI5++Yx7+F+CNIKJR+ASlyQRhUc7S8zouK yWB36/1gH2esfsGvVBztMkOGXI4qRSgpa0m8EZl5Dq1CR91uvFhpEylJQLa5C3UbDU08 Bue5Vvj5xJGAXLkXNjy+2ZEjJgLGQChcZlhikH0RTZkIPBnbOzMcVfvJRLlPcpIN3Xr+ PcJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version; bh=/ahLicdrMZ8Rl440uYSQXYfqc+SmHqq4WEC7k8rF9Ug=; b=NBisvfBpQXaHurk36y5Mo7a90a1fqriDd1Uc8MBWbd7+eCk1M3jOWduA2MuCfO5SkS D/sNsf9JK2OvIB3Uh/otCPD9Umhh3S05hYoTa1t6U7lNCWsn34i66J0oD2sHjkIs3K6L KzNKZ1obqktKNWstvUpsb1fJzZ/sH+rMdOD6WzETp2Dq05YwXvjTLlqhQwvBmgt+MBvG IvbpsXt13ehC9v2RXieiT8pgTja+bOI5W/3jV18BsRWTnqpS9KoUn6h5FdDN4LYpJ0H7 8Eu+X47c7dXqWq4aRqCB9UM/XGdvUaCYx5U6vZcWj0P/WQucNouP8AbzNVDYPKvkWMJU +hKQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v5si174611pja.49.2021.10.26.03.01.49; Tue, 26 Oct 2021 03:02:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234162AbhJZIcw (ORCPT + 99 others); Tue, 26 Oct 2021 04:32:52 -0400 Received: from mail-ua1-f46.google.com ([209.85.222.46]:40566 "EHLO mail-ua1-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233763AbhJZIcv (ORCPT ); Tue, 26 Oct 2021 04:32:51 -0400 Received: by mail-ua1-f46.google.com with SMTP id e2so27566593uax.7; Tue, 26 Oct 2021 01:30:28 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/ahLicdrMZ8Rl440uYSQXYfqc+SmHqq4WEC7k8rF9Ug=; b=nJQNBL8XEiQozrks0YYPNf652DyOmi04Pwuc5YJVahKKahNNfaTRccZ8IzzxIvwzzl eX5P0KlJifyScpGC6JaPqom9U+VxyjgD1I5v/oydqnw+A2Oo/1NTGXz4+ccrATOsyHsV F2+kWeOG2m8h95rtX6jYHSfjaKkFGhtCfvEaa0F/Nac7y2oohxdyBF5lj2SwQ/QE3EWM yfRf8ku6DmwsuEdAxezjnrhlsiHFHBfGUoLNmBV+lzGOLx8HmP485cHmoFTCjiSswEYC 41s0J4MW8Gl2ANCIl/4kKfmSjt4sAuartvEFYD4LCY2fXyWpfYi78Nz/uWURacMp3GFK Zfvg== X-Gm-Message-State: AOAM5329oSMu4xlvAf+XDf7mcskbw6dSYRWC8GurwanvqzRn1c9pYiqQ j5stRu1R0f4U8iSP5l8oDsPqa5lFq5rr/A== X-Received: by 2002:a05:6102:38ce:: with SMTP id k14mr21833917vst.6.1635237027568; Tue, 26 Oct 2021 01:30:27 -0700 (PDT) Received: from mail-ua1-f44.google.com (mail-ua1-f44.google.com. [209.85.222.44]) by smtp.gmail.com with ESMTPSA id v2sm5180563uao.3.2021.10.26.01.30.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 26 Oct 2021 01:30:27 -0700 (PDT) Received: by mail-ua1-f44.google.com with SMTP id f4so27587239uad.4; Tue, 26 Oct 2021 01:30:27 -0700 (PDT) X-Received: by 2002:ab0:2bd2:: with SMTP id s18mr21259739uar.78.1635237026866; Tue, 26 Oct 2021 01:30:26 -0700 (PDT) MIME-Version: 1.0 References: <1635188490-15082-1-git-send-email-george.kennedy@oracle.com> <0ddb1c19-64b0-4117-7a92-c3d2fcddfdcf@oracle.com> In-Reply-To: <0ddb1c19-64b0-4117-7a92-c3d2fcddfdcf@oracle.com> From: Geert Uytterhoeven Date: Tue, 26 Oct 2021 10:30:15 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] video: fbdev: cirrusfb: check pixclock to avoid divide by zero To: George Kennedy Cc: Greg KH , Thomas Zimmermann , Sam Ravnborg , DRI Development , Linux Fbdev development list , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi George, On Mon, Oct 25, 2021 at 9:37 PM George Kennedy wrote: > On 10/25/2021 3:07 PM, Greg KH wrote: > > On Mon, Oct 25, 2021 at 02:01:30PM -0500, George Kennedy wrote: > >> Do a sanity check on pixclock value before using it as a divisor. > >> > >> Syzkaller reported a divide error in cirrusfb_check_pixclock. > >> > >> divide error: 0000 [#1] SMP KASAN PTI > >> CPU: 0 PID: 14938 Comm: cirrusfb_test Not tainted 5.15.0-rc6 #1 > >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2 > >> RIP: 0010:cirrusfb_check_var+0x6f1/0x1260 > >> > >> Call Trace: > >> fb_set_var+0x398/0xf90 > >> do_fb_ioctl+0x4b8/0x6f0 > >> fb_ioctl+0xeb/0x130 > >> __x64_sys_ioctl+0x19d/0x220 > >> do_syscall_64+0x3a/0x80 > >> entry_SYSCALL_64_after_hwframe+0x44/0xae > >> > >> Signed-off-by: George Kennedy > >> --- > >> drivers/video/fbdev/cirrusfb.c | 3 +++ > >> 1 file changed, 3 insertions(+) > >> > >> diff --git a/drivers/video/fbdev/cirrusfb.c b/drivers/video/fbdev/cirrusfb.c > >> index 93802ab..099ddcb 100644 > >> --- a/drivers/video/fbdev/cirrusfb.c > >> +++ b/drivers/video/fbdev/cirrusfb.c > >> @@ -477,6 +477,9 @@ static int cirrusfb_check_pixclock(const struct fb_var_screeninfo *var, > >> struct cirrusfb_info *cinfo = info->par; > >> unsigned maxclockidx = var->bits_per_pixel >> 3; > >> > >> + if (!var->pixclock) > >> + return -EINVAL; This is not correct: fbdev drivers should round up invalid values, and only return an error if rounding up cannot yield a valid value. > > Shouldn't you be checking further up the call chain where this got set > > to 0? > > The same pixclock check is done in these fb drivers: > > arch/arm/mach-rpc/include/mach/acornfb.h: if (!var->pixclock) > drivers/video/fbdev/asiliantfb.c: if (!var->pixclock) > drivers/video/fbdev/clps711x-fb.c: if (!var->pixclock) > drivers/video/fbdev/core/fbmon.c: if (!var->pixclock) > drivers/video/fbdev/core/modedb.c: if (!var->pixclock) > drivers/video/fbdev/cirrusfb.c: if (!var->pixclock) > drivers/video/fbdev/kyro/fbdev.c: if (!var->pixclock) > drivers/video/fbdev/riva/fbdev.c: if (!var->pixclock) > drivers/video/fbdev/uvesafb.c: if (!var->pixclock) > > > > > What logic allows this to be a valid value? What about all other fb > > drivers? > > The "check_var" function, which is set into the ".fb_check_var" element > of the fb_ops struct, should do the check, but in the case of cirrusfb, > that is not being done. > > All this patch does is add the same pixclock check that the other above > fb drivers do. Indeed, several drivers are not following the rounding rules. Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds