Date: Thu, 28 Oct 2021 17:04:19 +0300
From: Ville Syrjälä
To: George Kennedy
Cc: gregkh@linuxfoundation.org, maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@linux.ie, daniel@ffwll.ch, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drm: check drm_format_info hsub and vsub to avoid divide by zero

On Thu, Oct 28, 2021 at 08:57:17AM -0500, George Kennedy wrote:
> Do a sanity check on struct drm_format_info hsub and vsub values to
> avoid divide by zero.
>
> Syzkaller reported a divide error in framebuffer_check() when the
> DRM_FORMAT_Q410 or DRM_FORMAT_Q401 pixel_format is passed in via
> the DRM_IOCTL_MODE_ADDFB2 ioctl. The drm_format_info struct for
> the DRM_FORMAT_Q410 pixel_pattern has ".hsub = 0" and ".vsub = 0".
> fb_plane_width() uses hsub as a divisor and fb_plane_height() uses
> vsub as a divisor. These divisors need to be sanity checked for
> zero before use.
>
> divide error: 0000 [#1] SMP KASAN NOPTI
> CPU: 0 PID: 14995 Comm: syz-executor709 Not tainted 5.15.0-rc6-syzk #1
> Hardware name: Red Hat KVM, BIOS 1.13.0-2
> RIP: 0010:framebuffer_check drivers/gpu/drm/drm_framebuffer.c:199 [inline]
> RIP: 0010:drm_internal_framebuffer_create+0x604/0xf90
> drivers/gpu/drm/drm_framebuffer.c:317
>
> Call Trace:
> drm_mode_addfb2+0xdc/0x320 drivers/gpu/drm/drm_framebuffer.c:355
> drm_mode_addfb2_ioctl+0x2a/0x40 drivers/gpu/drm/drm_framebuffer.c:391
> drm_ioctl_kernel+0x23a/0x2e0 drivers/gpu/drm/drm_ioctl.c:795
> drm_ioctl+0x589/0xac0 drivers/gpu/drm/drm_ioctl.c:898
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:874 [inline]
> __se_sys_ioctl fs/ioctl.c:860 [inline]
> __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Signed-off-by: George Kennedy
> ---
> drivers/gpu/drm/drm_framebuffer.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c
> index 07f5abc..a146e4b 100644
> --- a/drivers/gpu/drm/drm_framebuffer.c
> +++ b/drivers/gpu/drm/drm_framebuffer.c
> @@ -195,6 +195,16 @@ static int framebuffer_check(struct drm_device *dev, > /* now let the driver pick its own format info */ > info = drm_get_format_info(dev, r); > > + if (info->hsub == 0) { > + DRM_DEBUG_KMS("bad horizontal chroma subsampling factor %u\n", info->hsub); > + return -EINVAL; > + } > + > + if (info->vsub == 0) { > + DRM_DEBUG_KMS("bad vertical chroma subsampling factor %u\n", info->vsub); > + return -EINVAL; > + } Looks like duct tape to me. I think we need to either fix those formats to have valid format info, or just revert the whole patch that added such broken things. > + > for (i = 0; i < info->num_planes; i++) { > unsigned int width = fb_plane_width(r->width, info, i); > unsigned int height = fb_plane_height(r->height, info, i); > -- > 1.8.3.1 -- Ville Syrj?l? Intel
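Review bot: the two debug messages in the added checks after drm_get_format_info() in framebuffer_check() print info->hsub and info->vsub, which are always 0 on the path that reaches them, so the log line does not identify what was rejected. Printing the requested format (r->pixel_format) would make the -EINVAL diagnosable, and the two tests can be folded into one `if (!info->hsub || !info->vsub)`. The guard also covers only this caller: the commit message says the divisions happen inside fb_plane_width() and fb_plane_height(), so a format entry with ".hsub = 0" or ".vsub = 0" remains a divide-by-zero hazard for any code that reaches those divisors without passing through this check, and with this guard in place DRM_FORMAT_Q410 and DRM_FORMAT_Q401 can never pass ADDFB2. If those formats are meant to be usable, giving their drm_format_info entries non-zero subsampling factors removes the need for the check; if the check is kept as defence in depth, a comment stating that a zero factor indicates a broken format table entry would document the intent.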