From patchwork Mon Apr 4 08:47:17 2022
X-Patchwork-Submitter: Zheyu Ma
X-Patchwork-Id: 12799986
From: Zheyu Ma
To: deller@gmx.de
Subject: [PATCH 1/7] video: fbdev: i740fb: Error out if 'pixclock' equals zero
Date: Mon, 4 Apr 2022 16:47:17 +0800
Message-Id: <20220404084723.79089-2-zheyuma97@gmail.com>
In-Reply-To: <20220404084723.79089-1-zheyuma97@gmail.com>
Cc: linux-fbdev@vger.kernel.org, Zheyu Ma, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org

The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'pixclock', it may cause divide error.

Fix this by checking whether 'pixclock' is zero in the function i740fb_check_var().

The following log reveals it:

divide error: 0000 [#1] PREEMPT SMP KASAN PTI
RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline]
RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739
Call Trace:
 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036
 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]

Signed-off-by: Zheyu Ma
---
 drivers/video/fbdev/i740fb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c index 52cce0db8bd3..b595437a5752 100644 --- a/drivers/video/fbdev/i740fb.c +++ b/drivers/video/fbdev/i740fb.c
@@ -657,6 +657,9 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var, static int i740fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) { + if (!var->pixclock) + return -EINVAL; + switch (var->bits_per_pixel) { case 8: var->red.offset = var->green.offset = var->blue.offset = 0;

From patchwork Mon Apr 4 08:47:18 2022
X-Patchwork-Submitter: Zheyu Ma
X-Patchwork-Id: 12799987
From: Zheyu Ma
To: deller@gmx.de
Subject: [PATCH 2/7] video: fbdev: neofb: Fix the check of 'var->pixclock'
Date: Mon, 4 Apr 2022 16:47:18 +0800
Message-Id: <20220404084723.79089-3-zheyuma97@gmail.com>
In-Reply-To: <20220404084723.79089-1-zheyuma97@gmail.com>
Cc: linux-fbdev@vger.kernel.org, Zheyu Ma, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org

The previous check against 'var->pixclock' doesn't return -EINVAL when it equals zero, but the driver uses it again, causing the divide error.

Fix this by returning when 'var->pixclock' is zero.

The following log reveals it:

[ 49.704574] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
[ 49.704593] RIP: 0010:neofb_set_par+0x190f/0x49a0
[ 49.704635] Call Trace:
[ 49.704636]
[ 49.704650] fb_set_var+0x604/0xeb0
[ 49.704702] do_fb_ioctl+0x234/0x670
[ 49.704745] fb_ioctl+0xdd/0x130
[ 49.704753] do_syscall_64+0x3b/0x90

Signed-off-by: Zheyu Ma
---
 drivers/video/fbdev/neofb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c index 966df2a07360..28d32cbf496b 100644 --- a/drivers/video/fbdev/neofb.c +++ b/drivers/video/fbdev/neofb.c
@@ -585,7 +585,7 @@ neofb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) DBG("neofb_check_var"); - if (var->pixclock && PICOS2KHZ(var->pixclock) > par->maxClock) + if (!var->pixclock || PICOS2KHZ(var->pixclock) > par->maxClock) return -EINVAL; /* Is the mode larger than the LCD panel? */

From patchwork Mon Apr 4 08:47:19 2022
X-Patchwork-Submitter: Zheyu Ma
X-Patchwork-Id: 12799988
From: Zheyu Ma
To: deller@gmx.de
Subject: [PATCH 3/7] video: fbdev: kyro: Error out if 'lineclock' equals zero
Date: Mon, 4 Apr 2022 16:47:19 +0800
Message-Id: <20220404084723.79089-4-zheyuma97@gmail.com>
In-Reply-To: <20220404084723.79089-1-zheyuma97@gmail.com>
Cc: linux-fbdev@vger.kernel.org, Zheyu Ma, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org

The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'lineclock', it may cause divide error.

Fix this by checking whether 'lineclock' is zero.

The following log reveals it:

[ 33.404918] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
[ 33.404932] RIP: 0010:kyrofb_set_par+0x30d/0xd80
[ 33.404976] Call Trace:
[ 33.404978]
[ 33.404987] fb_set_var+0x604/0xeb0
[ 33.405038] do_fb_ioctl+0x234/0x670
[ 33.405083] fb_ioctl+0xdd/0x130
[ 33.405091] do_syscall_64+0x3b/0x90

Signed-off-by: Zheyu Ma
---
 drivers/video/fbdev/kyro/fbdev.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/video/fbdev/kyro/fbdev.c b/drivers/video/fbdev/kyro/fbdev.c index 25801e8e3f74..d57772f96ad2 100644 --- a/drivers/video/fbdev/kyro/fbdev.c +++ b/drivers/video/fbdev/kyro/fbdev.c
@@ -494,6 +494,8 @@ static int kyrofb_set_par(struct fb_info *info) info->var.hsync_len + info->var.left_margin)) / 1000; + if (!lineclock) + return -EINVAL; /* time for a frame in ns (precision in 32bpp) */ frameclock = lineclock * (info->var.yres +

From patchwork Mon Apr 4 08:47:20 2022
X-Patchwork-Submitter: Zheyu Ma
X-Patchwork-Id: 12799989
From: Zheyu Ma
To: deller@gmx.de
Subject: [PATCH 4/7] video: fbdev: vt8623fb: Error out if 'pixclock' equals zero
Date: Mon, 4 Apr 2022 16:47:20 +0800
Message-Id: <20220404084723.79089-5-zheyuma97@gmail.com>
In-Reply-To: <20220404084723.79089-1-zheyuma97@gmail.com>
Cc: linux-fbdev@vger.kernel.org, Zheyu Ma, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org

The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'pixclock', it may cause divide error.

Fix this by checking whether 'pixclock' is zero in the function vt8623fb_check_var().

The following log reveals it:

[ 47.778727] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
[ 47.778803] RIP: 0010:vt8623fb_set_par+0xecd/0x2210
[ 47.778870] Call Trace:
[ 47.778872]
[ 47.778909] fb_set_var+0x604/0xeb0
[ 47.778995] do_fb_ioctl+0x234/0x670
[ 47.779041] fb_ioctl+0xdd/0x130
[ 47.779048] do_syscall_64+0x3b/0x90

Signed-off-by: Zheyu Ma
---
 drivers/video/fbdev/vt8623fb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/vt8623fb.c b/drivers/video/fbdev/vt8623fb.c index 7a959e5ba90b..a92a8c670cf0 100644 --- a/drivers/video/fbdev/vt8623fb.c +++ b/drivers/video/fbdev/vt8623fb.c
@@ -321,6 +321,9 @@ static int vt8623fb_check_var(struct fb_var_screeninfo *var, struct fb_info *inf { int rv, mem, step; + if (!var->pixclock) + return -EINVAL; + /* Find appropriate format */ rv = svga_match_format (vt8623fb_formats, var, NULL); if (rv < 0)

From patchwork Mon Apr 4 08:47:21 2022
X-Patchwork-Submitter: Zheyu Ma
X-Patchwork-Id: 12799990
From: Zheyu Ma
To: deller@gmx.de
Subject: [PATCH 5/7] video: fbdev: tridentfb: Error out if 'pixclock' equals zero
Date: Mon, 4 Apr 2022 16:47:21 +0800
Message-Id: <20220404084723.79089-6-zheyuma97@gmail.com>
In-Reply-To: <20220404084723.79089-1-zheyuma97@gmail.com>
Cc: linux-fbdev@vger.kernel.org, Zheyu Ma, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org

The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'pixclock', it may cause divide error.

Fix this by checking whether 'pixclock' is zero.

The following log reveals it:

[ 38.260715] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
[ 38.260733] RIP: 0010:tridentfb_check_var+0x853/0xe60
[ 38.260791] Call Trace:
[ 38.260793]
[ 38.260796] fb_set_var+0x367/0xeb0
[ 38.260879] do_fb_ioctl+0x234/0x670
[ 38.260922] fb_ioctl+0xdd/0x130
[ 38.260930] do_syscall_64+0x3b/0x90

Signed-off-by: Zheyu Ma
---
 drivers/video/fbdev/tridentfb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/tridentfb.c b/drivers/video/fbdev/tridentfb.c index 4d20cb557ff0..319131bd72cf 100644 --- a/drivers/video/fbdev/tridentfb.c +++ b/drivers/video/fbdev/tridentfb.c
@@ -996,6 +996,9 @@ static int tridentfb_check_var(struct fb_var_screeninfo *var, int ramdac = 230000; /* 230MHz for most 3D chips */ debug("enter\n"); + if (!var->pixclock) + return -EINVAL; + /* check color depth */ if (bpp == 24) bpp = var->bits_per_pixel = 32;

From patchwork Mon Apr 4 08:47:22 2022
X-Patchwork-Submitter: Zheyu Ma
X-Patchwork-Id: 12800012
From: Zheyu Ma
To: deller@gmx.de
Subject: [PATCH 6/7] video: fbdev: arkfb: Error out if 'pixclock' equals zero
Date: Mon, 4 Apr 2022 16:47:22 +0800
Message-Id: <20220404084723.79089-7-zheyuma97@gmail.com>
In-Reply-To: <20220404084723.79089-1-zheyuma97@gmail.com>
Cc: linux-fbdev@vger.kernel.org, Zheyu Ma, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org

The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'pixclock', it may cause divide error.

Fix this by checking whether 'pixclock' is zero.

The following log reveals it:

[ 76.603696] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
[ 76.603712] RIP: 0010:arkfb_set_par+0x10fc/0x24f0
[ 76.603762] Call Trace:
[ 76.603764]
[ 76.603773] fb_set_var+0x604/0xeb0
[ 76.603827] do_fb_ioctl+0x234/0x670
[ 76.603873] fb_ioctl+0xdd/0x130
[ 76.603881] do_syscall_64+0x3b/0x90

Signed-off-by: Zheyu Ma
---
 drivers/video/fbdev/arkfb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/arkfb.c b/drivers/video/fbdev/arkfb.c index edf169d0816e..eb3e47c58c5f 100644 --- a/drivers/video/fbdev/arkfb.c +++ b/drivers/video/fbdev/arkfb.c
@@ -566,6 +566,9 @@ static int arkfb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) { int rv, mem, step; + if (!var->pixclock) + return -EINVAL; + /* Find appropriate format */ rv = svga_match_format (arkfb_formats, var, NULL); if (rv < 0)

From patchwork Mon Apr 4 08:47:23 2022
X-Patchwork-Submitter: Zheyu Ma
X-Patchwork-Id: 12800013
From: Zheyu Ma
To: deller@gmx.de
Subject: [PATCH 7/7] video: fbdev: s3fb: Error out if 'pixclock' equals zero
Date: Mon, 4 Apr 2022 16:47:23 +0800
Message-Id: <20220404084723.79089-8-zheyuma97@gmail.com>
In-Reply-To: <20220404084723.79089-1-zheyuma97@gmail.com>
Cc: linux-fbdev@vger.kernel.org, Zheyu Ma, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org

The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'pixclock', it may cause divide error.

Fix this by checking whether 'pixclock' is zero in s3fb_check_var().

The following log reveals it:

[ 511.141561] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
[ 511.141607] RIP: 0010:s3fb_check_var+0x3f3/0x530
[ 511.141693] Call Trace:
[ 511.141695]
[ 511.141716] fb_set_var+0x367/0xeb0
[ 511.141815] do_fb_ioctl+0x234/0x670
[ 511.141876] fb_ioctl+0xdd/0x130
[ 511.141888] do_syscall_64+0x3b/0x90

Signed-off-by: Zheyu Ma
---
 drivers/video/fbdev/s3fb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/s3fb.c b/drivers/video/fbdev/s3fb.c index 5c74253e7b2c..b93c8eb02336 100644 --- a/drivers/video/fbdev/s3fb.c +++ b/drivers/video/fbdev/s3fb.c @@ -549,6 +549,9 @@ static int s3fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) int rv, mem, step; u16 m, n, r; + if (!var->pixclock) + return -EINVAL; + /* Find appropriate format */ rv = svga_match_format (s3fb_formats, var, NULL);
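
Review bot: in the i740fb hunk ([PATCH 1/7]), the new 'if (!var->pixclock)' guard at the top of i740fb_check_var() has no comment, and the division it protects is in a different function: the log in the commit message places the fault in i740fb_decode_var() (i740fb.c:444), inlined into i740fb_set_par(). A one-line comment naming that consumer would keep the guard from being removed as apparently dead code in a later cleanup. It is also worth confirming that every caller of i740fb_decode_var() runs i740fb_check_var() on the same var first.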
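
Review bot: in the neofb hunk ([PATCH 2/7]), replacing 'var->pixclock &&' with '!var->pixclock ||' changes what neofb_check_var() accepts, not only how it fails: a zero pixclock used to skip the maxClock comparison and pass, and it now returns -EINVAL. The commit message should state that this is intended and that nothing relies on passing 0 through this check. The new condition also depends on short-circuit evaluation to keep PICOS2KHZ() from being evaluated with zero, so the two operands have to stay in this order.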
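
Review bot: in the kyro hunk ([PATCH 3/7]), the zero test sits in kyrofb_set_par(), after lineclock has been computed from info->var, so the mode is refused only after it has been accepted and stored. Rejecting the timing in the driver's check_var callback, as the other patches in this series do, would fail earlier and leave info->var untouched. If the test has to stay here because lineclock can truncate to zero after the '/ 1000' even when pixclock is non-zero, say so in a comment, and add a blank line between 'return -EINVAL;' and the following '/* time for a frame in ns ... */' comment.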
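
Review bot: in the s3fb hunk ([PATCH 7/7]), the three added lines at the top of s3fb_check_var() are identical to the ones added to i740fb, vt8623fb, tridentfb and arkfb earlier in the series. Five copies of the same guard suggest a shared helper, or at least a sentence in the series description on why the test cannot live in the common fb_set_var() path that appears in every trace. Without that, the next driver with the same division needs its own patch.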