From: Ondrej Zary <linux@zary.sk>
To: Helge Deller <deller@gmx.de>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>,
Zheyu Ma <zheyuma97@gmail.com>,
Linux Fbdev development list <linux-fbdev@vger.kernel.org>,
DRI Development <dri-devel@lists.freedesktop.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [BUG] fbdev: i740fb: Divide error when ‘var->pixclock’ is zero
Date: Tue, 5 Apr 2022 19:46:43 +0200 [thread overview]
Message-ID: <202204051946.43277.linux@zary.sk> (raw)
In-Reply-To: <a564f6af-31fa-79a2-72c3-578f2c095b23@gmx.de>
On Tuesday 05 April 2022 08:33:57 Helge Deller wrote:
> Hello Geert,
>
> On 4/4/22 13:46, Geert Uytterhoeven wrote:
> > Hi Helge,
> >
> > On Sun, Apr 3, 2022 at 5:41 PM Helge Deller <deller@gmx.de> wrote:
> >> On 4/3/22 13:26, Zheyu Ma wrote:
> >>> I found a bug in the function i740fb_set_par().
> >>
> >> Nice catch!
> >>
> >>> When the user calls the ioctl system call without setting the value to
> >>> 'var->pixclock', the driver will throw a divide error.
> >>>
> >>> This bug occurs because the driver uses the value of 'var->pixclock'
> >>> without checking it, as the following code snippet show:
> >>>
> >>> if ((1000000 / var->pixclock) > DACSPEED8) {
> >>> dev_err(info->device, "requested pixclock %i MHz out of range
> >>> (max. %i MHz at 8bpp)\n",
> >>> 1000000 / var->pixclock, DACSPEED8);
> >>> return -EINVAL;x
> >>> }
> >>>
> >>> We can fix this by checking the value of 'var->pixclock' in the
> >>> function i740fb_check_var() similar to commit
> >>> b36b242d4b8ea178f7fd038965e3cac7f30c3f09, or we should set the lowest
> >>> supported value when this field is zero.
> >>> I have no idea about which solution is better.
> >>
> >> Me neither.
> >> I think a solution like commit b36b242d4b8ea178f7fd038965e3cac7f30c3f09
> >> is sufficient.
> >>
> >> Note that i740fb_set_par() is called in i740fb_resume() as well.
> >> Since this doesn't comes form userspace I think adding a check for
> >> the return value there isn't necessary.
> >>
> >> Would you mind sending a patch like b36b242d4b8ea178f7fd038965e3cac7f30c3f09 ?
> >
> > When passed an invalid value, .check_var() is supposed to
> > round up the invalid to a valid value, if possible.
>
> I don't disagree.
> The main problem probably is: what is the next valid value?
> This needs to be analyzed on a per-driver base and ideally tested.
> Right now a division-by-zero is tiggered which is probably more worse.
I still have an i740 card so I can test it.
> That said, currently I'd prefer to apply the zero-checks patches over
> any untested patches. It's easy to revert such checks if a better solution
> becomes available.
>
> Thoughts?
>
> > Commit b36b242d4b8ea178 ("video: fbdev: asiliantfb: Error out if
> > 'pixclock' equals zero") does not do that.
>
> Helge
>
--
Ondrej Zary
WARNING: multiple messages have this Message-ID (diff)
From: Ondrej Zary <linux@zary.sk>
To: Helge Deller <deller@gmx.de>
Cc: Linux Fbdev development list <linux-fbdev@vger.kernel.org>,
Zheyu Ma <zheyuma97@gmail.com>,
Geert Uytterhoeven <geert@linux-m68k.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
DRI Development <dri-devel@lists.freedesktop.org>
Subject: Re: [BUG] fbdev: i740fb: Divide error when ‘var->pixclock’ is zero
Date: Tue, 5 Apr 2022 19:46:43 +0200 [thread overview]
Message-ID: <202204051946.43277.linux@zary.sk> (raw)
In-Reply-To: <a564f6af-31fa-79a2-72c3-578f2c095b23@gmx.de>
On Tuesday 05 April 2022 08:33:57 Helge Deller wrote:
> Hello Geert,
>
> On 4/4/22 13:46, Geert Uytterhoeven wrote:
> > Hi Helge,
> >
> > On Sun, Apr 3, 2022 at 5:41 PM Helge Deller <deller@gmx.de> wrote:
> >> On 4/3/22 13:26, Zheyu Ma wrote:
> >>> I found a bug in the function i740fb_set_par().
> >>
> >> Nice catch!
> >>
> >>> When the user calls the ioctl system call without setting the value to
> >>> 'var->pixclock', the driver will throw a divide error.
> >>>
> >>> This bug occurs because the driver uses the value of 'var->pixclock'
> >>> without checking it, as the following code snippet show:
> >>>
> >>> if ((1000000 / var->pixclock) > DACSPEED8) {
> >>> dev_err(info->device, "requested pixclock %i MHz out of range
> >>> (max. %i MHz at 8bpp)\n",
> >>> 1000000 / var->pixclock, DACSPEED8);
> >>> return -EINVAL;x
> >>> }
> >>>
> >>> We can fix this by checking the value of 'var->pixclock' in the
> >>> function i740fb_check_var() similar to commit
> >>> b36b242d4b8ea178f7fd038965e3cac7f30c3f09, or we should set the lowest
> >>> supported value when this field is zero.
> >>> I have no idea about which solution is better.
> >>
> >> Me neither.
> >> I think a solution like commit b36b242d4b8ea178f7fd038965e3cac7f30c3f09
> >> is sufficient.
> >>
> >> Note that i740fb_set_par() is called in i740fb_resume() as well.
> >> Since this doesn't comes form userspace I think adding a check for
> >> the return value there isn't necessary.
> >>
> >> Would you mind sending a patch like b36b242d4b8ea178f7fd038965e3cac7f30c3f09 ?
> >
> > When passed an invalid value, .check_var() is supposed to
> > round up the invalid to a valid value, if possible.
>
> I don't disagree.
> The main problem probably is: what is the next valid value?
> This needs to be analyzed on a per-driver base and ideally tested.
> Right now a division-by-zero is tiggered which is probably more worse.
I still have an i740 card so I can test it.
> That said, currently I'd prefer to apply the zero-checks patches over
> any untested patches. It's easy to revert such checks if a better solution
> becomes available.
>
> Thoughts?
>
> > Commit b36b242d4b8ea178 ("video: fbdev: asiliantfb: Error out if
> > 'pixclock' equals zero") does not do that.
>
> Helge
>
--
Ondrej Zary
next prev parent reply other threads:[~2022-04-06 1:00 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-03 11:26 [BUG] fbdev: i740fb: Divide error when ‘var->pixclock’ is zero Zheyu Ma
2022-04-03 11:26 ` Zheyu Ma
2022-04-03 15:02 ` Helge Deller
2022-04-03 15:02 ` Helge Deller
2022-04-03 15:30 ` Zheyu Ma
2022-04-04 11:46 ` Geert Uytterhoeven
2022-04-04 11:46 ` Geert Uytterhoeven
2022-04-05 6:33 ` Helge Deller
2022-04-05 6:33 ` Helge Deller
2022-04-05 6:52 ` Geert Uytterhoeven
2022-04-05 6:52 ` Geert Uytterhoeven
2022-04-05 17:46 ` Ondrej Zary [this message]
2022-04-05 17:46 ` Ondrej Zary
2022-04-05 18:23 ` Helge Deller
2022-04-05 18:23 ` Helge Deller
2022-04-06 1:24 ` Zheyu Ma
2022-04-06 1:24 ` Zheyu Ma
2022-04-07 15:50 ` Helge Deller
2022-04-07 15:50 ` Helge Deller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202204051946.43277.linux@zary.sk \
--to=linux@zary.sk \
--cc=deller@gmx.de \
--cc=dri-devel@lists.freedesktop.org \
--cc=geert@linux-m68k.org \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=zheyuma97@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.