patches.lists.linux.dev archive mirror
From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Jocelyn Falempe <jfalempe@redhat.com>,
	Javier Martinez Canillas <javierm@redhat.com>,
	Sasha Levin <sashal@kernel.org>,
	maarten.lankhorst@linux.intel.com, mripard@kernel.org,
	tzimmermann@suse.de, dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 6.17-6.12] drm/panic: Fix divide by 0 if the screen width < font width
Date: Tue, 28 Oct 2025 08:48:09 -0400
Message-ID: <20251028124815.1058740-9-sashal@kernel.org>
In-Reply-To: <20251028124815.1058740-1-sashal@kernel.org>

From: Jocelyn Falempe <jfalempe@redhat.com>

[ Upstream commit 2e337dd278c6c38982b520c309f36e0f88696e6e ]

In the unlikely case that the screen is tiny, and smaller than the
font width, it leads to a divide by 0:

draw_line_with_wrap()
chars_per_row = sb->width / font->width = 0
line_wrap.len = line->len % chars_per_row;

This will trigger a divide by 0

Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Link: https://lore.kernel.org/r/20251009122955.562888-6-jfalempe@redhat.com
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

Based on my comprehensive analysis of the Linux kernel repository using
multiple tools, here is my assessment:

## **Backport Status: YES**

### Analysis Summary

I used the following tools and methods to analyze this commit:
1. **git log/show**: To examine commit history, dates, and affected
   versions
2. **Read tool**: To examine the actual code and understand the bug
   context
3. **Grep tool**: To trace function calls and usage patterns
4. **git tag analysis**: To determine version impact (v6.11 through
   v6.17 affected)

### Detailed Findings

#### 1. **Bug Severity - HIGH PRIORITY**
- **Type**: Divide-by-zero crash in kernel panic handler
- **Location**: `drivers/gpu/drm/drm_panic.c:479` and `484`
- **Call chain discovered**:
  - `drm_panic()` (panic callback) →
  - `draw_panic_plane()` →
  - `draw_panic_dispatch()` →
  - `draw_panic_static_kmsg()` →
  - `draw_line_with_wrap()` (where crash occurs at lines 479 and 484)

**Critical Impact**: When a kernel panic occurs, the system attempts to
display panic information on screen. If `sb->width < font->width`, then
`chars_per_row = sb->width / font->width = 0`, leading to `line_wrap.len
= line->len % 0` which triggers a divide-by-zero exception **during
panic handling**. This prevents users from seeing any panic information.

#### 2. **Scope Analysis - SMALL AND CONTAINED**
- **Files changed**: 1 file (`drivers/gpu/drm/drm_panic.c`)
- **Lines changed**: 1 line (adding condition `|| font->width >
  sb->width`)
- **Change type**: Defensive check only, no behavioral changes to normal
  path
- **Fix location**: Line 523, adding early return condition

#### 3. **Version Impact - SIGNIFICANT RANGE**
- **Introduced in**: v6.11 (commit `54034bebb22fd`, June 2024 -
  "drm/panic: Add a kmsg panic screen")
- **Affected versions**: v6.11, v6.12, v6.13, v6.14, v6.15, v6.16, v6.17
- **Fixed in**: v6.18-rc3 (October 2025)
- **Backport target**: All stable trees from v6.11 onwards

#### 4. **Risk Assessment - MINIMAL**
- **Risk of regression**: Very low - only adds a safety check
- **Side effects**: None - function returns early if condition met
- **Testing**: The fix prevents a crash path; no valid use case affected
- **Font width range**: 4-16 pixels (from my analysis of `lib/fonts/`)
- **Trigger condition**: Screen width < 4 pixels (extremely rare but
  possible with embedded/weird displays)

#### 5. **Subsystem Context - MATURING FEATURE**
My analysis revealed:
- **drm/panic introduced**: v6.10 (April 2024) - relatively new
  subsystem
- **Bug count**: Found 23 "drm/panic: Fix" commits since June 2024
- **Pattern**: This is part of ongoing stabilization of a new feature
- **Similar fixes**: Multiple other drawing/bounds checking fixes in
  same timeframe

#### 6. **Stable Tree Compliance - MEETS ALL CRITERIA**
✅ **Fixes a real bug**: Divide-by-zero crash
✅ **Small change**: 1-line modification
✅ **Low regression risk**: Only adds defensive check
✅ **No new features**: Pure bug fix
✅ **No architectural changes**: Localized to one function
✅ **Already reviewed**: Has Reviewed-by tag from Javier Martinez
Canillas
❌ **Missing stable tag**: No "Cc: stable@vger.kernel.org" (but this
doesn't disqualify it)

### Code-Specific Analysis

**Original vulnerable code** (line 479):
```c
int chars_per_row = sb->width / font->width;  // Can be 0!
```

**Crash trigger** (line 484):
```c
// Divide by 0 if chars_per_row == 0
line_wrap.len = line->len % chars_per_row;
```

**Fix applied** (line 523):
```c
- if (!font)
+       if (!font || font->width > sb->width)
                return;
```

This simple check prevents entering the drawing code path when the
screen is too narrow, avoiding the divide-by-zero entirely.

### Recommendation Rationale

Despite the "unlikely" scenario mentioned in the commit message, this
should be backported because:

1. **Critical code path**: Occurs during panic handling when system
   stability is already compromised
2. **Clean fix**: Minimal, obvious, and safe change
3. **Subsystem maturity**: drm/panic is new and actively being
   stabilized with multiple fixes
4. **No downsides**: Zero risk of breaking working configurations
5. **Completeness**: Part of a series of drawing boundary fixes that
   should all be backported together

The commit follows the stable kernel rule: "It must fix a real bug that
bothers people" - while rare, a crash during panic display is a serious
issue that prevents debugging.

### Similar Commits for Reference
Other drm/panic fixes from same timeframe that should also be
considered:
- `a119caf6af5ed`: "Fix 24bit pixel crossing page boundaries"
- `16ded1e690422`: "Fix drawing the logo on a small narrow screen"
- `e9b36fe063004`: "Fix kmsg text drawing rectangle"

**CONCLUSION**: This commit should be backported to all stable trees
containing the drm/panic kmsg screen feature (v6.11+).

 drivers/gpu/drm/drm_panic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_panic.c b/drivers/gpu/drm/drm_panic.c
index ea6a64e5ddd76..4c994656ea1ab 100644
--- a/drivers/gpu/drm/drm_panic.c
+++ b/drivers/gpu/drm/drm_panic.c
@@ -520,7 +520,7 @@ static void draw_panic_static_kmsg(struct drm_scanout_buffer *sb)
 	struct drm_panic_line line;
 	int yoffset;
 
-	if (!font)
+	if (!font || font->width > sb->width)
 		return;
 
 	yoffset = sb->height - font->height - (sb->height % font->height) / 2;
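
Review bot: The new guard tests only the horizontal dimension, while the unchanged line directly after it computes yoffset as sb->height - font->height - ..., which goes negative when the font is taller than the screen. If that case is not already rejected before this function is reached, consider extending the condition to `!font || font->width > sb->width || font->height > sb->height`. Since the division named in the commit message lives in draw_line_with_wrap() rather than here, a one-line comment stating that the width test protects chars_per_row in that callee would help keep the two in sync.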
-- 
2.51.0

