From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Zheyu Ma <zheyuma97@gmail.com>,
Helge Deller <deller@gmx.de>,
Stefan Ghinea <stefan.ghinea@windriver.com>
Subject: [PATCH 5.10 24/39] video: fbdev: i740fb: Error out if pixclock equals zero
Date: Wed, 21 Sep 2022 17:46:29 +0200 [thread overview]
Message-ID: <20220921153646.522403400@linuxfoundation.org> (raw)
In-Reply-To: <20220921153645.663680057@linuxfoundation.org>
From: Zheyu Ma <zheyuma97@gmail.com>
commit 15cf0b82271b1823fb02ab8c377badba614d95d5 upstream.
The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of 'pixclock',
it may cause divide error.
Fix this by checking whether 'pixclock' is zero in the function
i740fb_check_var().
The following log reveals it:
divide error: 0000 [#1] PREEMPT SMP KASAN PTI
RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline]
RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739
Call Trace:
fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036
do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112
fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/i740fb.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/video/fbdev/i740fb.c
+++ b/drivers/video/fbdev/i740fb.c
@@ -662,6 +662,9 @@ static int i740fb_decode_var(const struc
static int i740fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info)
{
+ if (!var->pixclock)
+ return -EINVAL;
+
switch (var->bits_per_pixel) {
case 8:
var->red.offset = var->green.offset = var->blue.offset = 0;
next prev parent reply other threads:[~2022-09-21 15:58 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-21 15:46 [PATCH 5.10 00/39] 5.10.145-rc1 review Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 01/39] KVM: PPC: Book3S HV: Context tracking exit guest context before enabling irqs Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 02/39] KVM: PPC: Tick accounting should defer vtime accounting til after IRQ handling Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 03/39] serial: 8250: Fix reporting real baudrate value in c_ospeed field Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 04/39] parisc: Optimize per-pagetable spinlocks Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 05/39] parisc: Flush kernel data mapping in set_pte_at() when installing pte for user page Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 06/39] dmaengine: bestcomm: fix system boot lockups Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 07/39] powerpc/pseries/mobility: refactor node lookup during DT update Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 08/39] powerpc/pseries/mobility: ignore ibm, platform-facilities updates Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 09/39] usb: cdns3: gadget: fix new urb never complete if ep cancel previous requests Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 10/39] platform/x86/intel: hid: add quirk to support Surface Go 3 Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 11/39] net: dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 12/39] of: fdt: fix off-by-one error in unflatten_dt_nodes() Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 13/39] pinctrl: sunxi: Fix name for A100 R_PIO Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 14/39] NFSv4: Turn off open-by-filehandle and NFS re-export for NFSv4.0 Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 15/39] gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in mpc85xx Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 16/39] drm/meson: Correct OSD1 global alpha value Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 17/39] drm/meson: Fix OSD1 RGB to YCbCr coefficient Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 18/39] parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 19/39] tracing: hold caller_addr to hardirq_{enable,disable}_ip Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 20/39] of/device: Fix up of_dma_configure_id() stub Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 21/39] cifs: revalidate mapping when doing direct writes Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 22/39] cifs: dont send down the destination address to sendmsg for a SOCK_STREAM Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 23/39] tools/include/uapi: Fix <asm/errno.h> for parisc and xtensa Greg Kroah-Hartman
2022-09-21 15:46 ` Greg Kroah-Hartman [this message]
2022-09-21 15:46 ` [PATCH 5.10 25/39] Revert "serial: 8250: Fix reporting real baudrate value in c_ospeed field" Greg Kroah-Hartman
2022-09-21 20:05 ` Pavel Machek
2022-09-22 6:59 ` Greg Kroah-Hartman
2022-09-25 15:20 ` Sasha Levin
2022-09-21 15:46 ` [PATCH 5.10 26/39] ASoC: nau8824: Fix semaphore unbalance at error paths Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 27/39] regulator: pfuze100: Fix the global-out-of-bounds access in pfuze100_regulator_probe() Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 28/39] rxrpc: Fix local destruction being repeated Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 29/39] rxrpc: Fix calc of resend age Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 30/39] wifi: mac80211_hwsim: check length for virtio packets Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 31/39] ALSA: hda/sigmatel: Keep power up while beep is enabled Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 32/39] ALSA: hda/tegra: Align BDL entry to 4KB boundary Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 33/39] net: usb: qmi_wwan: add Quectel RM520N Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 34/39] afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 35/39] MIPS: OCTEON: irq: Fix octeon_irq_force_ciu_mapping() Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 36/39] mksysmap: Fix the mismatch of L0 symbols in System.map Greg Kroah-Hartman
2022-09-21 20:06 ` Pavel Machek
2022-09-21 15:46 ` [PATCH 5.10 37/39] video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 38/39] cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 39/39] ALSA: hda/sigmatel: Fix unused variable warning for beep power change Greg Kroah-Hartman
2022-09-21 20:03 ` [PATCH 5.10 00/39] 5.10.145-rc1 review Pavel Machek
2022-09-21 20:18 ` Allen Pais
2022-09-21 22:48 ` Florian Fainelli
2022-09-21 22:56 ` Shuah Khan
2022-09-22 9:46 ` Naresh Kamboju
2022-09-22 10:28 ` Sudip Mukherjee (Codethink)
2022-09-22 16:44 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220921153646.522403400@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=deller@gmx.de \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stefan.ghinea@windriver.com \
--cc=zheyuma97@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox