From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Guangshuo Li <lgs201920130244@gmail.com>,
Helge Deller <deller@gmx.de>
Subject: [PATCH 6.12 33/42] fbdev: rivafb: fix divide error in nv3_arb()
Date: Tue, 17 Feb 2026 21:32:24 +0100 [thread overview]
Message-ID: <20260217200007.267906954@linuxfoundation.org> (raw)
In-Reply-To: <20260217200005.998240758@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
commit 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 upstream.
A userspace program can trigger the RIVA NV3 arbitration code by calling
the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver
recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz
(derived from the PRAMDAC MCLK PLL) as a divisor without validating it
first.
In a normal setup, state->mclk_khz is provided by the real hardware and is
non-zero. However, an attacker can construct a malicious or misconfigured
device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL
configuration, causing state->mclk_khz to become zero. Once
nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns
calculation causes a divide error and crashes the kernel.
Fix this by checking whether state->mclk_khz is zero and bailing out before
doing the division.
The following log reveals it:
rivafb: setting virtual Y resolution to 2184
divide error: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]
RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546
Call Trace:
nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603
nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]
CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246
riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779
rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196
fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033
do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109
fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188
__x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/riva/riva_hw.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/video/fbdev/riva/riva_hw.c
+++ b/drivers/video/fbdev/riva/riva_hw.c
@@ -436,6 +436,9 @@ static char nv3_arb(nv3_fifo_info * res_
vmisses = 2;
eburst_size = state->memory_width * 1;
mburst_size = 32;
+ if (!state->mclk_khz)
+ return (0);
+
gns = 1000000 * (gmisses*state->mem_page_miss + state->mem_latency)/state->mclk_khz;
ainfo->by_gfacc = gns*ainfo->gdrain_rate/1000000;
ainfo->wcmocc = 0;
next prev parent reply other threads:[~2026-02-17 20:54 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-17 20:31 [PATCH 6.12 00/42] 6.12.74-rc1 review Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 01/42] scsi: qla2xxx: Fix bsg_done() causing double free Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 02/42] bnxt_en: Change FW message timeout warning Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 03/42] bnxt_en: hide CONFIG_DETECT_HUNG_TASK specific code Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 04/42] bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 05/42] bus: fsl-mc: fix use-after-free in driver_override_show() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 06/42] ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 07/42] ASoC: amd: yc: Add ASUS ExpertBook PM1503CDA to quirks list Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.12 08/42] gpio: sprd: Change sprd_gpio lock to raw_spin_lock Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 09/42] ALSA: hda/realtek: Add quirk for Inspur S14-G1 Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 10/42] ASoC: cs35l45: Corrects ASP_TX5 DAPM widget channel Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 11/42] ALSA: hda/realtek - fixed speaker no sound Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 12/42] romfs: check sb_set_blocksize() return value Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 13/42] =?UTF-8?q?drm/tegra:=20hdmi:=20sor:=20Fix=20error:=20variable=20?= =?UTF-8?q?=E2=80=98j=E2=80=99=20set=20but=20not=20used?= Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 14/42] platform/x86: classmate-laptop: Add missing NULL pointer checks Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 15/42] ASoC: Intel: sof_es8336: Add DMI quirk for Huawei BOD-WXX9 Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 16/42] ASoC: amd: yc: Add quirk for HP 200 G2a 16 Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 17/42] ALSA: hda/realtek: Enable headset mic for Acer Nitro 5 Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 18/42] platform/x86/amd/pmc: Add quirk for MECHREVO Wujie 15X Pro Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 19/42] platform/x86: panasonic-laptop: Fix sysfs group leak in error path Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 20/42] ASoC: cs42l43: Correct handling of 3-pole jack load detection Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 21/42] tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 22/42] drm/amd/display: extend delta clamping logic to CM3 LUT helper Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 23/42] drm/amd/display: remove assert around dpp_base replacement Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 24/42] ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 25/42] gpiolib: acpi: Fix gpio count with string references Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 26/42] mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 27/42] mm/hugetlb: fix hugetlb_pmd_shared() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 28/42] mm/hugetlb: fix two comments related to huge_pmd_unshare() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 29/42] mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 30/42] LoongArch: Rework KASAN initialization for PTW-enabled systems Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 31/42] Revert "wireguard: device: enable threaded NAPI" Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 32/42] cpuset: Fix missing adaptation for cpuset_is_populated Greg Kroah-Hartman
2026-02-17 20:32 ` Greg Kroah-Hartman [this message]
2026-02-17 20:32 ` [PATCH 6.12 34/42] fbdev: smscufx: properly copy ioctl memory to kernelspace Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 35/42] f2fs: fix to add gc count stat in f2fs_gc_range Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 36/42] f2fs: fix to check sysfs filename w/ gc_pin_file_thresh correctly Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 37/42] f2fs: fix out-of-bounds access in sysfs attribute read/write Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 38/42] f2fs: fix to avoid mapping wrong physical block for swapfile Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 39/42] iommu/arm-smmu-qcom: do not register driver in probe() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 40/42] f2fs: fix to avoid UAF in f2fs_write_end_io() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 41/42] f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.12 42/42] USB: serial: option: add Telit FN920C04 RNDIS compositions Greg Kroah-Hartman
2026-02-17 22:51 ` [PATCH 6.12 00/42] 6.12.74-rc1 review Florian Fainelli
2026-02-18 3:02 ` Peter Schneider
2026-02-18 8:22 ` Jon Hunter
2026-02-18 9:09 ` Brett A C Sheffield
2026-02-18 9:11 ` Pavel Machek
2026-02-18 12:51 ` Francesco Dolcini
2026-02-18 23:43 ` Mark Brown
2026-02-19 6:33 ` Ron Economos
2026-02-19 9:20 ` Harshit Mogalapalli
2026-02-19 12:36 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260217200007.267906954@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=deller@gmx.de \
--cc=lgs201920130244@gmail.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox