2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-21 11:44:01 +08:00
linux-next/drivers/video/fbdev
Shile Zhang cf84807f6d fbdev: fix divide error in fb_var_to_videomode
To fix following divide-by-zero error found by Syzkaller:

  divide error: 0000 [#1] SMP PTI
  CPU: 7 PID: 8447 Comm: test Kdump: loaded Not tainted 4.19.24-8.al7.x86_64 #1
  Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
  RIP: 0010:fb_var_to_videomode+0xae/0xc0
  Code: 04 44 03 46 78 03 4e 7c 44 03 46 68 03 4e 70 89 ce d1 ee 69 c0 e8 03 00 00 f6 c2 01 0f 45 ce 83 e2 02 8d 34 09 0f 45 ce 31 d2 <41> f7 f0 31 d2 f7 f1 89 47 08 f3 c3 66 0f 1f 44 00 00 0f 1f 44 00
  RSP: 0018:ffffb7e189347bf0 EFLAGS: 00010246
  RAX: 00000000e1692410 RBX: ffffb7e189347d60 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb7e189347c10
  RBP: ffff99972a091c00 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000100
  R13: 0000000000010000 R14: 00007ffd66baf6d0 R15: 0000000000000000
  FS:  00007f2054d11740(0000) GS:ffff99972fbc0000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f205481fd20 CR3: 00000004288a0001 CR4: 00000000001606a0
  Call Trace:
   fb_set_var+0x257/0x390
   ? lookup_fast+0xbb/0x2b0
   ? fb_open+0xc0/0x140
   ? chrdev_open+0xa6/0x1a0
   do_fb_ioctl+0x445/0x5a0
   do_vfs_ioctl+0x92/0x5f0
   ? __alloc_fd+0x3d/0x160
   ksys_ioctl+0x60/0x90
   __x64_sys_ioctl+0x16/0x20
   do_syscall_64+0x5b/0x190
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x7f20548258d7
  Code: 44 00 00 48 8b 05 b9 15 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 15 2d 00 f7 d8 64 89 01 48

It can be triggered easily with following test code:

  #include <linux/fb.h>
  #include <fcntl.h>
  #include <sys/ioctl.h>
  int main(void)
  {
          struct fb_var_screeninfo var = {.activate = 0x100, .pixclock = 60};
          int fd = open("/dev/fb0", O_RDWR);
          if (fd < 0)
                  return 1;

          if (ioctl(fd, FBIOPUT_VSCREENINFO, &var))
                  return 1;

          return 0;
  }

Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
Cc: Fredrik Noring <noring@nocrew.org>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
2019-04-01 17:47:00 +02:00
..
aty fbdev: Use of_node_name_eq for node name comparisons 2019-02-08 19:24:45 +01:00
core fbdev: fix divide error in fb_var_to_videomode 2019-04-01 17:47:00 +02:00
geode video: fbdev: geode: remove ifdef OLPC noise 2019-02-08 19:24:46 +01:00
i810 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
intelfb video: fbdev: intelfb: deprecate pci_get_bus_and_slot() 2018-01-17 08:16:46 -06:00
kyro video: fbdev: kyro: constify pci_device_id. 2017-08-01 17:20:42 +02:00
matrox powerpc, fbdev: Use NV_CMODE and NV_VMODE only when CONFIG_PPC32 && CONFIG_PPC_PMAC && CONFIG_NVRAM 2019-01-22 10:21:45 +01:00
mb862xx treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
mbx fbdev: mbx: fix a misspelled variable name 2019-03-05 12:36:33 +01:00
mmp drivers: video: fbdev: Kconfig: pedantic cleanups 2019-04-01 17:46:57 +02:00
nvidia fbdev changes for v4.18: 2018-06-17 05:00:24 +09:00
omap drivers: video: fbdev: Kconfig: pedantic cleanups 2019-04-01 17:46:57 +02:00
omap2 drivers: video: fbdev: Kconfig: pedantic cleanups 2019-04-01 17:46:57 +02:00
riva treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
savage video: fbdev: savage: fix indentation issue 2019-04-01 17:46:54 +02:00
sis video: fbdev: sis: Remove unnecessary parentheses and commented code 2018-10-08 12:57:36 +02:00
vermilion video: fbdev: vermilion: use 64-bit arithmetic instead of 32-bit 2018-03-12 17:06:54 +01:00
via fbdev/via: fix spelling mistake "Expandsion" -> "Expansion" 2019-02-08 19:24:44 +01:00
68328fb.c video: fbdev: annotate fb_fix_screeninfo with const and __initconst 2017-09-04 16:00:49 +02:00
acornfb.c drivers/video/fbdev: Fixing coding guidelines in acornfb.c 2017-04-07 17:03:24 +02:00
acornfb.h
amba-clcd-nomadik.c fbdev changes for v4.11: 2017-02-25 13:20:22 -08:00
amba-clcd-nomadik.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
amba-clcd-versatile.c video: ARM CLCD: use panel device node for panel initialization 2017-01-30 17:39:48 +01:00
amba-clcd-versatile.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
amba-clcd.c video: ARM CLCD: Improve a size determination in clcdfb_probe() 2018-03-28 16:34:29 +02:00
amifb.c Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
arcfb.c video: fbdev: arcfb: mark expected switch fall-through 2018-10-08 12:57:37 +02:00
arkfb.c video: fbdev: arkfb: constify pci_device_id. 2017-08-01 17:20:42 +02:00
asiliantfb.c video: fbdev: asiliantfb: constify pci_device_id. 2017-08-01 17:20:41 +02:00
atafb_iplan2p2.c fbdev: atafb: Remove obsolete module support 2019-04-01 17:46:55 +02:00
atafb_iplan2p4.c fbdev: atafb: Remove obsolete module support 2019-04-01 17:46:55 +02:00
atafb_iplan2p8.c fbdev: atafb: Remove obsolete module support 2019-04-01 17:46:55 +02:00
atafb_mfb.c fbdev: atafb: Remove obsolete module support 2019-04-01 17:46:55 +02:00
atafb_utils.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atafb.c fbdev: atafb: Modernize printing of kernel messages 2019-04-01 17:46:55 +02:00
atafb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atmel_lcdfb.c video: fbdev: atmel_lcdfb: drop AVR and platform_data support 2019-04-01 17:46:56 +02:00
au1100fb.c fbdev changes for v4.18: 2018-06-17 05:00:24 +09:00
au1100fb.h
au1200fb.c video: fbdev: fix spelling mistake: "frambuffer" -> "framebuffer" 2018-05-15 12:41:11 +02:00
au1200fb.h fbdev: au1200fb: delete duplicate header contents 2018-01-04 16:53:49 +01:00
broadsheetfb.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
bt431.h
bt455.h
bw2.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
c2p_core.h
c2p_iplan2.c
c2p_planar.c
c2p.h
carminefb_regs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
carminefb.c
carminefb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cg3.c fbdev: Use of_node_name_eq for node name comparisons 2019-02-08 19:24:45 +01:00
cg6.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
cg14.c fbdev: Use of_node_name_eq for node name comparisons 2019-02-08 19:24:45 +01:00
chipsfb.c fbdev: chipsfb: remove set but not used variable 'size' 2019-02-08 19:24:45 +01:00
cirrusfb.c video: fbdev: cirrusfb: mark expected switch fall-throughs 2017-11-09 18:09:32 +01:00
clps711x-fb.c video: clps711x-fb: release disp device node in probe() 2018-12-20 19:13:07 +01:00
cobalt_lcdfb.c video: cobalt_lcdfb: constify fb_fix_screeninfo structure 2017-08-01 17:20:39 +02:00
controlfb.c powerpc, fbdev: Use NV_CMODE and NV_VMODE only when CONFIG_PPC32 && CONFIG_PPC_PMAC && CONFIG_NVRAM 2019-01-22 10:21:45 +01:00
controlfb.h fbdev: controlfb: Add missing modes to fix out of bounds access 2017-11-09 18:09:33 +01:00
cyber2000fb.c video: fbdev: make fb_videomode const 2017-09-04 16:00:49 +02:00
cyber2000fb.h
da8xx-fb.c cross-tree: phase out dma_zalloc_coherent() 2019-01-08 07:58:37 -05:00
dnfb.c video/fbdev/dnfb: Use common error handling code in dnfb_probe() 2017-11-09 18:09:31 +01:00
edid.h
efifb.c efifb: BGRT: Add nobgrt option 2018-09-26 18:11:22 +02:00
ep93xx-fb.c
fb-puv3.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
ffb.c fbdev: Use of_node_name_eq for node name comparisons 2019-02-08 19:24:45 +01:00
fm2fb.c video: fm2fb: constify zorro_device_id 2017-09-04 16:00:49 +02:00
fsl-diu-fb.c fbdev: fsl-diu: remove redundant null check on cmap 2018-12-20 19:13:08 +01:00
g364fb.c
gbefb.c
goldfishfb.c video: goldfishfb: fix memory leak on driver remove 2018-07-24 19:11:27 +02:00
grvga.c video: fbdev: annotate fb_fix_screeninfo with const and __initconst 2017-09-04 16:00:49 +02:00
gxt4500.c
hecubafb.c
hgafb.c video: hgafb: fix potential NULL pointer dereference 2019-04-01 17:46:58 +02:00
hitfb.c
hpfb.c hpfb: use probe_kernel_read() 2017-05-27 15:41:17 -04:00
hyperv_fb.c use the new async probing feature for the hyperv drivers 2018-07-03 13:02:28 +02:00
i740_reg.h
i740fb.c video: fbdev: mark expected switch fall-throughs 2018-07-24 19:11:28 +02:00
imsttfb.c video: imsttfb: fix potential NULL pointer dereferences 2019-04-01 17:46:58 +02:00
imxfb.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
jz4740_fb.c fbdev: jz4740-fb: Let the pinctrl driver configure the pins 2017-05-22 17:22:06 +02:00
Kconfig drivers: video: fbdev: Kconfig: pedantic cleanups 2019-04-01 17:46:57 +02:00
leo.c fbdev: Convert to using %pOFn instead of device_node.name 2018-10-08 12:57:36 +02:00
macfb.c video/macfb: Always initialize DAFB colour table pointer register 2019-04-01 17:46:55 +02:00
macmodes.c
macmodes.h
Makefile video: fbdev: remove dead old CLPS711x LCD support driver 2018-10-24 11:26:32 +02:00
maxinefb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
metronomefb.c video: fbdev: metronomefb: fix some off by one bugs 2018-07-24 19:11:26 +02:00
mx3fb.c
mxsfb.c fbdev: mxsfb: implement FB_PRE_INIT_FB option 2019-04-01 17:46:53 +02:00
n411.c Annotate hardware config module parameters in drivers/video/ 2017-04-20 12:02:32 +01:00
neofb.c video: fbdev: neofb: constify pci_device_id. 2017-08-01 17:20:44 +02:00
nuc900fb.c
nuc900fb.h
ocfb.c
offb.c video: offb: annotate implicit fall throughs 2019-02-08 19:24:46 +01:00
p9100.c fbdev: Convert to using %pOFn instead of device_node.name 2018-10-08 12:57:36 +02:00
platinumfb.c powerpc, fbdev: Use NV_CMODE and NV_VMODE only when CONFIG_PPC32 && CONFIG_PPC_PMAC && CONFIG_NVRAM 2019-01-22 10:21:45 +01:00
platinumfb.h
pm2fb.c video: fbdev: mark expected switch fall-throughs 2018-07-24 19:11:28 +02:00
pm3fb.c video: fbdev: pm3fb: constify pci_device_id. 2017-08-01 17:20:45 +02:00
pmag-aa-fb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
pmag-ba-fb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
pmagb-b-fb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
ps3fb.c video: fbdev: annotate fb_fix_screeninfo with const and __initconst 2017-09-04 16:00:49 +02:00
pvr2fb.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
pxa3xx-gcu.c video: fbdev: pxa3xx_gcu: add devicetree bindings 2018-07-24 19:11:25 +02:00
pxa3xx-gcu.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pxa168fb.c pxa168fb: trivial typo fix 2018-12-20 19:13:09 +01:00
pxa168fb.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pxafb.c video: fbdev: pxafb: Fix "WARNING: invalid free of devm_ allocated data" 2018-12-20 19:13:08 +01:00
pxafb.h video: fbdev: pxafb: Add support for lcd-supply regulator 2018-07-24 19:11:26 +02:00
q40fb.c video: fbdev: make fb_var_screeninfo const 2017-09-04 16:00:50 +02:00
s1d13xxxfb.c fbdev: s1d13xxxfb: remove m32r specific hacks 2018-03-26 15:56:46 +02:00
s3c2410fb.c
s3c2410fb.h
s3c-fb.c video: fbdev: s3c-fb: remove dead platform code for Exynos and S5PV210 platforms 2018-03-28 16:34:29 +02:00
s3fb.c video: fbdev: s3fb: constify pci_device_id. 2017-08-01 17:20:45 +02:00
sa1100fb.c video: sa1100fb: move pseudo palette into sa1100fb_info structure 2017-10-17 16:01:13 +02:00
sa1100fb.h video: sa1100fb: move pseudo palette into sa1100fb_info structure 2017-10-17 16:01:13 +02:00
sbuslib.c fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper() 2018-10-08 12:57:36 +02:00
sbuslib.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sh7760fb.c media: fbdev: sh7760fb: convert to SPDX identifiers 2018-09-12 09:31:04 -04:00
sh_mobile_lcdcfb.c video: fbdev: sh_mobile_lcdcfb: remove unused MERAM support 2018-05-14 15:47:30 +02:00
sh_mobile_lcdcfb.h video: fbdev: sh_mobile_lcdcfb: remove unused MERAM support 2018-05-14 15:47:30 +02:00
simplefb.c video: fbdev: simplefb: Stop including <linux/clk-provider.h> 2018-07-03 17:43:09 +02:00
skeletonfb.c docs: fix broken references with multiple hints 2018-06-15 18:10:01 -03:00
sm501fb.c video: sm501fb: Improve a size determination in sm501fb_probe() 2018-04-26 12:24:18 +02:00
sm712.h fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display 2019-04-01 17:46:59 +02:00
sm712fb.c fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display 2019-04-01 17:46:59 +02:00
smscufx.c video: smscufx: Delete an error message for a failed memory allocation in ufx_realloc_framebuffer() 2018-03-28 16:34:28 +02:00
ssd1307fb.c video: ssd1307fb: Do not hard code active-low reset sequence 2019-02-08 19:24:48 +01:00
sstfb.c
sticore.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
stifb.c video/fbdev/stifb: Fix spelling mistake in fall-through annotation 2018-09-26 18:50:54 +02:00
sunxvr500.c video: fbdev: sunxvr500: constify pci_device_id. 2017-08-01 17:20:43 +02:00
sunxvr1000.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
sunxvr2500.c video: fbdev: sunxvr2500: constify pci_device_id. 2017-08-01 17:20:41 +02:00
tcx.c video: fbdev: Convert to using %pOF instead of full_name 2017-08-07 17:22:13 +02:00
tdfxfb.c video: fbdev: mark expected switch fall-throughs 2018-07-24 19:11:28 +02:00
tgafb.c
tmiofb.c
tridentfb.c video: fbdev: tridentfb: remove deadcode on unreachable case statement 2018-07-24 19:11:28 +02:00
udlfb.c udlfb: introduce a rendering mutex 2019-04-01 17:46:57 +02:00
uvesafb.c fbdev: uvesafb: fix spelling mistake "memoery" -> "memory" 2018-12-20 19:13:08 +01:00
valkyriefb.c powerpc, fbdev: Use NV_CMODE and NV_VMODE only when CONFIG_PPC32 && CONFIG_PPC_PMAC && CONFIG_NVRAM 2019-01-22 10:21:45 +01:00
valkyriefb.h
vesafb.c video: fbdev: vesafb: fix indentation issue 2019-04-01 17:46:54 +02:00
vfb.c vfb: fix video mode and line_length being set when loaded 2018-01-04 16:53:50 +01:00
vga16fb.c video: fbdev: remove redundant self assignment of 'height' 2017-12-29 19:48:43 +01:00
vt8500lcdfb.c video/fbdev/vt8500lcdfb: Delete an error message for a failed memory allocation in vt8500lcd_probe() 2017-12-29 19:48:44 +01:00
vt8500lcdfb.h
vt8623fb.c video: fbdev: vt8623fb: constify vt8623_timing_regs 2017-08-18 19:56:40 +02:00
w100fb.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
w100fb.h
wm8505fb_regs.h
wm8505fb.c video/fbdev/wm8505fb: Delete an error message for a failed memory allocation in wm8505fb_probe() 2017-12-29 19:48:43 +01:00
wmt_ge_rops.c
wmt_ge_rops.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xen-fbfront.c xen, fbfront: mark expected switch fall-through 2019-04-01 17:46:57 +02:00
xilinxfb.c video: fbdev: Fix multiple style issues in xilinxfb 2017-08-21 16:49:57 +02:00