From: Alexey Simakov
To: Lyude Paul
Cc: Alexey Simakov, David Airlie, Daniel Vetter, Francisco Jerez, dri-devel@lists.freedesktop.org, nouveau@lists.freedesktop.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Alexandr Sapozhnikov
Subject: [PATCH v2] drm/nouveau: fix div-by-zero in nouveau_bo_fixup_align
Date: Sun, 30 Nov 2025 17:42:21 +0300
Message-Id: <20251130144221.7689-1-bigalex934@gmail.com>
X-Mailer: git-send-email 2.34.1
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The expression 64 * nvbo->mode can be zero when nvbo->mode equals U32_MAX / 64, causing a division by zero in do_div(). Values greater than U32_MAX / 64 cause a u32 overflow, leading to incorrect results. Since nvbo->mode comes from userspace via ioctl, it must be validated to prevent crashes or undefined behavior.

Add a check to ensure nvbo->mode is less than U32_MAX / 64 before use in multiplication.

Found by Linux Verification Center (linuxtesting.org) with Svace.

Fixes: a0af9add499c ("drm/nouveau: Make the MM aware of pre-G80 tiling.")
Co-developed-by: Alexandr Sapozhnikov
Signed-off-by: Alexandr Sapozhnikov
Signed-off-by: Alexey Simakov
--- drivers/gpu/drm/nouveau/nouveau_bo.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau= /nouveau_bo.c index 96a8b7b1215e..774888ffa4a8 100644 
--- a/drivers/gpu/drm/nouveau/nouveau_bo.c +++ b/drivers/gpu/drm/nouveau/nouveau_bo.c @@ -207,6 +207,9 @@ nouveau_bo_alloc(struct nouveau_cli *cli, u64 *size, in= t *align, u32 domain, struct nvif_vmm *vmm =3D cli->svm.cli ? &cli->svm.vmm : &cli->vmm.vmm; int i, pi =3D -1; =20 + if (tile_mode > U32_MAX / 64) + return ERR_PTR(-EINVAL); + if (!*size) { NV_WARN(drm, "skipped size %016llx\n", *size); return ERR_PTR(-EINVAL); --=20 2.34.1
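Review bot: the bound in "if (tile_mode > U32_MAX / 64)" does not match the commit message, which asks for the mode to be "less than U32_MAX / 64" and names U32_MAX / 64 as the value that makes the product zero; the check as written still accepts tile_mode == U32_MAX / 64. The arithmetic favours the code: 64 * (U32_MAX / 64) is 0xFFFFFFC0, and the first value whose product wraps to zero in u32 is U32_MAX / 64 + 1, so the comparison can stay and the message should be corrected to say so. The check is also added in nouveau_bo_alloc() on the tile_mode argument, while the subject and message speak of nvbo->mode in nouveau_bo_fixup_align(); a one-line comment above the check naming the 64 * mode multiplication it protects would make that link visible in the code. Since this is a v2, a short changelog below the "---" line describing what changed from v1 would help reviewers.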