From: Guangshuo Li
To: Antonino Daplas, Helge Deller, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Cc: Guangshuo Li, stable@vger.kernel.org
Subject: [PATCH] riva/fbdev: fix divide error in nv3_arb()
Date: Sun, 7 Dec 2025 15:25:32 +0800
Message-ID: <20251207072532.518547-1-lgs201920130244@gmail.com>

A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first.

In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacker can construct a malicious or misconfigured device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL configuration, causing state->mclk_khz to become zero. Once nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns calculation causes a divide error and crashes the kernel.

Fix this by checking whether state->mclk_khz is zero and bailing out before doing the division.
The following log reveals it:

rivafb: setting virtual Y resolution to 2184
divide error: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]
RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546
Code: c1 e8 03 42 0f b6 14 38 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 b7 0e 00 00 41 8b 46 18 01 d8 69 c0 40 42 0f 00 99 <41> f7 fc 48 63 c8 4c 89 e8 48 c1 e8 03 42 0f b6 14 38 4c 89 e8 83
RSP: 0018:ffff888013b2f318 EFLAGS: 00010206
RAX: 0000000001d905c0 RBX: 0000000000000016 RCX: 0000000000040000
RDX: 0000000000000000 RSI: 0000000000000080 RDI: ffff888013b2f6f0
RBP: 0000000000000002 R08: ffffffff82226288 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: ffff888013b2f4d8 R14: ffff888013b2f6d8 R15: dffffc0000000000
Call Trace:
 nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603
 nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]
 CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246
 riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779
 rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196
 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033
 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188
 __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li
---
 drivers/video/fbdev/riva/riva_hw.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/video/fbdev/riva/riva_hw.c b/drivers/video/fbdev/riva/riva_hw.c
index 8b829b720064..d70c6c4d28e8 100644
--- a/drivers/video/fbdev/riva/riva_hw.c
+++ b/drivers/video/fbdev/riva/riva_hw.c @@ -436,6 +436,9 @@ static char nv3_arb(nv3_fifo_info * res_info, nv3_sim_s= tate * state, nv3_arb_in vmisses =3D 2; eburst_size =3D state->memory_width * 1; mburst_size =3D 32; + if (!state->mclk_khz) + return (0); + gns =3D 1000000 * (gmisses*state->mem_page_miss + state->mem_latency)/= state->mclk_khz; ainfo->by_gfacc =3D gns*ainfo->gdrain_rate/1000000; ainfo->wcmocc =3D 0; --=20 2.43.0
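Review bot: the early `return (0);` skips the division but leaves the caller's handling of a 0 return unexamined; nv3CalcArbitration() (riva_hw.c:603 in the trace) is outside the hunk, so please confirm that a 0 from nv3_arb() there produces either safe FIFO settings or an error back to rivafb_set_par(), rather than being ignored with ainfo->by_gfacc and the fields assigned after it left unset. A one-line comment on the check saying why mclk_khz can be zero (a bogus PLL readback from the device) would help the next reader, and plain `return 0;` is what checkpatch asks for unless you are deliberately matching the file's existing `return (...)` style.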
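As an added example, not code from rivafb or from the patch author, the C below models the two steps the commit message describes: decoding a memory clock from PLL register fields, then using it as the divisor in the gns term of the arbitration. The PLL field layout (M, N, P), the crystal frequency and the page-miss/latency constants are assumptions for illustration. The unguarded function reproduces the faulting shape (the oops above faults at `idiv %r12d` with R12 = 0), and the guarded one refuses a zero clock before dividing and hands the caller an error it can act on.

```c
/*
 * Added example, not code from rivafb. Models how a memory clock decoded
 * from PLL register fields can come out as zero, and why the division in
 * the arbitration step must be guarded. The PLL layout (M/N/P bit fields),
 * CRYSTAL_KHZ and the arbitration constants are assumptions.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define CRYSTAL_KHZ 13500U /* assumed reference crystal frequency */

struct sim_state {
    unsigned mclk_khz;      /* memory clock; the divisor at issue */
    unsigned mem_page_miss; /* cycles lost per page miss (assumed) */
    unsigned mem_latency;   /* base memory latency (assumed) */
    int mem_aligned;
};

/* Assumed layout: M in bits 0-7, N in bits 8-15, P (post divider) in 16-19. */
static unsigned pll_to_khz(uint32_t pll)
{
    unsigned m = pll & 0xffu;
    unsigned n = (pll >> 8) & 0xffu;
    unsigned p = (pll >> 16) & 0x0fu;

    if (m == 0) /* a zero divider field is itself bogus: report 0, do not divide */
        return 0;
    return (n * CRYSTAL_KHZ / m) >> p; /* n == 0 or a large p also yields 0 */
}

/*
 * Unguarded form with the same shape as the faulting expression. With
 * mclk_khz == 0 this raises SIGFPE in userspace; in the kernel it is the
 * "divide error" oops quoted above. Not exercised below.
 */
static unsigned gns_unguarded(const struct sim_state *st)
{
    unsigned gmisses = st->mem_aligned ? 2 : 3;

    return 1000000U * (gmisses * st->mem_page_miss + st->mem_latency) / st->mclk_khz;
}

/* Guarded form: validate the divisor first and return an error the caller can act on. */
static int gns_guarded(const struct sim_state *st, unsigned *gns)
{
    unsigned gmisses = st->mem_aligned ? 2 : 3;

    if (!st->mclk_khz)
        return -EINVAL;
    *gns = 1000000U * (gmisses * st->mem_page_miss + st->mem_latency) / st->mclk_khz;
    return 0;
}

/*
 * End to end: raw PLL word -> memory clock -> gns. Returns gns (>= 0) or
 * -EINVAL when the PLL readback decodes to a zero clock.
 */
static int arb_from_pll(uint32_t pll)
{
    struct sim_state st = {
        .mem_page_miss = 10,
        .mem_latency = 3,
        .mem_aligned = 1,
    };
    unsigned gns;
    int ret;

    st.mclk_khz = pll_to_khz(pll);
    ret = gns_guarded(&st, &gns);
    return ret ? ret : (int)gns;
}

int main(void)
{
    /* Constructed PLL words: one plausible value, then three bogus readbacks
     * (N == 0, M == 0, and a post divider large enough to shift the clock to 0). */
    const uint32_t words[] = { 0x00006e0cu, 0x0000000cu, 0x00006e00u, 0x000f01ffu };
    size_t i;

    for (i = 0; i < sizeof(words) / sizeof(words[0]); i++) {
        int r = arb_from_pll(words[i]);

        if (r < 0)
            printf("pll=0x%08x mclk=%u kHz -> rejected (%d)\n",
                   words[i], pll_to_khz(words[i]), r);
        else
            printf("pll=0x%08x mclk=%u kHz -> gns=%d\n",
                   words[i], pll_to_khz(words[i]), r);
    }
    (void)gns_unguarded; /* referenced only so the compiler does not warn */
    return 0;
}
```

The point of returning an error rather than a silent 0 is that the caller can fail the FBIOPUT_VSCREENINFO request instead of programming FIFO settings computed from a clock the hardware never reported; whichever convention the driver uses, the divisor has to be checked where it is first derived or at the latest before the division, never after.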