Patch "video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()" has been added to the 4.9-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     video-fbdev-arkfb-fix-a-divide-by-zero-bug-in-ark_se.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 6da48afa34f1cc1b61ff83e60246a3cf36f37551
Author: Zheyu Ma <zheyuma97@xxxxxxxxx>
Date:   Wed Aug 3 17:23:12 2022 +0800

    video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()
    
    [ Upstream commit 2f1c4523f7a3aaabe7e53d3ebd378292947e95c8 ]
    
    Since the user can control the arguments of the ioctl() from the user
    space, under special arguments that may result in a divide-by-zero bug
    in:
      drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul);
    with hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0.
    and then in:
      drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par->dac, 0, 1000000000 / pixclock);
    we'll get a division-by-zero.
    
    The following log can reveal it:
    
    divide error: 0000 [#1] PREEMPT SMP KASAN PTI
    RIP: 0010:ark_set_pixclock drivers/video/fbdev/arkfb.c:504 [inline]
    RIP: 0010:arkfb_set_par+0x10fc/0x24c0 drivers/video/fbdev/arkfb.c:784
    Call Trace:
     fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034
     do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110
     fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189
    
    Fix this by checking the argument of ark_set_pixclock() first.
    
    Fixes: 681e14730c73 ("arkfb: new framebuffer driver for ARK Logic cards")
    Signed-off-by: Zheyu Ma <zheyuma97@xxxxxxxxx>
    Signed-off-by: Helge Deller <deller@xxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/video/fbdev/arkfb.c b/drivers/video/fbdev/arkfb.c
index 6a317de7082c..6af8043541c7 100644
--- a/drivers/video/fbdev/arkfb.c
+++ b/drivers/video/fbdev/arkfb.c
@@ -778,7 +778,12 @@ static int arkfb_set_par(struct fb_info *info)
 		return -EINVAL;
 	}
 
-	ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul);
+	value = (hdiv * info->var.pixclock) / hmul;
+	if (!value) {
+		fb_dbg(info, "invalid pixclock\n");
+		value = 1;
+	}
+	ark_set_pixclock(info, value);
 	svga_set_timings(par->state.vgabase, &ark_timing_regs, &(info->var), hmul, hdiv,
 			 (info->var.vmode & FB_VMODE_DOUBLE)     ? 2 : 1,
 			 (info->var.vmode & FB_VMODE_INTERLACED) ? 2 : 1,