Re: [PATCH 1/2] drm/modes: Avoid divide by zero harder in drm_mode_vrefresh()

Jani Nikula <jani.nikula@xxxxxxxxxxxxxxx> · Fri, 29 Nov 2024 15:07:41 +0200

On Fri, 29 Nov 2024, "Nautiyal, Ankit K" <ankit.k.nautiyal@xxxxxxxxx> wrote:
> On 11/29/2024 9:56 AM, Ville Syrjala wrote:
>> From: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx>
>>
>> drm_mode_vrefresh() is trying to avoid divide by zero
>> by checking whether htotal or vtotal are zero. But we may
>> still end up with a div-by-zero of vtotal*htotal*...
>>
>> Cc: stable@xxxxxxxxxxxxxxx
>> Reported-by: syzbot+622bba18029bcde672e1@xxxxxxxxxxxxxxxxxxxxxxxxx
>> Closes: https://syzkaller.appspot.com/bug?extid=622bba18029bcde672e1
>> Signed-off-by: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx>
>> ---
>>   drivers/gpu/drm/drm_modes.c | 11 +++++++----
>>   1 file changed, 7 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
>> index 6ba167a33461..71573b85d924 100644
>> --- a/drivers/gpu/drm/drm_modes.c
>> +++ b/drivers/gpu/drm/drm_modes.c
>> @@ -1287,14 +1287,11 @@ EXPORT_SYMBOL(drm_mode_set_name);
>>    */
>>   int drm_mode_vrefresh(const struct drm_display_mode *mode)
>>   {
>> -	unsigned int num, den;
>> +	unsigned int num = 1, den = 1;
>>   
>>   	if (mode->htotal == 0 || mode->vtotal == 0)
>>   		return 0;
>>   
>> -	num = mode->clock;
>> -	den = mode->htotal * mode->vtotal;
>> -
>>   	if (mode->flags & DRM_MODE_FLAG_INTERLACE)
>>   		num *= 2;
>>   	if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
>> @@ -1302,6 +1299,12 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
>>   	if (mode->vscan > 1)
>>   		den *= mode->vscan;
>>   
>> +	if (check_mul_overflow(mode->clock, num, &num))
>> +		return 0;
>> +
>> +	if (check_mul_overflow(mode->htotal * mode->vtotal, den, &den))
>
> Can mode->htotal * mode->vtotal result in overflow?

u16 * u16 will always fit in an unsigned int (at least where the kernel
runs).

Reviewed-by: Jani Nikula <jani.nikula@xxxxxxxxx>

>
> and we should add:
>
> if (check_mul_overflow(mode->htotal, mode->vtotal, &prod))
> 	return 0;
>
> Regards,
>
> Ankit
>
>> +		return 0;
>> +
>>   	return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
>>   }
>>   EXPORT_SYMBOL(drm_mode_vrefresh);

-- 
Jani Nikula, Intel