[BUG] fbdev: i740fb: Divide error when ‘var->pixclock’ is zero

Zheyu Ma zheyuma97 at gmail.com
Sun Apr 3 11:26:36 UTC 2022


Hi,

I found a bug in the function i740fb_set_par().

When the user calls the ioctl system call without setting the value to
'var->pixclock', the driver will throw a divide error.

This bug occurs because the driver uses the value of 'var->pixclock'
without checking it, as the following code snippet shows:

/* var->pixclock is used as a divisor here without being checked */
if ((1000000 / var->pixclock) > DACSPEED8) {
    dev_err(info->device, "requested pixclock %i MHz out of range (max. %i MHz at 8bpp)\n",
        1000000 / var->pixclock, DACSPEED8);
    return -EINVAL;
}

We can fix this by checking the value of 'var->pixclock' in the
function i740fb_check_var() similar to commit
b36b242d4b8ea178f7fd038965e3cac7f30c3f09, or we should set the lowest
supported value when this field is zero.
I have no idea about which solution is better.

The following log reveals it:

divide error: 0000 [#1] PREEMPT SMP KASAN PTI
RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline]
RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739
Call Trace:
 <TASK>
 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036
 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]

Regards,
Zheyu Ma
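
The two fixes proposed in the report, as an added user-space sketch; this is not code from the message or from the i740fb driver. The model_* names, the MODEL_DACSPEED8 value and the reading of "lowest supported value" as the shortest pixel period the DAC limit allows are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_DACSPEED8 203u /* assumed 8bpp DAC limit in MHz (illustrative) */

/* Hypothetical stand-in for the one fb_var_screeninfo field that matters. */
struct model_var { uint32_t pixclock; /* pixel period in ps, set by the caller */ };

/* Option 1: reject a zero pixclock during validation (check_var stage). */
static int model_check_var_reject(const struct model_var *var)
{
    return var->pixclock ? 0 : -EINVAL;
}

/* Option 2: replace zero with the shortest period the DAC limit allows. */
static int model_check_var_clamp(struct model_var *var)
{
    if (!var->pixclock)
        var->pixclock = (1000000u + MODEL_DACSPEED8 - 1) / MODEL_DACSPEED8;
    return 0;
}

/* set_par stage: the range test from the report, with a guard on the divisor. */
static int model_set_par(const struct model_var *var)
{
    if (!var->pixclock)
        return -EINVAL; /* without this guard the next line divides by zero */
    if ((1000000u / var->pixclock) > MODEL_DACSPEED8)
        return -EINVAL;
    return 0;
}

/* Validate first, program the mode only if validation succeeded. */
static int model_ioctl(struct model_var *var, int clamp)
{
    int ret = clamp ? model_check_var_clamp(var) : model_check_var_reject(var);
    return ret ? ret : model_set_par(var);
}

int main(void)
{
    struct model_var a = { 0 }, b = { 0 };
    int ra = model_ioctl(&a, 0);
    int rb = model_ioctl(&b, 1);
    printf("reject: ret=%d\n", ra);
    printf("clamp:  ret=%d pixclock=%u\n", rb, (unsigned)b.pixclock);
    return 0;
}
```

The reject variant surfaces the bad request to the caller as -EINVAL, while the clamp variant silently substitutes a mode the caller did not ask for.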