--- /dev/null
+From 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Sun, 7 Dec 2025 15:25:32 +0800
+Subject: fbdev: rivafb: fix divide error in nv3_arb()
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 upstream.
+
+A userspace program can trigger the RIVA NV3 arbitration code by calling
+the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver
+recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz
+(derived from the PRAMDAC MCLK PLL) as a divisor without validating it
+first.
+
+In a normal setup, state->mclk_khz is provided by the real hardware and is
+non-zero. However, an attacker can construct a malicious or misconfigured
+device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL
+configuration, causing state->mclk_khz to become zero. Once
+nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns
+calculation causes a divide error and crashes the kernel.
+
+Fix this by checking whether state->mclk_khz is zero and bailing out before
+doing the division.
+
+The following log reveals it:
+
+rivafb: setting virtual Y resolution to 2184
+divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]
+RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546
+Call Trace:
+ nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603
+ nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]
+ CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246
+ riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779
+ rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196
+ fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033
+ do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109
+ fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188
+ __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/riva/riva_hw.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/video/fbdev/riva/riva_hw.c
++++ b/drivers/video/fbdev/riva/riva_hw.c
+@@ -437,6 +437,9 @@ static char nv3_arb(nv3_fifo_info * res_
+ vmisses = 2;
+ eburst_size = state->memory_width * 1;
+ mburst_size = 32;
++ if (!state->mclk_khz)
++ return (0);
++
+ gns = 1000000 * (gmisses*state->mem_page_miss + state->mem_latency)/state->mclk_khz;
+ ainfo->by_gfacc = gns*ainfo->gdrain_rate/1000000;
+ ainfo->wcmocc = 0;
--- /dev/null
+From 120adae7b42faa641179270c067864544a50ab69 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 28 Dec 2025 14:17:03 +0100
+Subject: fbdev: smscufx: properly copy ioctl memory to kernelspace
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 120adae7b42faa641179270c067864544a50ab69 upstream.
+
+The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from
+userspace to kernelspace, and instead directly references the memory,
+which can cause problems if invalid data is passed from userspace. Fix
+this all up by correctly copying the memory before accessing it within
+the kernel.
+
+Reported-by: Tianchu Chen <flynnnchen@tencent.com>
+Cc: stable <stable@kernel.org>
+Cc: Steve Glendinning <steve.glendinning@shawell.net>
+Cc: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/smscufx.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/smscufx.c
++++ b/drivers/video/fbdev/smscufx.c
+@@ -987,7 +987,6 @@ static int ufx_ops_ioctl(struct fb_info
+ unsigned long arg)
+ {
+ struct ufx_data *dev = info->par;
+- struct dloarea *area = NULL;
+
+ if (!atomic_read(&dev->usb_active))
+ return 0;
+@@ -1002,6 +1001,10 @@ static int ufx_ops_ioctl(struct fb_info
+
+ /* TODO: Help propose a standard fb.h ioctl to report mmap damage */
+ if (cmd == UFX_IOCTL_REPORT_DAMAGE) {
++ struct dloarea *area __free(kfree) = kmalloc(sizeof(*area), GFP_KERNEL);
++ if (!area)
++ return -ENOMEM;
++
+ /* If we have a damage-aware client, turn fb_defio "off"
+ * To avoid perf imact of unnecessary page fault handling.
+ * Done by resetting the delay for this fb_info to a very
+@@ -1011,7 +1014,8 @@ static int ufx_ops_ioctl(struct fb_info
+ if (info->fbdefio)
+ info->fbdefio->delay = UFX_DEFIO_WRITE_DISABLE;
+
+- area = (struct dloarea *)arg;
++ if (copy_from_user(area, (u8 __user *)arg, sizeof(*area)))
++ return -EFAULT;
+
+ if (area->x < 0)
+ area->x = 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
