From 8470c5e96bb0461e0b06c3ef159090fec15f243f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 17 Feb 2026 13:57:02 +0100
Subject: [PATCH] 6.1-stable patches
added patches:
fbdev-rivafb-fix-divide-error-in-nv3_arb.patch
fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch
---
...v-rivafb-fix-divide-error-in-nv3_arb.patch | 65 +++++++++++++++++++
...rly-copy-ioctl-memory-to-kernelspace.patch | 57 ++++++++++++++++
queue-6.1/series | 2 +
3 files changed, 124 insertions(+)
create mode 100644 queue-6.1/fbdev-rivafb-fix-divide-error-in-nv3_arb.patch
create mode 100644 queue-6.1/fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch
diff --git a/queue-6.1/fbdev-rivafb-fix-divide-error-in-nv3_arb.patch b/queue-6.1/fbdev-rivafb-fix-divide-error-in-nv3_arb.patch
new file mode 100644
index 0000000000..508d7baab6
--- /dev/null
+++ b/queue-6.1/fbdev-rivafb-fix-divide-error-in-nv3_arb.patch
@@ -0,0 +1,65 @@
+From 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li
+Date: Sun, 7 Dec 2025 15:25:32 +0800
+Subject: fbdev: rivafb: fix divide error in nv3_arb()
+
+From: Guangshuo Li
+
+commit 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 upstream.
+
+A userspace program can trigger the RIVA NV3 arbitration code by calling
+the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver
+recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz
+(derived from the PRAMDAC MCLK PLL) as a divisor without validating it
+first.
+
+In a normal setup, state->mclk_khz is provided by the real hardware and is
+non-zero. However, an attacker can construct a malicious or misconfigured
+device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL
+configuration, causing state->mclk_khz to become zero. Once
+nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns
+calculation causes a divide error and crashes the kernel.
+
+Fix this by checking whether state->mclk_khz is zero and bailing out before
+doing the division.
+
+The following log reveals it:
+
+rivafb: setting virtual Y resolution to 2184
+divide error: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]
+RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546
+Call Trace:
+ nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603
+ nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]
+ CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246
+ riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779
+ rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196
+ fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033
+ do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109
+ fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188
+ __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/riva/riva_hw.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/video/fbdev/riva/riva_hw.c
++++ b/drivers/video/fbdev/riva/riva_hw.c
+@@ -436,6 +436,9 @@ static char nv3_arb(nv3_fifo_info * res_
+ vmisses = 2;
+ eburst_size = state->memory_width * 1;
+ mburst_size = 32;
++ if (!state->mclk_khz)
++ return (0);
++
+ gns = 1000000 * (gmisses*state->mem_page_miss + state->mem_latency)/state->mclk_khz;
+ ainfo->by_gfacc = gns*ainfo->gdrain_rate/1000000;
+ ainfo->wcmocc = 0;
diff --git a/queue-6.1/fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch b/queue-6.1/fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch
new file mode 100644
index 0000000000..75937091e4
--- /dev/null
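Review bot: The new `if (!state->mclk_khz) return (0);` in nv3_arb() stops the divide, but nothing in the hunk turns that into a failed mode set; the call trace in this same patch shows the value flowing through nv3_get_param(), nv3CalcArbitration(), CalcStateExt() and riva_load_video_mode() into rivafb_set_par(), and whether any of them treats a 0 return as an error cannot be seen from here (the rest of nv3_arb() and all of its callers are outside the hunk), so the FBIOPUT_VSCREENINFO path may now proceed with whatever arbitration fields nv3_arb() left unset. A zero MCLK read back from the PRAMDAC PLL is an untrusted-hardware condition and is better rejected where it is derived, with riva_load_video_mode()/rivafb_set_par() returning -EINVAL, than silently skipped one division deep; at minimum the stable backport should confirm the caller does not loop until nv3_arb() reports success. The added lines also deserve a why-comment, since the condition looks impossible on real hardware: `/* mclk_khz comes from PLL readback; a bogus/emulated device can report 0 */`. Kernel style would also write `return 0;` rather than `return (0);`.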
+++ b/queue-6.1/fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch 
@@ -0,0 +1,57 @@
+From 120adae7b42faa641179270c067864544a50ab69 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Sun, 28 Dec 2025 14:17:03 +0100
+Subject: fbdev: smscufx: properly copy ioctl memory to kernelspace
+
+From: Greg Kroah-Hartman
+
+commit 120adae7b42faa641179270c067864544a50ab69 upstream.
+
+The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from
+userspace to kernelspace, and instead directly references the memory,
+which can cause problems if invalid data is passed from userspace. Fix
+this all up by correctly copying the memory before accessing it within
+the kernel.
+
+Reported-by: Tianchu Chen
+Cc: stable
+Cc: Steve Glendinning
+Cc: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/smscufx.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/smscufx.c
++++ b/drivers/video/fbdev/smscufx.c
+@@ -988,7 +988,6 @@ static int ufx_ops_ioctl(struct fb_info
+ unsigned long arg)
+ {
+ struct ufx_data *dev = info->par;
+- struct dloarea *area = NULL;
+
+ if (!atomic_read(&dev->usb_active))
+ return 0;
+@@ -1003,6 +1002,10 @@ static int ufx_ops_ioctl(struct fb_info
+
+ /* TODO: Help propose a standard fb.h ioctl to report mmap damage */
+ if (cmd == UFX_IOCTL_REPORT_DAMAGE) {
++ struct dloarea *area __free(kfree) = kmalloc(sizeof(*area), GFP_KERNEL);
++ if (!area)
++ return -ENOMEM;
++
+ /* If we have a damage-aware client, turn fb_defio "off"
+ * To avoid perf imact of unnecessary page fault handling.
+ * Done by resetting the delay for this fb_info to a very
+@@ -1012,7 +1015,8 @@ static int ufx_ops_ioctl(struct fb_info
+ if (info->fbdefio)
+ info->fbdefio->delay = UFX_DEFIO_WRITE_DISABLE;
+
+- area = (struct dloarea *)arg;
++ if (copy_from_user(area, (u8 __user *)arg, sizeof(*area)))
++ return -EFAULT;
+
+ if (area->x < 0)
+ area->x = 0;
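Review bot: The new `struct dloarea *area __free(kfree) = kmalloc(sizeof(*area), GFP_KERNEL);` depends on the scope-based cleanup helpers in include/linux/cleanup.h, which upstream introduced in 6.5; I have not verified that queue-6.1 already carries a backport of cleanup.h together with the `kfree` DEFINE_FREE, so this patch needs a build check on 6.1.y or the `__free(kfree)` replaced with an explicit `kfree(area)` on the -EFAULT return and at every exit of the if block. Independently of the backport, the kmalloc + copy_from_user pair is the shape memdup_user() exists for, and `area = memdup_user((void __user *)arg, sizeof(*area)); if (IS_ERR(area)) return PTR_ERR(area);` would collapse the two error paths into one. The clamping of the copied fields begins with `if (area->x < 0)` at the end of the hunk and continues outside it, as does the rest of ufx_ops_ioctl(), so whether every field of the now-trusted copy is range-checked before use cannot be seen from here.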
diff --git a/queue-6.1/series b/queue-6.1/series
index 0869cf4cc9..3da69040cc 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -55,3 +55,5 @@ net-dsa-free-routing-table-on-probe-failure.patch
 mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch
 wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch
 cpuset-fix-missing-adaptation-for-cpuset_is_populated.patch
+fbdev-rivafb-fix-divide-error-in-nv3_arb.patch
+fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch
--
2.47.3