1 From bf7cbaae0831252b416f375ca9b1027ecd4642dd Mon Sep 17 00:00:00 2001
2 From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
3 Date: Thu, 21 Feb 2019 14:19:17 +0200
4 Subject: stm class: Prevent division by zero
5
6 From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
7
8 commit bf7cbaae0831252b416f375ca9b1027ecd4642dd upstream.
9
10 Using STP_POLICY_ID_SET ioctl command with dummy_stm device, or any STM
11 device that supplies zero mmio channel size, will trigger a division by
12 zero bug in the kernel.
13
14 Prevent this by disallowing channel widths other than 1 for such devices.
15
16 Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
17 Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
18 CC: stable@vger.kernel.org # v4.4+
19 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
20
21 ---
22 drivers/hwtracing/stm/core.c | 8 +++++---
23 1 file changed, 5 insertions(+), 3 deletions(-)
24
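--- a/drivers/hwtracing/stm/core.c
+++ b/drivers/hwtracing/stm/core.c
@@ -553,7 +553,7 @@ static int stm_char_policy_set_ioctl(str
 {
 struct stm_device *stm = stmf->stm;
 struct stp_policy_id *id;
- int ret = -EINVAL;
+ int ret = -EINVAL, wlimit = 1;
 u32 size;
 
 if (stmf->output.nr_chans)
@@ -581,8 +581,10 @@ static int stm_char_policy_set_ioctl(str
 if (id->__reserved_0 || id->__reserved_1)
 goto err_free;
 
- if (id->width < 1 ||
- id->width > PAGE_SIZE / stm->data->sw_mmiosz)
+ if (stm->data->sw_mmiosz)
+ wlimit = PAGE_SIZE / stm->data->sw_mmiosz;
+
+ if (id->width < 1 || id->width > wlimit)
 goto err_free;
 
 ret = stm_file_assign(stmf, id->id, id->width);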
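Review bot: The `wlimit = 1` default in stm_char_policy_set_ioctl() carries the whole fix, but nothing in the code says why. A comment on the new guard, such as `/* sw_mmiosz == 0: nothing to divide by, allow only width 1 */`, would stop a later cleanup from folding the division back into the range check. This path is reached from a userspace ioctl and the divisor is supplied by the driver, so it is worth confirming that no other use of `stm->data->sw_mmiosz` outside these hunks divides by it unguarded. A device reporting `sw_mmiosz` larger than PAGE_SIZE still gets `wlimit == 0` and has every width rejected. That appears unchanged from the old condition, but the commit message only describes the zero case. The function body starts and ends outside the hunks shown.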