4.4-stable patches

added patches:
	stm-class-prevent-division-by-zero.patch

diff --git a/queue-4.4/series b/queue-4.4/series
index ec2c9b898e56b99fd18313aa79d6c1a96291086a..8c44423f4a71039048205bf974985ed4d4a9bff7 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -174,3 +174,4 @@ phonet-fix-building-with-clang.patch
 mac80211_hwsim-propagate-genlmsg_reply-return-code.patch
 net-set-static-variable-an-initial-value-in-atl2_pro.patch
 tmpfs-fix-uninitialized-return-value-in-shmem_link.patch
+stm-class-prevent-division-by-zero.patch

diff --git a/queue-4.4/stm-class-prevent-division-by-zero.patch b/queue-4.4/stm-class-prevent-division-by-zero.patch
new file mode 100644 (file)
index 0000000..068c886
--- /dev/null
+++ b/queue-4.4/stm-class-prevent-division-by-zero.patch
@@ -0,0 +1,48 @@
+From bf7cbaae0831252b416f375ca9b1027ecd4642dd Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Thu, 21 Feb 2019 14:19:17 +0200
+Subject: stm class: Prevent division by zero
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit bf7cbaae0831252b416f375ca9b1027ecd4642dd upstream.
+
+Using STP_POLICY_ID_SET ioctl command with dummy_stm device, or any STM
+device that supplies zero mmio channel size, will trigger a division by
+zero bug in the kernel.
+
+Prevent this by disallowing channel widths other than 1 for such devices.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
+CC: stable@vger.kernel.org # v4.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/stm/core.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwtracing/stm/core.c
++++ b/drivers/hwtracing/stm/core.c
+@@ -477,7 +477,7 @@ static int stm_char_policy_set_ioctl(str
+ {
+       struct stm_device *stm = stmf->stm;
+       struct stp_policy_id *id;
+-      int ret = -EINVAL;
++      int ret = -EINVAL, wlimit = 1;
+       u32 size;
+ 
+       if (stmf->output.nr_chans)
+@@ -505,8 +505,10 @@ static int stm_char_policy_set_ioctl(str
+       if (id->__reserved_0 || id->__reserved_1)
+               goto err_free;
+ 
+-      if (id->width < 1 ||
+-          id->width > PAGE_SIZE / stm->data->sw_mmiosz)
++      if (stm->data->sw_mmiosz)
++              wlimit = PAGE_SIZE / stm->data->sw_mmiosz;
++
++      if (id->width < 1 || id->width > wlimit)
+               goto err_free;
+ 
+       ret = stm_file_assign(stmf, id->id, id->width);