From: Greg Kroah-Hartman Date: Wed, 20 Mar 2019 15:41:09 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.137~79 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=336d90fbc825988a2a78a1dd86c4b78d78837dbc;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: stm-class-prevent-division-by-zero.patch --- diff --git a/queue-4.4/series b/queue-4.4/series index ec2c9b898e5..8c44423f4a7 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -174,3 +174,4 @@ phonet-fix-building-with-clang.patch mac80211_hwsim-propagate-genlmsg_reply-return-code.patch net-set-static-variable-an-initial-value-in-atl2_pro.patch tmpfs-fix-uninitialized-return-value-in-shmem_link.patch +stm-class-prevent-division-by-zero.patch diff --git a/queue-4.4/stm-class-prevent-division-by-zero.patch b/queue-4.4/stm-class-prevent-division-by-zero.patch new file mode 100644 index 00000000000..068c886e35b --- /dev/null +++ b/queue-4.4/stm-class-prevent-division-by-zero.patch @@ -0,0 +1,48 @@ +From bf7cbaae0831252b416f375ca9b1027ecd4642dd Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Thu, 21 Feb 2019 14:19:17 +0200 +Subject: stm class: Prevent division by zero + +From: Alexander Shishkin + +commit bf7cbaae0831252b416f375ca9b1027ecd4642dd upstream. + +Using STP_POLICY_ID_SET ioctl command with dummy_stm device, or any STM +device that supplies zero mmio channel size, will trigger a division by +zero bug in the kernel. + +Prevent this by disallowing channel widths other than 1 for such devices. + +Signed-off-by: Alexander Shishkin +Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices") +CC: stable@vger.kernel.org # v4.4+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/stm/core.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -477,7 +477,7 @@ static int stm_char_policy_set_ioctl(str + { + struct stm_device *stm = stmf->stm; + struct stp_policy_id *id; +- int ret = -EINVAL; ++ int ret = -EINVAL, wlimit = 1; + u32 size; + + if (stmf->output.nr_chans) +@@ -505,8 +505,10 @@ static int stm_char_policy_set_ioctl(str + if (id->__reserved_0 || id->__reserved_1) + goto err_free; + +- if (id->width < 1 || +- id->width > PAGE_SIZE / stm->data->sw_mmiosz) ++ if (stm->data->sw_mmiosz) ++ wlimit = PAGE_SIZE / stm->data->sw_mmiosz; ++ ++ if (id->width < 1 || id->width > wlimit) + goto err_free; + + ret = stm_file_assign(stmf, id->id, id->width);