[PATCH 4.4 177/230] stm class: Prevent division by zero

From: Greg Kroah-Hartman
Date: Fri Mar 22 2019 - 07:37:12 EST


4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Shishkin <alexander.shishkin@xxxxxxxxxxxxxxx>

commit bf7cbaae0831252b416f375ca9b1027ecd4642dd upstream.

Using STP_POLICY_ID_SET ioctl command with dummy_stm device, or any STM
device that supplies zero mmio channel size, will trigger a division by
zero bug in the kernel.

Prevent this by disallowing channel widths other than 1 for such devices.

Signed-off-by: Alexander Shishkin <alexander.shishkin@xxxxxxxxxxxxxxx>
Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
CC: stable@xxxxxxxxxxxxxxx # v4.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/hwtracing/stm/core.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/hwtracing/stm/core.c
+++ b/drivers/hwtracing/stm/core.c
@@ -477,7 +477,7 @@ static int stm_char_policy_set_ioctl(str
{
struct stm_device *stm = stmf->stm;
struct stp_policy_id *id;
- int ret = -EINVAL;
+ int ret = -EINVAL, wlimit = 1;
u32 size;

if (stmf->output.nr_chans)
@@ -505,8 +505,10 @@ static int stm_char_policy_set_ioctl(str
if (id->__reserved_0 || id->__reserved_1)
goto err_free;

- if (id->width < 1 ||
- id->width > PAGE_SIZE / stm->data->sw_mmiosz)
+ if (stm->data->sw_mmiosz)
+ wlimit = PAGE_SIZE / stm->data->sw_mmiosz;
+
+ if (id->width < 1 || id->width > wlimit)
goto err_free;

ret = stm_file_assign(stmf, id->id, id->width);