stm class: Prevent division by zero

commit bf7cbaae0831252b416f375ca9b1027ecd4642dd upstream.

Using STP_POLICY_ID_SET ioctl command with dummy_stm device, or any STM
device that supplies zero mmio channel size, will trigger a division by
zero bug in the kernel.

Prevent this by disallowing channel widths other than 1 for such devices.

Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
CC: stable@vger.kernel.org # v4.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
index 88a79b45b80cdf610443cec77693a1a0a8e3d571..41724d18e712bc690d90c7e9e4e50f9ee39542e6 100644 (file)
--- a/drivers/hwtracing/stm/core.c
+++ b/drivers/hwtracing/stm/core.c
@@ -561,7 +561,7 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg)
 {
        struct stm_device *stm = stmf->stm;
        struct stp_policy_id *id;
-       int ret = -EINVAL;
+       int ret = -EINVAL, wlimit = 1;
        u32 size;
 
        if (stmf->output.nr_chans)
@@ -589,8 +589,10 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg)
        if (id->__reserved_0 || id->__reserved_1)
                goto err_free;
 
-       if (id->width < 1 ||
-           id->width > PAGE_SIZE / stm->data->sw_mmiosz)
+       if (stm->data->sw_mmiosz)
+               wlimit = PAGE_SIZE / stm->data->sw_mmiosz;
+
+       if (id->width < 1 || id->width > wlimit)
                goto err_free;
 
        ret = stm_file_assign(stmf, id->id, id->width);