stm class: Prevent division by zero
Using STP_POLICY_ID_SET ioctl command with dummy_stm device, or any STM
device that supplies zero mmio channel size, will trigger a division by
zero bug in the kernel.
Prevent this by disallowing channel widths other than 1 for such devices.
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Fixes: 7bd1d4093c
("stm class: Introduce an abstraction for System Trace Module devices")
CC: stable@vger.kernel.org # v4.4+
This commit is contained in:
parent
a1d75dad3a
commit
bf7cbaae08
@ -735,7 +735,7 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg)
|
||||
struct stm_device *stm = stmf->stm;
|
||||
struct stp_policy_id *id;
|
||||
char *ids[] = { NULL, NULL };
|
||||
int ret = -EINVAL;
|
||||
int ret = -EINVAL, wlimit = 1;
|
||||
u32 size;
|
||||
|
||||
if (stmf->output.nr_chans)
|
||||
@ -763,8 +763,10 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg)
|
||||
if (id->__reserved_0 || id->__reserved_1)
|
||||
goto err_free;
|
||||
|
||||
if (id->width < 1 ||
|
||||
id->width > PAGE_SIZE / stm->data->sw_mmiosz)
|
||||
if (stm->data->sw_mmiosz)
|
||||
wlimit = PAGE_SIZE / stm->data->sw_mmiosz;
|
||||
|
||||
if (id->width < 1 || id->width > wlimit)
|
||||
goto err_free;
|
||||
|
||||
ids[0] = id->id;
|
||||
|
Loading…
Reference in New Issue
Block a user