Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 bug fixes from Martin Schwidefsky: "A couple of s390 bug fixes. The PCI segment boundary issue is a nasty one as it can lead to data corruption" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/cio: Fix missing subchannels after CHPID configure on s390/pci/dma: use correct segment boundary size s390/compat: fix sys_sched_getattr compat wrapper s390/zcrypt: additional check to avoid overflow in msg-type 6 requests
This commit is contained in:
commit
335d08b86f
|
@ -1421,5 +1421,5 @@ ENTRY(sys_sched_setattr_wrapper)
|
||||||
ENTRY(sys_sched_getattr_wrapper)
|
ENTRY(sys_sched_getattr_wrapper)
|
||||||
lgfr %r2,%r2 # pid_t
|
lgfr %r2,%r2 # pid_t
|
||||||
llgtr %r3,%r3 # const char __user *
|
llgtr %r3,%r3 # const char __user *
|
||||||
llgfr %r3,%r3 # unsigned int
|
llgfr %r4,%r4 # unsigned int
|
||||||
jg sys_sched_getattr
|
jg sys_sched_getattr
|
||||||
|
|
|
@ -206,11 +206,13 @@ static void dma_cleanup_tables(struct zpci_dev *zdev)
|
||||||
zdev->dma_table = NULL;
|
zdev->dma_table = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
static unsigned long __dma_alloc_iommu(struct zpci_dev *zdev, unsigned long start,
|
static unsigned long __dma_alloc_iommu(struct zpci_dev *zdev,
|
||||||
int size)
|
unsigned long start, int size)
|
||||||
{
|
{
|
||||||
unsigned long boundary_size = 0x1000000;
|
unsigned long boundary_size;
|
||||||
|
|
||||||
|
boundary_size = ALIGN(dma_get_seg_boundary(&zdev->pdev->dev) + 1,
|
||||||
|
PAGE_SIZE) >> PAGE_SHIFT;
|
||||||
return iommu_area_alloc(zdev->iommu_bitmap, zdev->iommu_pages,
|
return iommu_area_alloc(zdev->iommu_bitmap, zdev->iommu_pages,
|
||||||
start, size, 0, boundary_size, 0);
|
start, size, 0, boundary_size, 0);
|
||||||
}
|
}
|
||||||
|
|
|
@ -610,6 +610,7 @@ void chsc_chp_online(struct chp_id chpid)
|
||||||
css_wait_for_slow_path();
|
css_wait_for_slow_path();
|
||||||
for_each_subchannel_staged(__s390_process_res_acc, NULL,
|
for_each_subchannel_staged(__s390_process_res_acc, NULL,
|
||||||
&link);
|
&link);
|
||||||
|
css_schedule_reprobe();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -311,7 +311,7 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev,
|
||||||
} __packed * msg = ap_msg->message;
|
} __packed * msg = ap_msg->message;
|
||||||
|
|
||||||
int rcblen = CEIL4(xcRB->request_control_blk_length);
|
int rcblen = CEIL4(xcRB->request_control_blk_length);
|
||||||
int replylen;
|
int replylen, req_sumlen, resp_sumlen;
|
||||||
char *req_data = ap_msg->message + sizeof(struct type6_hdr) + rcblen;
|
char *req_data = ap_msg->message + sizeof(struct type6_hdr) + rcblen;
|
||||||
char *function_code;
|
char *function_code;
|
||||||
|
|
||||||
|
@ -321,12 +321,34 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev,
|
||||||
xcRB->request_data_length;
|
xcRB->request_data_length;
|
||||||
if (ap_msg->length > MSGTYPE06_MAX_MSG_SIZE)
|
if (ap_msg->length > MSGTYPE06_MAX_MSG_SIZE)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
|
/* Overflow check
|
||||||
|
sum must be greater (or equal) than the largest operand */
|
||||||
|
req_sumlen = CEIL4(xcRB->request_control_blk_length) +
|
||||||
|
xcRB->request_data_length;
|
||||||
|
if ((CEIL4(xcRB->request_control_blk_length) <=
|
||||||
|
xcRB->request_data_length) ?
|
||||||
|
(req_sumlen < xcRB->request_data_length) :
|
||||||
|
(req_sumlen < CEIL4(xcRB->request_control_blk_length))) {
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
|
||||||
replylen = sizeof(struct type86_fmt2_msg) +
|
replylen = sizeof(struct type86_fmt2_msg) +
|
||||||
CEIL4(xcRB->reply_control_blk_length) +
|
CEIL4(xcRB->reply_control_blk_length) +
|
||||||
xcRB->reply_data_length;
|
xcRB->reply_data_length;
|
||||||
if (replylen > MSGTYPE06_MAX_MSG_SIZE)
|
if (replylen > MSGTYPE06_MAX_MSG_SIZE)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
|
/* Overflow check
|
||||||
|
sum must be greater (or equal) than the largest operand */
|
||||||
|
resp_sumlen = CEIL4(xcRB->reply_control_blk_length) +
|
||||||
|
xcRB->reply_data_length;
|
||||||
|
if ((CEIL4(xcRB->reply_control_blk_length) <= xcRB->reply_data_length) ?
|
||||||
|
(resp_sumlen < xcRB->reply_data_length) :
|
||||||
|
(resp_sumlen < CEIL4(xcRB->reply_control_blk_length))) {
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
|
||||||
/* prepare type6 header */
|
/* prepare type6 header */
|
||||||
msg->hdr = static_type6_hdrX;
|
msg->hdr = static_type6_hdrX;
|
||||||
memcpy(msg->hdr.agent_id , &(xcRB->agent_ID), sizeof(xcRB->agent_ID));
|
memcpy(msg->hdr.agent_id , &(xcRB->agent_ID), sizeof(xcRB->agent_ID));
|
||||||
|
|
Loading…
Reference in New Issue