Commit 335d08b8 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 bug fixes from Martin Schwidefsky:
 "A couple of s390 bug fixes.  The PCI segment boundary issue is a nasty
  one as it can lead to data corruption"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/cio: Fix missing subchannels after CHPID configure on
  s390/pci/dma: use correct segment boundary size
  s390/compat: fix sys_sched_getattr compat wrapper
  s390/zcrypt: additional check to avoid overflow in msg-type 6 requests
parents cfbf8d48 9955e8d1
...@@ -1421,5 +1421,5 @@ ENTRY(sys_sched_setattr_wrapper) ...@@ -1421,5 +1421,5 @@ ENTRY(sys_sched_setattr_wrapper)
ENTRY(sys_sched_getattr_wrapper) ENTRY(sys_sched_getattr_wrapper)
lgfr %r2,%r2 # pid_t lgfr %r2,%r2 # pid_t
llgtr %r3,%r3 # const char __user * llgtr %r3,%r3 # const char __user *
llgfr %r3,%r3 # unsigned int llgfr %r4,%r4 # unsigned int
jg sys_sched_getattr jg sys_sched_getattr
...@@ -206,11 +206,13 @@ static void dma_cleanup_tables(struct zpci_dev *zdev) ...@@ -206,11 +206,13 @@ static void dma_cleanup_tables(struct zpci_dev *zdev)
zdev->dma_table = NULL; zdev->dma_table = NULL;
} }
static unsigned long __dma_alloc_iommu(struct zpci_dev *zdev, unsigned long start, static unsigned long __dma_alloc_iommu(struct zpci_dev *zdev,
int size) unsigned long start, int size)
{ {
unsigned long boundary_size = 0x1000000; unsigned long boundary_size;
boundary_size = ALIGN(dma_get_seg_boundary(&zdev->pdev->dev) + 1,
PAGE_SIZE) >> PAGE_SHIFT;
return iommu_area_alloc(zdev->iommu_bitmap, zdev->iommu_pages, return iommu_area_alloc(zdev->iommu_bitmap, zdev->iommu_pages,
start, size, 0, boundary_size, 0); start, size, 0, boundary_size, 0);
} }
......
...@@ -610,6 +610,7 @@ void chsc_chp_online(struct chp_id chpid) ...@@ -610,6 +610,7 @@ void chsc_chp_online(struct chp_id chpid)
css_wait_for_slow_path(); css_wait_for_slow_path();
for_each_subchannel_staged(__s390_process_res_acc, NULL, for_each_subchannel_staged(__s390_process_res_acc, NULL,
&link); &link);
css_schedule_reprobe();
} }
} }
......
...@@ -311,7 +311,7 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev, ...@@ -311,7 +311,7 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev,
} __packed * msg = ap_msg->message; } __packed * msg = ap_msg->message;
int rcblen = CEIL4(xcRB->request_control_blk_length); int rcblen = CEIL4(xcRB->request_control_blk_length);
int replylen; int replylen, req_sumlen, resp_sumlen;
char *req_data = ap_msg->message + sizeof(struct type6_hdr) + rcblen; char *req_data = ap_msg->message + sizeof(struct type6_hdr) + rcblen;
char *function_code; char *function_code;
...@@ -321,12 +321,34 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev, ...@@ -321,12 +321,34 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev,
xcRB->request_data_length; xcRB->request_data_length;
if (ap_msg->length > MSGTYPE06_MAX_MSG_SIZE) if (ap_msg->length > MSGTYPE06_MAX_MSG_SIZE)
return -EINVAL; return -EINVAL;
/* Overflow check
sum must be greater (or equal) than the largest operand */
req_sumlen = CEIL4(xcRB->request_control_blk_length) +
xcRB->request_data_length;
if ((CEIL4(xcRB->request_control_blk_length) <=
xcRB->request_data_length) ?
(req_sumlen < xcRB->request_data_length) :
(req_sumlen < CEIL4(xcRB->request_control_blk_length))) {
return -EINVAL;
}
replylen = sizeof(struct type86_fmt2_msg) + replylen = sizeof(struct type86_fmt2_msg) +
CEIL4(xcRB->reply_control_blk_length) + CEIL4(xcRB->reply_control_blk_length) +
xcRB->reply_data_length; xcRB->reply_data_length;
if (replylen > MSGTYPE06_MAX_MSG_SIZE) if (replylen > MSGTYPE06_MAX_MSG_SIZE)
return -EINVAL; return -EINVAL;
/* Overflow check
sum must be greater (or equal) than the largest operand */
resp_sumlen = CEIL4(xcRB->reply_control_blk_length) +
xcRB->reply_data_length;
if ((CEIL4(xcRB->reply_control_blk_length) <= xcRB->reply_data_length) ?
(resp_sumlen < xcRB->reply_data_length) :
(resp_sumlen < CEIL4(xcRB->reply_control_blk_length))) {
return -EINVAL;
}
/* prepare type6 header */ /* prepare type6 header */
msg->hdr = static_type6_hdrX; msg->hdr = static_type6_hdrX;
memcpy(msg->hdr.agent_id , &(xcRB->agent_ID), sizeof(xcRB->agent_ID)); memcpy(msg->hdr.agent_id , &(xcRB->agent_ID), sizeof(xcRB->agent_ID));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment