Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 bug fixes from Martin Schwidefsky: "A couple of s390 bug fixes. The PCI segment boundary issue is a nasty one as it can lead to data corruption" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/cio: Fix missing subchannels after CHPID configure on s390/pci/dma: use correct segment boundary size s390/compat: fix sys_sched_getattr compat wrapper s390/zcrypt: additional check to avoid overflow in msg-type 6 requests
author: Linus Torvalds <torvalds@linux-foundation.org> 2014-02-24 10:58:50 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2014-02-24 10:58:50 -0500
commit: 335d08b86fb48e0445de090de0dacd7404798892 (patch)
tree: 507c293991eeecde6aff064b15b7497d897cca1b /drivers
parent: cfbf8d4857c26a8a307fb7cd258074c9dcd8c691 (diff)
parent: 9955e8d15f53e53540aaed7bcef640142e65e900 (diff)
2 files changed, 24 insertions, 1 deletions
diff --git a/drivers/s390/cio/chsc.c b/drivers/s390/cio/chsc.c
index f6b9188c5af5..9f0ea6cb6922 100644
--- a/drivers/s390/cio/chsc.c
+++ b/drivers/s390/cio/chsc.c
@@ -610,6 +610,7 @@ void chsc_chp_online(struct chp_id chpid)
                css_wait_for_slow_path();
                for_each_subchannel_staged(__s390_process_res_acc, NULL,
                                           &link);
+                css_schedule_reprobe();
        }
 }
diff --git a/drivers/s390/crypto/zcrypt_msgtype6.c b/drivers/s390/crypto/zcrypt_msgtype6.c
index dc542e0a3055..0bc91e46395a 100644
--- a/drivers/s390/crypto/zcrypt_msgtype6.c
+++ b/drivers/s390/crypto/zcrypt_msgtype6.c
@@ -311,7 +311,7 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev,
        } __packed * msg = ap_msg->message;
        int rcblen = CEIL4(xcRB->request_control_blk_length);
-        int replylen;
+        int replylen, req_sumlen, resp_sumlen;
        char *req_data = ap_msg->message + sizeof(struct type6_hdr) + rcblen;
        char *function_code;
@@ -321,12 +321,34 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev,
                xcRB->request_data_length;
        if (ap_msg->length > MSGTYPE06_MAX_MSG_SIZE)
                return -EINVAL;
+        /* Overflow check
+           sum must be greater (or equal) than the largest operand */
+        req_sumlen = CEIL4(xcRB->request_control_blk_length) +
+                        xcRB->request_data_length;
+        if ((CEIL4(xcRB->request_control_blk_length) <=
+                                                xcRB->request_data_length) ?
+                (req_sumlen < xcRB->request_data_length) :
+                (req_sumlen < CEIL4(xcRB->request_control_blk_length))) {
+                return -EINVAL;
+        }
        replylen = sizeof(struct type86_fmt2_msg) +
                CEIL4(xcRB->reply_control_blk_length) +
                xcRB->reply_data_length;
        if (replylen > MSGTYPE06_MAX_MSG_SIZE)
                return -EINVAL;
+        /* Overflow check
+           sum must be greater (or equal) than the largest operand */
+        resp_sumlen = CEIL4(xcRB->reply_control_blk_length) +
+                        xcRB->reply_data_length;
+        if ((CEIL4(xcRB->reply_control_blk_length) <= xcRB->reply_data_length) ?
+                (resp_sumlen < xcRB->reply_data_length) :
+                (resp_sumlen < CEIL4(xcRB->reply_control_blk_length))) {
+                return -EINVAL;
+        }
        /* prepare type6 header */
        msg->hdr = static_type6_hdrX;
        memcpy(msg->hdr.agent_id , &(xcRB->agent_ID), sizeof(xcRB->agent_ID));
author	Linus Torvalds <torvalds@linux-foundation.org>	2014-02-24 10:58:50 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2014-02-24 10:58:50 -0500
commit	335d08b86fb48e0445de090de0dacd7404798892 (patch)
tree	507c293991eeecde6aff064b15b7497d897cca1b /drivers
parent	cfbf8d4857c26a8a307fb7cd258074c9dcd8c691 (diff)
parent	9955e8d15f53e53540aaed7bcef640142e65e900 (diff)