diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-04-08 21:02:28 +0200 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-04-08 21:02:28 +0200 |
| commit | d586c86d50cefa0897a51a2dbc714060ccedae76 (patch) | |
| tree | 76a7f454637badb74390047aebca5c071c0988fe /drivers/s390/crypto | |
| parent | Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux (diff) | |
| parent | s390/uaccess: rework uaccess code - fix locking issues (diff) | |
| download | linux-d586c86d50cefa0897a51a2dbc714060ccedae76.tar.xz linux-d586c86d50cefa0897a51a2dbc714060ccedae76.zip | |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull second set of s390 patches from Martin Schwidefsky:
"The second part of Heikos uaccess rework, the page table walker for
uaccess is now a thing of the past (yay!)
The code change to fix the theoretical TLB flush problem allows us to
add a TLB flush optimization for zEC12, this machine has new
instructions that allow to do CPU local TLB flushes for single pages
and for all pages of a specific address space.
Plus the usual bug fixing and some more cleanup"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/uaccess: rework uaccess code - fix locking issues
s390/mm,tlb: optimize TLB flushing for zEC12
s390/mm,tlb: safeguard against speculative TLB creation
s390/irq: Use defines for external interruption codes
s390/irq: Add defines for external interruption codes
s390/sclp: add timeout for queued requests
kvm/s390: also set guest pages back to stable on kexec/kdump
lcs: Add missing destroy_timer_on_stack()
s390/tape: Add missing destroy_timer_on_stack()
s390/tape: Use del_timer_sync()
s390/3270: fix crash with multiple reset device requests
s390/bitops,atomic: add missing memory barriers
s390/zcrypt: add length check for aligned data to avoid overflow in msg-type 6
Diffstat (limited to 'drivers/s390/crypto')
| -rw-r--r-- | drivers/s390/crypto/zcrypt_api.c | 4 | ||||
| -rw-r--r-- | drivers/s390/crypto/zcrypt_msgtype6.c | 18 |
2 files changed, 18 insertions, 4 deletions
diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c index 4b824b15194f..5222ebe15705 100644 --- a/drivers/s390/crypto/zcrypt_api.c +++ b/drivers/s390/crypto/zcrypt_api.c @@ -626,8 +626,8 @@ static long zcrypt_send_ep11_cprb(struct ep11_urb *xcrb) return -ENOMEM; if (copy_from_user(ep11_dev_list.targets, - (struct ep11_target_dev *)xcrb->targets, - xcrb->targets_num * + (struct ep11_target_dev __force __user *) + xcrb->targets, xcrb->targets_num * sizeof(struct ep11_target_dev))) return -EFAULT; } diff --git a/drivers/s390/crypto/zcrypt_msgtype6.c b/drivers/s390/crypto/zcrypt_msgtype6.c index 0bc91e46395a..46b324ce6c7a 100644 --- a/drivers/s390/crypto/zcrypt_msgtype6.c +++ b/drivers/s390/crypto/zcrypt_msgtype6.c @@ -315,6 +315,10 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev, char *req_data = ap_msg->message + sizeof(struct type6_hdr) + rcblen; char *function_code; + if (CEIL4(xcRB->request_control_blk_length) < + xcRB->request_control_blk_length) + return -EINVAL; /* overflow after alignment*/ + /* length checks */ ap_msg->length = sizeof(struct type6_hdr) + CEIL4(xcRB->request_control_blk_length) + @@ -333,6 +337,10 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev, return -EINVAL; } + if (CEIL4(xcRB->reply_control_blk_length) < + xcRB->reply_control_blk_length) + return -EINVAL; /* overflow after alignment*/ + replylen = sizeof(struct type86_fmt2_msg) + CEIL4(xcRB->reply_control_blk_length) + xcRB->reply_data_length; @@ -415,12 +423,18 @@ static int xcrb_msg_to_type6_ep11cprb_msgx(struct zcrypt_device *zdev, unsigned int dom_val; /* domain id */ } __packed * payload_hdr; + if (CEIL4(xcRB->req_len) < xcRB->req_len) + return -EINVAL; /* overflow after alignment*/ + /* length checks */ ap_msg->length = sizeof(struct type6_hdr) + xcRB->req_len; if (CEIL4(xcRB->req_len) > MSGTYPE06_MAX_MSG_SIZE - (sizeof(struct type6_hdr))) return -EINVAL; + if (CEIL4(xcRB->resp_len) < xcRB->resp_len) + return -EINVAL; /* overflow after alignment*/ + if (CEIL4(xcRB->resp_len) > MSGTYPE06_MAX_MSG_SIZE - (sizeof(struct type86_fmt2_msg))) return -EINVAL; @@ -432,7 +446,7 @@ static int xcrb_msg_to_type6_ep11cprb_msgx(struct zcrypt_device *zdev, /* Import CPRB data from the ioctl input parameter */ if (copy_from_user(&(msg->cprbx.cprb_len), - (char *)xcRB->req, xcRB->req_len)) { + (char __force __user *)xcRB->req, xcRB->req_len)) { return -EFAULT; } @@ -645,7 +659,7 @@ static int convert_type86_ep11_xcrb(struct zcrypt_device *zdev, return -EINVAL; /* Copy response CPRB to user */ - if (copy_to_user((char *)xcRB->resp, + if (copy_to_user((char __force __user *)xcRB->resp, data + msg->fmt2.offset1, msg->fmt2.count1)) return -EFAULT; xcRB->resp_len = msg->fmt2.count1; |