Merge tag 's390-6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Pull s390 fixes from Heiko Carstens:

- Fix per vma lock fault handling: add missing !(fault & VM_FAULT_ERROR)
check to fault handler to prevent error handling for return values
that don't indicate an error

- Use kfree_sensitive() instead of kfree() in paes crypto code to clear
memory that may contain keys before freeing it

- Fix reply buffer size calculation for CCA replies in zcrypt device
driver

* tag 's390-6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/zcrypt: fix reply buffer calculations for CCA replies
s390/crypto: use kfree_sensitive() instead of kfree()
s390/mm: fix per vma lock fault handling

Linus Torvalds 2 years ago 295e1388 f036d67c

+26 -11

3 changed files

expand all

arch

s390

crypto

paes_s390.c

fault.c

drivers

s390

crypto

zcrypt_msgtype6.c

+1 -1

arch/s390/crypto/paes_s390.c

··· 103 103 { 104 104 if (kb->key && kb->key != kb->keybuf 105 105 && kb->keylen > sizeof(kb->keybuf)) { 106 - kfree(kb->key); 106 + kfree_sensitive(kb->key); 107 107 kb->key = NULL; 108 108 } 109 109 }

arch/s390/mm/fault.c

··· 421 421 vma_end_read(vma); 422 422 if (!(fault & VM_FAULT_RETRY)) { 423 423 count_vm_vma_lock_event(VMA_LOCK_SUCCESS); 424 + if (likely(!(fault & VM_FAULT_ERROR))) 425 + fault = 0; 424 426 goto out; 425 427 } 426 428 count_vm_vma_lock_event(VMA_LOCK_RETRY);

+23 -10

drivers/s390/crypto/zcrypt_msgtype6.c

··· 1101 1101 struct ica_xcRB *xcrb, 1102 1102 struct ap_message *ap_msg) 1103 1103 { 1104 - int rc; 1105 1104 struct response_type *rtype = ap_msg->private; 1106 1105 struct { 1107 1106 struct type6_hdr hdr; 1108 1107 struct CPRBX cprbx; 1109 1108 /* ... more data blocks ... */ 1110 1109 } __packed * msg = ap_msg->msg; 1110 + unsigned int max_payload_size; 1111 + int rc, delta; 1111 1112 1112 - /* 1113 - * Set the queue's reply buffer length minus 128 byte padding 1114 - * as reply limit for the card firmware. 1115 - */ 1116 - msg->hdr.fromcardlen1 = min_t(unsigned int, msg->hdr.fromcardlen1, 1117 - zq->reply.bufsize - 128); 1118 - if (msg->hdr.fromcardlen2) 1119 - msg->hdr.fromcardlen2 = 1120 - zq->reply.bufsize - msg->hdr.fromcardlen1 - 128; 1113 + /* calculate maximum payload for this card and msg type */ 1114 + max_payload_size = zq->reply.bufsize - sizeof(struct type86_fmt2_msg); 1115 + 1116 + /* limit each of the two from fields to the maximum payload size */ 1117 + msg->hdr.fromcardlen1 = min(msg->hdr.fromcardlen1, max_payload_size); 1118 + msg->hdr.fromcardlen2 = min(msg->hdr.fromcardlen2, max_payload_size); 1119 + 1120 + /* calculate delta if the sum of both exceeds max payload size */ 1121 + delta = msg->hdr.fromcardlen1 + msg->hdr.fromcardlen2 1122 + - max_payload_size; 1123 + if (delta > 0) { 1124 + /* 1125 + * Sum exceeds maximum payload size, prune fromcardlen1 1126 + * (always trust fromcardlen2) 1127 + */ 1128 + if (delta > msg->hdr.fromcardlen1) { 1129 + rc = -EINVAL; 1130 + goto out; 1131 + } 1132 + msg->hdr.fromcardlen1 -= delta; 1133 + } 1121 1134 1122 1135 init_completion(&rtype->work); 1123 1136 rc = ap_queue_message(zq->queue, ap_msg);

Configure Feed

Configure Feed