Commit 295e1388 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 's390-6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 fixes from Heiko Carstens:

 - Fix per vma lock fault handling: add missing !(fault & VM_FAULT_ERROR)
   check to fault handler to prevent error handling for return values
   that don't indicate an error

 - Use kfree_sensitive() instead of kfree() in paes crypto code to clear
   memory that may contain keys before freeing it

 - Fix reply buffer size calculation for CCA replies in zcrypt device
   driver

* tag 's390-6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/zcrypt: fix reply buffer calculations for CCA replies
  s390/crypto: use kfree_sensitive() instead of kfree()
  s390/mm: fix per vma lock fault handling
parents f036d67c 4cfca532
...@@ -103,7 +103,7 @@ static inline void _free_kb_keybuf(struct key_blob *kb) ...@@ -103,7 +103,7 @@ static inline void _free_kb_keybuf(struct key_blob *kb)
{ {
if (kb->key && kb->key != kb->keybuf if (kb->key && kb->key != kb->keybuf
&& kb->keylen > sizeof(kb->keybuf)) { && kb->keylen > sizeof(kb->keybuf)) {
kfree(kb->key); kfree_sensitive(kb->key);
kb->key = NULL; kb->key = NULL;
} }
} }
......
...@@ -421,6 +421,8 @@ static inline vm_fault_t do_exception(struct pt_regs *regs, int access) ...@@ -421,6 +421,8 @@ static inline vm_fault_t do_exception(struct pt_regs *regs, int access)
vma_end_read(vma); vma_end_read(vma);
if (!(fault & VM_FAULT_RETRY)) { if (!(fault & VM_FAULT_RETRY)) {
count_vm_vma_lock_event(VMA_LOCK_SUCCESS); count_vm_vma_lock_event(VMA_LOCK_SUCCESS);
if (likely(!(fault & VM_FAULT_ERROR)))
fault = 0;
goto out; goto out;
} }
count_vm_vma_lock_event(VMA_LOCK_RETRY); count_vm_vma_lock_event(VMA_LOCK_RETRY);
......
...@@ -1101,23 +1101,36 @@ static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq, ...@@ -1101,23 +1101,36 @@ static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
struct ica_xcRB *xcrb, struct ica_xcRB *xcrb,
struct ap_message *ap_msg) struct ap_message *ap_msg)
{ {
int rc;
struct response_type *rtype = ap_msg->private; struct response_type *rtype = ap_msg->private;
struct { struct {
struct type6_hdr hdr; struct type6_hdr hdr;
struct CPRBX cprbx; struct CPRBX cprbx;
/* ... more data blocks ... */ /* ... more data blocks ... */
} __packed * msg = ap_msg->msg; } __packed * msg = ap_msg->msg;
unsigned int max_payload_size;
/* int rc, delta;
* Set the queue's reply buffer length minus 128 byte padding
* as reply limit for the card firmware. /* calculate maximum payload for this card and msg type */
*/ max_payload_size = zq->reply.bufsize - sizeof(struct type86_fmt2_msg);
msg->hdr.fromcardlen1 = min_t(unsigned int, msg->hdr.fromcardlen1,
zq->reply.bufsize - 128); /* limit each of the two from fields to the maximum payload size */
if (msg->hdr.fromcardlen2) msg->hdr.fromcardlen1 = min(msg->hdr.fromcardlen1, max_payload_size);
msg->hdr.fromcardlen2 = msg->hdr.fromcardlen2 = min(msg->hdr.fromcardlen2, max_payload_size);
zq->reply.bufsize - msg->hdr.fromcardlen1 - 128;
/* calculate delta if the sum of both exceeds max payload size */
delta = msg->hdr.fromcardlen1 + msg->hdr.fromcardlen2
- max_payload_size;
if (delta > 0) {
/*
* Sum exceeds maximum payload size, prune fromcardlen1
* (always trust fromcardlen2)
*/
if (delta > msg->hdr.fromcardlen1) {
rc = -EINVAL;
goto out;
}
msg->hdr.fromcardlen1 -= delta;
}
init_completion(&rtype->work); init_completion(&rtype->work);
rc = ap_queue_message(zq->queue, ap_msg); rc = ap_queue_message(zq->queue, ap_msg);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment