authorJiri Slaby <jslaby@suse.cz>2019-07-21 10:23:21 +0200
committerJiri Slaby <jslaby@suse.cz>2019-07-21 10:23:28 +0200
commitc04b328a49fed8a7875b7530f54825b870d98686 (patch)
treefb995e4ab892183aeff8c3d105e3599ed9c3112f
parent8686882d8c22e817593cc5120a5af970712a130c (diff)
s390: fix stfle zero padding (bnc#1012628).
-rw-r--r--patches.kernel.org/5.2.2-015-s390-fix-stfle-zero-padding.patch88
-rw-r--r--series.conf1
2 files changed, 89 insertions, 0 deletions
diff --git a/patches.kernel.org/5.2.2-015-s390-fix-stfle-zero-padding.patch b/patches.kernel.org/5.2.2-015-s390-fix-stfle-zero-padding.patch
new file mode 100644
index 0000000000..53ab6faaa7
--- /dev/null
+++ b/patches.kernel.org/5.2.2-015-s390-fix-stfle-zero-padding.patch
@@ -0,0 +1,88 @@
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Mon, 17 Jun 2019 14:02:41 +0200
+Subject: [PATCH] s390: fix stfle zero padding
+References: bnc#1012628
+Patch-mainline: 5.2.2
+Git-commit: 4f18d869ffd056c7858f3d617c71345cf19be008
+
+commit 4f18d869ffd056c7858f3d617c71345cf19be008 upstream.
+
+The stfle inline assembly returns the number of double words written
+(condition code 0) or the double words it would have written
+(condition code 3), if the memory array it got as parameter would have
+been large enough.
+
+The current stfle implementation assumes that the array is always
+large enough and clears those parts of the array that have not been
+written to with a subsequent memset call.
+
+If however the array is not large enough memset will get a negative
+length parameter, which means that memset clears memory until it gets
+an exception and the kernel crashes.
+
+To fix this simply limit the maximum length. Move also the inline
+assembly to an extra function to avoid clobbering of register 0, which
+might happen because of the added min_t invocation together with code
+instrumentation.
+
+The bug was introduced with commit 14375bc4eb8d ("[S390] cleanup
+facility list handling") but was rather harmless, since it would only
+write to a rather large array. It became a potential problem with
+commit 3ab121ab1866 ("[S390] kernel: Add z/VM LGR detection"). Since
+then it writes to an array with only four double words, while some
+machines already deliver three double words. As soon as machines have
+a facility bit within the fifth double a crash on IPL would happen.
+
+Fixes: 14375bc4eb8d ("[S390] cleanup facility list handling")
+Cc: <stable@vger.kernel.org> # v2.6.37+
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/s390/include/asm/facility.h | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/arch/s390/include/asm/facility.h b/arch/s390/include/asm/facility.h
+index e78cda94456b..68c476b20b57 100644
+--- a/arch/s390/include/asm/facility.h
++++ b/arch/s390/include/asm/facility.h
+@@ -59,6 +59,18 @@ static inline int test_facility(unsigned long nr)
+ return __test_facility(nr, &S390_lowcore.stfle_fac_list);
+ }
+
++static inline unsigned long __stfle_asm(u64 *stfle_fac_list, int size)
++{
++ register unsigned long reg0 asm("0") = size - 1;
++
++ asm volatile(
++ ".insn s,0xb2b00000,0(%1)" /* stfle */
++ : "+d" (reg0)
++ : "a" (stfle_fac_list)
++ : "memory", "cc");
++ return reg0;
++}
++
+ /**
+ * stfle - Store facility list extended
+ * @stfle_fac_list: array where facility list can be stored
+@@ -75,13 +87,8 @@ static inline void __stfle(u64 *stfle_fac_list, int size)
+ memcpy(stfle_fac_list, &S390_lowcore.stfl_fac_list, 4);
+ if (S390_lowcore.stfl_fac_list & 0x01000000) {
+ /* More facility bits available with stfle */
+- register unsigned long reg0 asm("0") = size - 1;
+-
+- asm volatile(".insn s,0xb2b00000,0(%1)" /* stfle */
+- : "+d" (reg0)
+- : "a" (stfle_fac_list)
+- : "memory", "cc");
+- nr = (reg0 + 1) * 8; /* # bytes stored by stfle */
++ nr = __stfle_asm(stfle_fac_list, size);
++ nr = min_t(unsigned long, (nr + 1) * 8, size * 8);
+ }
+ memset((char *) stfle_fac_list + nr, 0, size * 8 - nr);
+ }
+--
+2.22.0
+
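Review bot: The reason `__stfle_asm` is a separate function, and the meaning of its return value, are recorded only in the commit message and not in facility.h itself. Register 0 comes back as the number of doublewords the instruction stored or would have stored, minus one, so it can exceed `size - 1`, and the `min_t` clamp in `__stfle` is the only thing keeping the following `memset` length from wrapping. A comment above the helper such as `/* Returns (doublewords stored or needed) - 1; may exceed size - 1, caller must clamp. Kept separate from min_t so instrumentation cannot clobber register 0. */` would stop a later cleanup from folding the asm back in or dropping the clamp. Separately, `size` is a signed `int` and `size * 8` is converted to `unsigned long` inside `min_t`, so the bound holds only for positive `size`; callers are not visible here, so that precondition is worth confirming and stating in the kernel-doc for `stfle`. The body of `__stfle` starts outside the hunk.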
diff --git a/series.conf b/series.conf
index 14483d9869..91964688a6 100644
--- a/series.conf
+++ b/series.conf
@@ -102,6 +102,7 @@
patches.kernel.org/5.2.2-012-x86-irq-Seperate-unused-system-vectors-from-spu.patch
patches.kernel.org/5.2.2-013-ARC-hide-unused-function-unw_hdr_alloc.patch
patches.kernel.org/5.2.2-014-s390-ipl-Fix-detection-of-has_secure-attribute.patch
+ patches.kernel.org/5.2.2-015-s390-fix-stfle-zero-padding.patch
########################################################
# Build fixes that apply to the vanilla kernel too.