Patch "s390/zcrypt: fix reply buffer calculations for CCA replies" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    s390/zcrypt: fix reply buffer calculations for CCA replies

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     s390-zcrypt-fix-reply-buffer-calculations-for-cca-re.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 191f5e2f120ce8c0e4107daf0bbac81923c41ba8
Author: Harald Freudenberger <freude@xxxxxxxxxxxxx>
Date:   Mon Jul 17 16:55:29 2023 +0200

    s390/zcrypt: fix reply buffer calculations for CCA replies
    
    [ Upstream commit 4cfca532ddc3474b3fc42592d0e4237544344b1a ]
    
    The length information for available buffer space for CCA
    replies is covered with two fields in the T6 header prepended
    on each CCA reply: fromcardlen1 and fromcardlen2. The sum of
    both of these values must not exceed the AP bus limit for this
    card (24KB for CEX8, 12KB CEX7 and older) minus the always
    present headers.
    
    The current code adjusted the fromcardlen2 value in case
    of exceeding the AP bus limit when there was a non-zero
    value given from userspace. Some tests now showed that this
    was the wrong assumption. Instead, the userspace value given for
    this field should always be trusted and if the sum of the
    two fields exceeds the AP bus limit for this card the first
    field fromcardlen1 should be adjusted instead.
    
    So now the calculation is done with this new insight in mind.
    Also some additional checks for overflow have been introduced
    and some comments to provide some documentation for future
    maintainers of this complicated calculation code.
    
    Furthermore, the 128 bytes of fixed overhead which is used
    in the current code is not correct. Investigations showed
    that for a reply always the same two header structs are
    prepended before a possible payload. So this is also fixed
    with this patch.
    
    Signed-off-by: Harald Freudenberger <freude@xxxxxxxxxxxxx>
    Reviewed-by: Holger Dengler <dengler@xxxxxxxxxxxxx>
    Cc: stable@xxxxxxxxxxxxxxx
    Signed-off-by: Heiko Carstens <hca@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/s390/crypto/zcrypt_msgtype6.c b/drivers/s390/crypto/zcrypt_msgtype6.c
index 37c01aaa21a2b..84e3ad290f6ba 100644
--- a/drivers/s390/crypto/zcrypt_msgtype6.c
+++ b/drivers/s390/crypto/zcrypt_msgtype6.c
@@ -1154,23 +1154,36 @@ static long zcrypt_msgtype6_send_cprb(bool userspace, struct zcrypt_queue *zq,
 				      struct ica_xcRB *xcrb,
 				      struct ap_message *ap_msg)
 {
-	int rc;
 	struct response_type *rtype = ap_msg->private;
 	struct {
 		struct type6_hdr hdr;
 		struct CPRBX cprbx;
 		/* ... more data blocks ... */
 	} __packed * msg = ap_msg->msg;
-
-	/*
-	 * Set the queue's reply buffer length minus 128 byte padding
-	 * as reply limit for the card firmware.
-	 */
-	msg->hdr.fromcardlen1 = min_t(unsigned int, msg->hdr.fromcardlen1,
-				      zq->reply.bufsize - 128);
-	if (msg->hdr.fromcardlen2)
-		msg->hdr.fromcardlen2 =
-			zq->reply.bufsize - msg->hdr.fromcardlen1 - 128;
+	unsigned int max_payload_size;
+	int rc, delta;
+
+	/* calculate maximum payload for this card and msg type */
+	max_payload_size = zq->reply.bufsize - sizeof(struct type86_fmt2_msg);
+
+	/* limit each of the two from fields to the maximum payload size */
+	msg->hdr.fromcardlen1 = min(msg->hdr.fromcardlen1, max_payload_size);
+	msg->hdr.fromcardlen2 = min(msg->hdr.fromcardlen2, max_payload_size);
+
+	/* calculate delta if the sum of both exceeds max payload size */
+	delta = msg->hdr.fromcardlen1 + msg->hdr.fromcardlen2
+		- max_payload_size;
+	if (delta > 0) {
+		/*
+		 * Sum exceeds maximum payload size, prune fromcardlen1
+		 * (always trust fromcardlen2)
+		 */
+		if (delta > msg->hdr.fromcardlen1) {
+			rc = -EINVAL;
+			goto out;
+		}
+		msg->hdr.fromcardlen1 -= delta;
+	}
 
 	init_completion(&rtype->work);
 	rc = ap_queue_message(zq->queue, ap_msg);
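Review bot: the two `min(...)` calls that replace the old `min_t(unsigned int, ...)` need the operand types checked: the kernel's `min()` macro warns when its two arguments have different types, and the previous code deliberately used `min_t` with an explicit `unsigned int` for `fromcardlen1`. If `fromcardlen1`/`fromcardlen2` in `struct type6_hdr` are not `unsigned int`, keep `min_t(unsigned int, ...)` here. Related, `delta` is declared `int` but is computed from `msg->hdr.fromcardlen1 + msg->hdr.fromcardlen2 - max_payload_size` where `max_payload_size` is `unsigned int`, so when the sum is below the limit the subtraction wraps in unsigned arithmetic and only becomes negative through conversion back to `int`; computing the sum into an `unsigned int` and testing `if (sum > max_payload_size)` before subtracting gives the same result without depending on that conversion and makes the overflow guard the commit message mentions explicit. Finally, the new `goto out;` on the `-EINVAL` path relies on an `out:` label that is outside this hunk's context; confirm it exists in this function and that nothing allocated before this point is leaked by jumping there.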
