From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vasily Gorbik, Heiko Carstens
Subject: [PATCH 5.2 15/21] s390: fix stfle zero padding
Date: Thu, 18 Jul 2019 12:01:33 +0900
Message-Id: <20190718030034.641243890@linuxfoundation.org>
In-Reply-To: <20190718030030.456918453@linuxfoundation.org>
References: <20190718030030.456918453@linuxfoundation.org>

From: Heiko Carstens

commit 4f18d869ffd056c7858f3d617c71345cf19be008 upstream.

The stfle inline assembly returns the number of double words written (condition code 0) or the double words it would have written (condition code 3), if the memory array it got as parameter would have been large enough.

The current stfle implementation assumes that the array is always large enough and clears those parts of the array that have not been written to with a subsequent memset call.

If however the array is not large enough memset will get a negative length parameter, which means that memset clears memory until it gets an exception and the kernel crashes.

To fix this simply limit the maximum length. Move also the inline assembly to an extra function to avoid clobbering of register 0, which might happen because of the added min_t invocation together with code instrumentation.

The bug was introduced with commit 14375bc4eb8d ("[S390] cleanup facility list handling") but was rather harmless, since it would only write to a rather large array. It became a potential problem with commit 3ab121ab1866 ("[S390] kernel: Add z/VM LGR detection"). Since then it writes to an array with only four double words, while some machines already deliver three double words. As soon as machines have a facility bit within the fifth double a crash on IPL would happen.

Fixes: 14375bc4eb8d ("[S390] cleanup facility list handling")
Cc: # v2.6.37+
Reviewed-by: Vasily Gorbik
Signed-off-by: Heiko Carstens
Signed-off-by: Vasily Gorbik
Signed-off-by: Greg Kroah-Hartman
---
 arch/s390/include/asm/facility.h | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

--- a/arch/s390/include/asm/facility.h
+++ b/arch/s390/include/asm/facility.h
@@ -59,6 +59,18 @@ static inline int test_facility(unsigned return __test_facility(nr, &S390_lowcore.stfle_fac_list); } +static inline unsigned long __stfle_asm(u64 *stfle_fac_list, int size) +{ + register unsigned long reg0 asm("0") = size - 1; + + asm volatile( + ".insn s,0xb2b00000,0(%1)" /* stfle */ + : "+d" (reg0) + : "a" (stfle_fac_list) + : "memory", "cc"); + return reg0; +} + /** * stfle - Store facility list extended * @stfle_fac_list: array where facility list can be stored @@ -75,13 +87,8 @@ static inline void __stfle(u64 *stfle_fa memcpy(stfle_fac_list, &S390_lowcore.stfl_fac_list, 4); if (S390_lowcore.stfl_fac_list & 0x01000000) { /* More facility bits available with stfle */ - register unsigned long reg0 asm("0") = size - 1; - - asm volatile(".insn s,0xb2b00000,0(%1)" /* stfle */ - : "+d" (reg0) - : "a" (stfle_fac_list) - : "memory", "cc"); - nr = (reg0 + 1) * 8; /* # bytes stored by stfle */ + nr = __stfle_asm(stfle_fac_list, size); + nr = min_t(unsigned long, (nr + 1) * 8, size * 8); } memset((char *) stfle_fac_list + nr, 0, size * 8 - nr); }
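
Review bot: __stfle_asm() in the first hunk has no comment saying what it returns, and the caller depends on that convention: reg0 comes back as a double word count minus one, which is why __stfle() computes (nr + 1) * 8. A short comment above the helper stating the return value, and that the asm sits in its own function so nothing runs between the assignment to register 0 and the instruction, would keep a later cleanup from folding it back into __stfle(). Also, size is an int and size - 1 is stored into an unsigned long with no check that size is at least 1; if callers are expected to guarantee that, the kernel-doc for stfle should say so.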
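
Review bot: in the second hunk, in __stfle(), nr carries two different units on consecutive lines: first the raw register 0 value returned by __stfle_asm(), then a byte count after min_t(). A separate local for the helper's return value would make the clamp easier to read. The removed line carried the comment /* # bytes stored by stfle */ and the replacement has none; a comment on the min_t() line saying that stfle can report more double words than size, and that the clamp keeps the memset length size * 8 - nr from going negative, would record why the limit exists.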