From 26a35f373fbe6f21e8ad5ca4de1c01021e38fe2f Mon Sep 17 00:00:00 2001 From: Stefan Weinhuber Date: Tue, 19 Nov 2013 14:15:57 +0100 Subject: s390/dasd: validate request size before building CCW/TCW request An I/O request that does not read or write full blocks cannot be translated into a correct CCW or TCW program and should be rejected right away. In particular the code that creates TCW requests will not notice this problem and create broken TCWs that will be rejected by the hardware. Signed-off-by: Stefan Weinhuber Reference-ID: RQM1956 --- drivers/s390/block/dasd_eckd.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/s390') diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c index cee7e2708a1f..95e45782692f 100644 --- a/drivers/s390/block/dasd_eckd.c +++ b/drivers/s390/block/dasd_eckd.c @@ -3224,6 +3224,8 @@ static struct dasd_ccw_req *dasd_eckd_build_cp(struct dasd_device *startdev, fcx_multitrack = private->features.feature[40] & 0x20; data_size = blk_rq_bytes(req); + if (data_size % blksize) + return ERR_PTR(-EINVAL); /* tpm write request add CBC data on each track boundary */ if (rq_data_dir(req) == WRITE) data_size += (last_trk - first_trk) * 4; -- cgit v1.2.3 From b2b0154e49e2b9470ae0d082128b5549cbe71152 Mon Sep 17 00:00:00 2001 From: Stefan Weinhuber Date: Fri, 29 Nov 2013 15:37:20 +0100 Subject: s390/dasd: fix memory leak caused by dangling references to request_queue After the call to del_gendisk, the gendisk still holds a reference to its request_queue. We must not modify the gendisks queue pointer before the put_disk call, or the gendisk_release function cannot release the reference and the memory for the request_queue structure is lost. Signed-off-by: Stefan Weinhuber Signed-off-by: Martin Schwidefsky --- drivers/s390/block/dasd_genhd.c | 1 - 1 file changed, 1 deletion(-) (limited to 'drivers/s390') diff --git a/drivers/s390/block/dasd_genhd.c b/drivers/s390/block/dasd_genhd.c index f64921756ad6..f224d59c4b6b 100644 --- a/drivers/s390/block/dasd_genhd.c +++ b/drivers/s390/block/dasd_genhd.c @@ -87,7 +87,6 @@ void dasd_gendisk_free(struct dasd_block *block) { if (block->gdp) { del_gendisk(block->gdp); - block->gdp->queue = NULL; block->gdp->private_data = NULL; put_disk(block->gdp); block->gdp = NULL; -- cgit v1.2.3 From 9e3ea19e35635ecd8373fc04f5dfb072be5f6d2c Mon Sep 17 00:00:00 2001 From: Hendrik Brueckner Date: Fri, 29 Nov 2013 17:29:20 +0100 Subject: s390/sclp: replace uninitialized early_event_mask_sccb variable with sccb_early Commit "s390/sclp: Consolidate early sclp init calls to sclp_early_detect()" (7b50da53f6ad2048241bef232bfc22a132a40283) replaced the sclp_event_mask_early() with sclp_set_event_mask(). The early_event_mask_sccb variable is no longer initialized but is still used in sclp_has_linemode() and sclp_has_vt220(). Replace early_event_mask_sccb with the sccb_early variable in both functions. Signed-off-by: Hendrik Brueckner Signed-off-by: Martin Schwidefsky --- drivers/s390/char/sclp_early.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'drivers/s390') diff --git a/drivers/s390/char/sclp_early.c b/drivers/s390/char/sclp_early.c index f7aa080e9b28..1465e9563101 100644 --- a/drivers/s390/char/sclp_early.c +++ b/drivers/s390/char/sclp_early.c @@ -35,7 +35,6 @@ struct read_info_sccb { u8 _reserved5[4096 - 112]; /* 112-4095 */ } __packed __aligned(PAGE_SIZE); -static __initdata struct init_sccb early_event_mask_sccb __aligned(PAGE_SIZE); static __initdata struct read_info_sccb early_read_info_sccb; static __initdata char sccb_early[PAGE_SIZE] __aligned(PAGE_SIZE); static unsigned long sclp_hsa_size; @@ -113,7 +112,7 @@ static void __init sclp_facilities_detect(void) bool __init sclp_has_linemode(void) { - struct init_sccb *sccb = &early_event_mask_sccb; + struct init_sccb *sccb = (void *) &sccb_early; if (sccb->header.response_code != 0x20) return 0; @@ -126,7 +125,7 @@ bool __init sclp_has_linemode(void) bool __init sclp_has_vt220(void) { - struct init_sccb *sccb = &early_event_mask_sccb; + struct init_sccb *sccb = (void *) &sccb_early; if (sccb->header.response_code != 0x20) return 0; -- cgit v1.2.3