From: Hans-Joachim Picht <hpicht@redhat.com>
Date: Fri, 27 Feb 2009 19:56:50 +0100
Subject: [s390] sclp: handle zero-length event buffers
Message-id: 20090227185650.GB2447@redhat.com
O-Subject: [RHEL5 U4 PATCH 1/1] s390 sclp: handle zero-length event buffers
Bugzilla: 487695
RH-Acked-by: Pete Zaitcev <zaitcev@redhat.com>

Description
============
During SE restart, some SE versions may under certain conditions present
a malformed Read Event Data response block to Linux which causes an endless
loop in function sclp_dispatch_evbufs.

Solution: Stop event dispatching loop when a zero-length event buffer was

Bugzilla
=========
BZ 487695
https://bugzilla.redhat.com/show_bug.cgi?id=487695

Upstream status of the patch:
=============================
The patch is included in linux-2.6 as git commit
e2e5a0f2b100a5204d27def8bbf73333d1710be2

Test status:
============
The patch has been tested and fixes the problem.
The fix has been verified by the IBM test department.

Please ACK.

With best regards,

--Hans

diff --git a/drivers/s390/char/sclp.c b/drivers/s390/char/sclp.c index d5b67ee..353ad2b 100644 --- a/drivers/s390/char/sclp.c +++ b/drivers/s390/char/sclp.c @@ -280,8 +280,11 @@ sclp_dispatch_evbufs(struct sccb_header *sccb) rc = 0; for (offset = sizeof(struct sccb_header); offset < sccb->length; offset += evbuf->length) { - /* Search for event handler */ evbuf = (struct evbuf_header *) ((addr_t) sccb + offset); + /* Check for malformed hardware response */ + if (evbuf->length == 0) + break; + /* Search for event handler */ reg = NULL; list_for_each(l, &sclp_reg_list) { reg = list_entry(l, struct sclp_register, list);
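Review bot: the new check at the top of the loop body in sclp_dispatch_evbufs() rejects only `evbuf->length == 0`, so other malformed lengths from the same hardware response still pass. A non-zero length smaller than sizeof(struct evbuf_header), or one where offset + evbuf->length runs past sccb->length, still lets the code below treat bytes outside the event buffer or outside the response block as header fields. Since the comment already names this as the malformed-response check, consider widening it to something like `if (evbuf->length < sizeof(*evbuf) || offset + evbuf->length > sccb->length) break;`, which also covers the zero case. Separately, the `break` is silent: nothing is logged, and if the first buffer is the bad one, rc is still the 0 assigned above the loop, so the caller cannot tell a truncated dispatch from a clean one. A rate-limited warning, or a distinct return code if callers can handle one, would make the SE misbehaviour visible when it recurs.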