From: Hans-Joachim Picht <hpicht@redhat.com>
Date: Fri, 27 Feb 2009 19:56:50 +0100
Subject: [s390] sclp: handle zero-length event buffers
Message-id: 20090227185650.GB2447@redhat.com
O-Subject: [RHEL5 U4 PATCH 1/1] s390 sclp: handle zero-length event buffers
Bugzilla: 487695
RH-Acked-by: Pete Zaitcev <zaitcev@redhat.com>

Description
============

During SE restart, some SE versions may under certain conditions
present a malformed Read Event Data response block to Linux which
causes an endless loop in function sclp_dispatch_evbufs.
Solution:  Stop event dispatching loop when a zero-length event buffer
was

Bugzilla
=========

BZ 487695
https://bugzilla.redhat.com/show_bug.cgi?id=487695

Upstream status of the patch:
=============================

The patch is included in linux-2.6 as
git commit
e2e5a0f2b100a5204d27def8bbf73333d1710be2

Test status:
============

The patch has been tested and fixes the problem.
The fix has been verified by the IBM test department.

Please ACK.

With best regards,

	--Hans

diff --git a/drivers/s390/char/sclp.c b/drivers/s390/char/sclp.c
index d5b67ee..353ad2b 100644
--- a/drivers/s390/char/sclp.c
+++ b/drivers/s390/char/sclp.c
@@ -280,8 +280,11 @@ sclp_dispatch_evbufs(struct sccb_header *sccb)
 	rc = 0;
 	for (offset = sizeof(struct sccb_header); offset < sccb->length;
 	     offset += evbuf->length) {
-		/* Search for event handler */
 		evbuf = (struct evbuf_header *) ((addr_t) sccb + offset);
+		/* Check for malformed hardware response */
+		if (evbuf->length == 0)
+			break;
+		/* Search for event handler */
 		reg = NULL;
 		list_for_each(l, &sclp_reg_list) {
 			reg = list_entry(l, struct sclp_register, list);