--- /dev/null
+From 68279380266a5fa70e664de754503338e2ec3f43 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Thu, 3 Jul 2025 10:23:16 -0700
+Subject: crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit 68279380266a5fa70e664de754503338e2ec3f43 upstream.
+
+Commit 88c02b3f79a6 ("s390/sha3: Support sha3 performance enhancements")
+added the field s390_sha_ctx::first_message_part and made it be used by
+s390_sha_update() (now s390_sha_update_blocks()). At the time,
+s390_sha_update() was used by all the s390 SHA-1, SHA-2, and SHA-3
+algorithms. However, only the initialization functions for SHA-3 were
+updated, leaving SHA-1 and SHA-2 using first_message_part uninitialized.
+
+This could cause e.g. the function code CPACF_KIMD_SHA_512 |
+CPACF_KIMD_NIP to be used instead of just CPACF_KIMD_SHA_512. This
+apparently was harmless, as the SHA-1 and SHA-2 function codes ignore
+CPACF_KIMD_NIP; it is recognized only by the SHA-3 function codes
+(https://lore.kernel.org/r/73477fe9-a1dc-4e38-98a6-eba9921e8afa@linux.ibm.com/).
+Therefore, this bug was found only when first_message_part was later
+converted to a boolean and UBSAN detected its uninitialized use.
+Regardless, let's fix this by just initializing to zero.
+
+Note: in 6.16, we need to patch SHA-1, SHA-384, and SHA-512. In 6.15
+and earlier, we'll also need to patch SHA-224 and SHA-256, as they
+hadn't yet been librarified (which incidentally fixed this bug).
+
+Fixes: 88c02b3f79a6 ("s390/sha3: Support sha3 performance enhancements")
+Cc: stable@vger.kernel.org
+Reported-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Closes: https://lore.kernel.org/r/12740696-595c-4604-873e-aefe8b405fbf@linux.ibm.com
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250703172316.7914-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/crypto/sha1_s390.c | 2 ++
+ arch/s390/crypto/sha256_s390.c | 3 +++
+ arch/s390/crypto/sha512_s390.c | 3 +++
+ 3 files changed, 8 insertions(+)
+
+--- a/arch/s390/crypto/sha1_s390.c
++++ b/arch/s390/crypto/sha1_s390.c
+@@ -38,6 +38,7 @@ static int s390_sha1_init(struct shash_d
+ sctx->state[4] = SHA1_H4;
+ sctx->count = 0;
+ sctx->func = CPACF_KIMD_SHA_1;
++ sctx->first_message_part = 0;
+
+ return 0;
+ }
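Review bot: Each init and import routine has to remember to clear `first_message_part` by hand, which is the same kind of omission that left the field uninitialized in the first place. This hunk in s390_sha1_init and the matching ones in s390_sha1_import, sha256_s390.c and sha512_s390.c repeat the line eight times. A short comment at each site would record why a field that only SHA-3 acts on is set here, for example `/* only SHA-3 honours CPACF_KIMD_NIP, but the shared update path reads this for every algorithm */`. Longer term, one small helper that sets `func` and clears `first_message_part` together would keep a later addition to s390_sha_ctx from being missed by some algorithms again. The function bodies start outside the hunks.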
+@@ -62,6 +63,7 @@ static int s390_sha1_import(struct shash
+ memcpy(sctx->state, ictx->state, sizeof(ictx->state));
+ memcpy(sctx->buf, ictx->buffer, sizeof(ictx->buffer));
+ sctx->func = CPACF_KIMD_SHA_1;
++ sctx->first_message_part = 0;
+ return 0;
+ }
+
+--- a/arch/s390/crypto/sha256_s390.c
++++ b/arch/s390/crypto/sha256_s390.c
+@@ -31,6 +31,7 @@ static int s390_sha256_init(struct shash
+ sctx->state[7] = SHA256_H7;
+ sctx->count = 0;
+ sctx->func = CPACF_KIMD_SHA_256;
++ sctx->first_message_part = 0;
+
+ return 0;
+ }
+@@ -55,6 +56,7 @@ static int sha256_import(struct shash_de
+ memcpy(sctx->state, ictx->state, sizeof(ictx->state));
+ memcpy(sctx->buf, ictx->buf, sizeof(ictx->buf));
+ sctx->func = CPACF_KIMD_SHA_256;
++ sctx->first_message_part = 0;
+ return 0;
+ }
+
+@@ -90,6 +92,7 @@ static int s390_sha224_init(struct shash
+ sctx->state[7] = SHA224_H7;
+ sctx->count = 0;
+ sctx->func = CPACF_KIMD_SHA_256;
++ sctx->first_message_part = 0;
+
+ return 0;
+ }
+--- a/arch/s390/crypto/sha512_s390.c
++++ b/arch/s390/crypto/sha512_s390.c
+@@ -32,6 +32,7 @@ static int sha512_init(struct shash_desc
+ *(__u64 *)&ctx->state[14] = SHA512_H7;
+ ctx->count = 0;
+ ctx->func = CPACF_KIMD_SHA_512;
++ ctx->first_message_part = 0;
+
+ return 0;
+ }
+@@ -60,6 +61,7 @@ static int sha512_import(struct shash_de
+ memcpy(sctx->state, ictx->state, sizeof(ictx->state));
+ memcpy(sctx->buf, ictx->buf, sizeof(ictx->buf));
+ sctx->func = CPACF_KIMD_SHA_512;
++ sctx->first_message_part = 0;
+ return 0;
+ }
+
+@@ -97,6 +99,7 @@ static int sha384_init(struct shash_desc
+ *(__u64 *)&ctx->state[14] = SHA384_H7;
+ ctx->count = 0;
+ ctx->func = CPACF_KIMD_SHA_512;
++ ctx->first_message_part = 0;
+
+ return 0;
+ }
--- /dev/null
+From 25f602fbbcc8271f6e72211b54808ba21e677762 Mon Sep 17 00:00:00 2001
+From: Flora Cui <flora.cui@amd.com>
+Date: Tue, 11 Mar 2025 13:44:08 +0800
+Subject: drm/amdgpu/discovery: use specific ip_discovery.bin for legacy asics
+
+From: Flora Cui <flora.cui@amd.com>
+
+commit 25f602fbbcc8271f6e72211b54808ba21e677762 upstream.
+
+vega10/vega12/vega20/raven/raven2/picasso/arcturus/aldebaran
+
+Signed-off-by: Flora Cui <flora.cui@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: Jonathan Gray <jsg@jsg.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 28 +++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
+@@ -112,6 +112,12 @@
+ #endif
+
+ MODULE_FIRMWARE("amdgpu/ip_discovery.bin");
++MODULE_FIRMWARE("amdgpu/vega10_ip_discovery.bin");
++MODULE_FIRMWARE("amdgpu/vega12_ip_discovery.bin");
++MODULE_FIRMWARE("amdgpu/vega20_ip_discovery.bin");
++MODULE_FIRMWARE("amdgpu/raven_ip_discovery.bin");
++MODULE_FIRMWARE("amdgpu/raven2_ip_discovery.bin");
++MODULE_FIRMWARE("amdgpu/picasso_ip_discovery.bin");
+
+ #define mmIP_DISCOVERY_VERSION 0x16A00
+ #define mmRCC_CONFIG_MEMSIZE 0xde3
+@@ -400,7 +406,27 @@ static const char *amdgpu_discovery_get_
+ if (amdgpu_discovery == 2)
+ return "amdgpu/ip_discovery.bin";
+
+- return NULL;
++ switch (adev->asic_type) {
++ case CHIP_VEGA10:
++ return "amdgpu/vega10_ip_discovery.bin";
++ case CHIP_VEGA12:
++ return "amdgpu/vega12_ip_discovery.bin";
++ case CHIP_RAVEN:
++ if (adev->apu_flags & AMD_APU_IS_RAVEN2)
++ return "amdgpu/raven2_ip_discovery.bin";
++ else if (adev->apu_flags & AMD_APU_IS_PICASSO)
++ return "amdgpu/picasso_ip_discovery.bin";
++ else
++ return "amdgpu/raven_ip_discovery.bin";
++ case CHIP_VEGA20:
++ return "amdgpu/vega20_ip_discovery.bin";
++ case CHIP_ARCTURUS:
++ return "amdgpu/arcturus_ip_discovery.bin";
++ case CHIP_ALDEBARAN:
++ return "amdgpu/aldebaran_ip_discovery.bin";
++ default:
++ return NULL;
++ }
+ }
+
+ static int amdgpu_discovery_init(struct amdgpu_device *adev)
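Review bot: With this switch, amdgpu_discovery_get_fw_name() returns a file name for CHIP_VEGA10 through CHIP_ALDEBARAN where it used to return NULL, so those ASICs now take whatever path the caller uses for a file-backed discovery table. The caller is outside the hunk. It is worth confirming that it fails cleanly when the file is missing from the firmware directory or initramfs, and that any size and checksum validation of the discovery binary runs before a file-supplied table is parsed. Separately, the `else if`/`else` after `return` in the CHIP_RAVEN case can be flattened to plain `if (...) return ...;` lines followed by `return "amdgpu/raven_ip_discovery.bin";`, which is the usual kernel style.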
--- /dev/null
+From 2f6dd741cdcdadb9e125cc66d4fcfbe5ab92d36a Mon Sep 17 00:00:00 2001
+From: Flora Cui <flora.cui@amd.com>
+Date: Wed, 26 Mar 2025 20:06:13 +0800
+Subject: drm/amdgpu/ip_discovery: add missing ip_discovery fw
+
+From: Flora Cui <flora.cui@amd.com>
+
+commit 2f6dd741cdcdadb9e125cc66d4fcfbe5ab92d36a upstream.
+
+Signed-off-by: Flora Cui <flora.cui@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: Jonathan Gray <jsg@jsg.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
+@@ -118,6 +118,8 @@ MODULE_FIRMWARE("amdgpu/vega20_ip_discov
+ MODULE_FIRMWARE("amdgpu/raven_ip_discovery.bin");
+ MODULE_FIRMWARE("amdgpu/raven2_ip_discovery.bin");
+ MODULE_FIRMWARE("amdgpu/picasso_ip_discovery.bin");
++MODULE_FIRMWARE("amdgpu/arcturus_ip_discovery.bin");
++MODULE_FIRMWARE("amdgpu/aldebaran_ip_discovery.bin");
+
+ #define mmIP_DISCOVERY_VERSION 0x16A00
+ #define mmRCC_CONFIG_MEMSIZE 0xde3
eventpoll-don-t-decrement-ep-refcount-while-still-holding-the-ep-mutex.patch
drm-exynos-exynos7_drm_decon-add-vblank-check-in-irq-handling.patch
+x86-cpu-amd-properly-check-the-tsa-microcode.patch
+drm-amdgpu-discovery-use-specific-ip_discovery.bin-for-legacy-asics.patch
+drm-amdgpu-ip_discovery-add-missing-ip_discovery-fw.patch
+crypto-s390-sha-fix-uninitialized-variable-in-sha-1-and-sha-2.patch
--- /dev/null
+From bp@alien8.de Sat Jul 12 14:01:48 2025
+From: Borislav Petkov <bp@alien8.de>
+Date: Fri, 11 Jul 2025 21:18:44 +0200
+Subject: x86/CPU/AMD: Properly check the TSA microcode
+To: stable@vger.kernel.org
+Cc: Thomas Voegtle <tv@lio96.de>, kim.phillips@amd.com
+Message-ID: <20250711191844.GIaHFjlJiQi_HxyyWG@fat_crate.local>
+Content-Disposition: inline
+
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+
+In order to simplify backports, I resorted to an older version of the
+microcode revision checking which didn't pull in the whole struct
+x86_cpu_id matching machinery.
+
+My simpler method, however, forgot to add the extended CPU model to the
+patch revision, which lead to mismatches when determining whether TSA
+mitigation support is present.
+
+So add that forgotten extended model.
+
+This is a stable-only fix and the preference is to do it this way
+because it is a lot simpler. Also, the Fixes: tag below points to the
+respective stable patch.
+
+Fixes: 7a0395f6607a ("x86/bugs: Add a Transient Scheduler Attacks mitigation")
+Reported-by: Thomas Voegtle <tv@lio96.de>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Tested-by: Thomas Voegtle <tv@lio96.de>
+Message-ID: <04ea0a8e-edb0-c59e-ce21-5f3d5d167af3@lio96.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/amd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -376,6 +376,7 @@ static bool amd_check_tsa_microcode(void
+
+ p.ext_fam = c->x86 - 0xf;
+ p.model = c->x86_model;
++ p.ext_model = c->x86_model >> 4;
+ p.stepping = c->x86_stepping;
+
+ if (cpu_has(c, X86_FEATURE_ZEN3) ||
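Review bot: `p.model = c->x86_model;` on the context line above the new assignment appears to rely on the destination field being narrower than `x86_model` to drop the high nibble, which is what made the missing `ext_model` easy to overlook. The definition of `p` is outside the hunk, so this is inferred. Writing the split explicitly, `p.model = c->x86_model & 0xf;` and `p.ext_model = (c->x86_model >> 4) & 0xf;`, or adding a comment such as `/* x86_model holds (ext_model << 4) | model */`, would make the encoding visible where the revision for the TSA mitigation check is built. amd_check_tsa_microcode() continues past the end of the hunk.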