From: Greg Kroah-Hartman Date: Mon, 28 Apr 2025 12:04:50 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.4.293~69 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f790fda2cf07613c3df781dc1c7807bcddfa4d32;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch usb-storage-quirk-for-adata-portable-hdd-ch94.patch virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch --- diff --git a/queue-5.4/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch b/queue-5.4/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch new file mode 100644 index 0000000000..c6ad2e5b57 --- /dev/null +++ b/queue-5.4/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch @@ -0,0 +1,45 @@ +From 8006aff15516a170640239c5a8e6696c0ba18d8e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Beh=C3=BAn?= +Date: Tue, 22 Apr 2025 11:57:18 +0200 +Subject: crypto: atmel-sha204a - Set hwrng quality to lowest possible +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +commit 8006aff15516a170640239c5a8e6696c0ba18d8e upstream. + +According to the review by Bill Cox [1], the Atmel SHA204A random number +generator produces random numbers with very low entropy. + +Set the lowest possible entropy for this chip just to be safe. + +[1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html + +Fixes: da001fb651b00e1d ("crypto: atmel-i2c - add support for SHA204A random number generator") +Cc: +Signed-off-by: Marek Behún +Acked-by: Ard Biesheuvel +Reviewed-by: Linus Walleij +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/atmel-sha204a.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/crypto/atmel-sha204a.c ++++ b/drivers/crypto/atmel-sha204a.c +@@ -109,6 +109,12 @@ static int atmel_sha204a_probe(struct i2 + i2c_priv->hwrng.read = atmel_sha204a_rng_read; + i2c_priv->hwrng.quality = 1024; + ++ /* ++ * According to review by Bill Cox [1], this HWRNG has very low entropy. ++ * [1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html ++ */ ++ i2c_priv->hwrng.quality = 1; ++ + ret = devm_hwrng_register(&client->dev, &i2c_priv->hwrng); + if (ret) + dev_warn(&client->dev, "failed to register RNG (%d)\n", ret); diff --git a/queue-5.4/mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch b/queue-5.4/mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch new file mode 100644 index 0000000000..91b90307b9 --- /dev/null +++ b/queue-5.4/mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch @@ -0,0 +1,35 @@ +From 7c7f1bfdb2249f854a736d9b79778c7e5a29a150 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Mon, 10 Mar 2025 09:46:57 +0100 +Subject: mcb: fix a double free bug in chameleon_parse_gdd() + +From: Haoxiang Li + +commit 7c7f1bfdb2249f854a736d9b79778c7e5a29a150 upstream. + +In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev' +would be released in mcb_device_register() via put_device(). +Thus, goto 'err' label and free 'mdev' again causes a double free. +Just return if mcb_device_register() fails. + +Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus") +Cc: stable +Signed-off-by: Haoxiang Li +Signed-off-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/6201d09e2975ae5789879f79a6de4c38de9edd4a.1741596225.git.jth@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mcb/mcb-parse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mcb/mcb-parse.c ++++ b/drivers/mcb/mcb-parse.c +@@ -101,7 +101,7 @@ static int chameleon_parse_gdd(struct mc + + ret = mcb_device_register(bus, mdev); + if (ret < 0) +- goto err; ++ return ret; + + return 0; + diff --git a/queue-5.4/series b/queue-5.4/series index 99fbe16b1c..ff11b2cbaa 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -143,3 +143,7 @@ net-phy-leds-fix-memory-leak.patch tipc-fix-null-pointer-dereference-in-tipc_mon_reinit.patch net_sched-hfsc-fix-a-uaf-vulnerability-in-class-hand.patch net_sched-hfsc-fix-a-potential-uaf-in-hfsc_dequeue-t.patch +virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch +crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch +mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch +usb-storage-quirk-for-adata-portable-hdd-ch94.patch diff --git a/queue-5.4/usb-storage-quirk-for-adata-portable-hdd-ch94.patch b/queue-5.4/usb-storage-quirk-for-adata-portable-hdd-ch94.patch new file mode 100644 index 0000000000..9c76def8c6 --- /dev/null +++ b/queue-5.4/usb-storage-quirk-for-adata-portable-hdd-ch94.patch @@ -0,0 +1,36 @@ +From 9ab75eee1a056f896b87d139044dd103adc532b9 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 3 Apr 2025 19:59:45 +0200 +Subject: USB: storage: quirk for ADATA Portable HDD CH94 + +From: Oliver Neukum + +commit 9ab75eee1a056f896b87d139044dd103adc532b9 upstream. + +Version 1.60 specifically needs this quirk. +Version 2.00 is known good. + +Cc: stable +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20250403180004.343133-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/unusual_uas.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -83,6 +83,13 @@ UNUSUAL_DEV(0x0bc2, 0x331a, 0x0000, 0x99 + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_NO_REPORT_LUNS), + ++/* Reported-by: Oliver Neukum */ ++UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x0160, ++ "ADATA", ++ "Portable HDD CH94", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_NO_ATA_1X), ++ + /* Reported-by: Benjamin Tissoires */ + UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x9999, + "Initio Corporation", diff --git a/queue-5.4/virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch b/queue-5.4/virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch new file mode 100644 index 0000000000..dff87f88ab --- /dev/null +++ b/queue-5.4/virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch @@ -0,0 +1,60 @@ +From fbd3039a64b01b769040677c4fc68badeca8e3b2 Mon Sep 17 00:00:00 2001 +From: Halil Pasic +Date: Sat, 22 Mar 2025 01:29:54 +0100 +Subject: virtio_console: fix missing byte order handling for cols and rows + +From: Halil Pasic + +commit fbd3039a64b01b769040677c4fc68badeca8e3b2 upstream. + +As per virtio spec the fields cols and rows are specified as little +endian. Although there is no legacy interface requirement that would +state that cols and rows need to be handled as native endian when legacy +interface is used, unlike for the fields of the adjacent struct +virtio_console_control, I decided to err on the side of caution based +on some non-conclusive virtio spec repo archaeology and opt for using +virtio16_to_cpu() much like for virtio_console_control.event. Strictly +by the letter of the spec virtio_le_to_cpu() would have been sufficient. +But when the legacy interface is not used, it boils down to the same. + +And when using the legacy interface, the device formatting these as +little endian when the guest is big endian would surprise me more than +it using guest native byte order (which would make it compatible with +the current implementation). Nevertheless somebody trying to implement +the spec following it to the letter could end up forcing little endian +byte order when the legacy interface is in use. So IMHO this ultimately +needs a judgement call by the maintainers. + +Fixes: 8345adbf96fc1 ("virtio: console: Accept console size along with resize control message") +Signed-off-by: Halil Pasic +Cc: stable@vger.kernel.org # v2.6.35+ +Message-Id: <20250322002954.3129282-1-pasic@linux.ibm.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/virtio_console.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -1619,8 +1619,8 @@ static void handle_control_message(struc + break; + case VIRTIO_CONSOLE_RESIZE: { + struct { +- __u16 rows; +- __u16 cols; ++ __virtio16 rows; ++ __virtio16 cols; + } size; + + if (!is_console_port(port)) +@@ -1628,7 +1628,8 @@ static void handle_control_message(struc + + memcpy(&size, buf->buf + buf->offset + sizeof(*cpkt), + sizeof(size)); +- set_console_size(port, size.rows, size.cols); ++ set_console_size(port, virtio16_to_cpu(vdev, size.rows), ++ virtio16_to_cpu(vdev, size.cols)); + + port->cons.hvc->irq_requested = 1; + resize_console(port);