From: Greg Kroah-Hartman Date: Mon, 28 Apr 2025 12:05:06 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.293~68 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fd23c0f8f5cadbf3c7647607c36c1e37252fb33d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch kvm-svm-allocate-ir-data-using-atomic-allocation.patch mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch mei-me-add-panther-lake-h-did.patch usb-storage-quirk-for-adata-portable-hdd-ch94.patch virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch
---
diff --git a/queue-5.10/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch b/queue-5.10/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch
new file mode 100644
index 0000000000..c6ad2e5b57
--- /dev/null
+++ b/queue-5.10/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch
@@ -0,0 +1,45 @@
+From 8006aff15516a170640239c5a8e6696c0ba18d8e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?=
+Date: Tue, 22 Apr 2025 11:57:18 +0200
+Subject: crypto: atmel-sha204a - Set hwrng quality to lowest possible
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+commit 8006aff15516a170640239c5a8e6696c0ba18d8e upstream.
+
+According to the review by Bill Cox [1], the Atmel SHA204A random number
+generator produces random numbers with very low entropy.
+
+Set the lowest possible entropy for this chip just to be safe.
+
+[1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
+
+Fixes: da001fb651b00e1d ("crypto: atmel-i2c - add support for SHA204A random number generator")
+Cc:
+Signed-off-by: Marek Behún
+Acked-by: Ard Biesheuvel
+Reviewed-by: Linus Walleij
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/atmel-sha204a.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/crypto/atmel-sha204a.c
++++ b/drivers/crypto/atmel-sha204a.c
+@@ -109,6 +109,12 @@ static int atmel_sha204a_probe(struct i2
+ i2c_priv->hwrng.read = atmel_sha204a_rng_read;
+ i2c_priv->hwrng.quality = 1024;
+
++ /*
++ * According to review by Bill Cox [1], this HWRNG has very low entropy.
++ * [1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
++ */
++ i2c_priv->hwrng.quality = 1;
++
+ ret = devm_hwrng_register(&client->dev, &i2c_priv->hwrng);
+ if (ret)
+ dev_warn(&client->dev, "failed to register RNG (%d)\n", ret);
diff --git a/queue-5.10/kvm-svm-allocate-ir-data-using-atomic-allocation.patch b/queue-5.10/kvm-svm-allocate-ir-data-using-atomic-allocation.patch
new file mode 100644
index 0000000000..63de77f3b0
--- /dev/null
+++ b/queue-5.10/kvm-svm-allocate-ir-data-using-atomic-allocation.patch
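Review bot: In the drivers/crypto/atmel-sha204a.c hunk, the backport keeps the context line `i2c_priv->hwrng.quality = 1024;` and overrides it a few lines later with `= 1`, so the first assignment is a dead store that still reads as though the chip were credited with full entropy. The value that reaches devm_hwrng_register() is 1, so the behaviour is as intended. The 5.10 version would be clearer, and more robust against a later partial revert or context conflict, if the old line were replaced rather than shadowed: drop `i2c_priv->hwrng.quality = 1024;` and keep only the commented `i2c_priv->hwrng.quality = 1;`. atmel_sha204a_probe() starts and ends outside the hunk.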
@@ -0,0 +1,34 @@
+From 7537deda36521fa8fff9133b39c46e31893606f2 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Fri, 4 Apr 2025 12:38:16 -0700
+Subject: KVM: SVM: Allocate IR data using atomic allocation
+
+From: Sean Christopherson
+
+commit 7537deda36521fa8fff9133b39c46e31893606f2 upstream.
+
+Allocate SVM's interrupt remapping metadata using GFP_ATOMIC as
+svm_ir_list_add() is called with IRQs are disabled and irqfs.lock held
+when kvm_irq_routing_update() reacts to GSI routing changes.
+
+Fixes: 411b44ba80ab ("svm: Implements update_pi_irte hook to setup posted interrupt")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-ID: <20250404193923.1413163-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/svm/avic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm/avic.c
++++ b/arch/x86/kvm/svm/avic.c
+@@ -742,7 +742,7 @@ static int svm_ir_list_add(struct vcpu_s
+ * Allocating new amd_iommu_pi_data, which will get
+ * add to the per-vcpu ir_list.
+ */
+- ir = kzalloc(sizeof(struct amd_svm_iommu_ir), GFP_KERNEL_ACCOUNT);
++ ir = kzalloc(sizeof(struct amd_svm_iommu_ir), GFP_ATOMIC | __GFP_ACCOUNT);
+ if (!ir) {
+ ret = -ENOMEM;
+ goto out;
diff --git a/queue-5.10/mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch b/queue-5.10/mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch
new file mode 100644
index 0000000000..91b90307b9
--- /dev/null
+++ b/queue-5.10/mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch
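Review bot: The comment kept above the allocation in svm_ir_list_add() does not say why the allocation must be atomic, and it names amd_iommu_pi_data while the code allocates struct amd_svm_iommu_ir. The reason exists only in the commit message, so I would extend the comment with a line such as `Must not sleep: called with IRQs disabled and irqfs.lock held.` to keep the flags from being changed back to GFP_KERNEL_ACCOUNT later. GFP_ATOMIC allocations fail more readily under memory pressure; the visible `-ENOMEM` branch covers that, but what the `out` label releases cannot be seen here. Both the comment and the function begin outside the hunk.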
@@ -0,0 +1,35 @@
+From 7c7f1bfdb2249f854a736d9b79778c7e5a29a150 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li
+Date: Mon, 10 Mar 2025 09:46:57 +0100
+Subject: mcb: fix a double free bug in chameleon_parse_gdd()
+
+From: Haoxiang Li
+
+commit 7c7f1bfdb2249f854a736d9b79778c7e5a29a150 upstream.
+
+In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev'
+would be released in mcb_device_register() via put_device().
+Thus, goto 'err' label and free 'mdev' again causes a double free.
+Just return if mcb_device_register() fails.
+
+Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus")
+Cc: stable
+Signed-off-by: Haoxiang Li
+Signed-off-by: Johannes Thumshirn
+Link: https://lore.kernel.org/r/6201d09e2975ae5789879f79a6de4c38de9edd4a.1741596225.git.jth@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mcb/mcb-parse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mcb/mcb-parse.c
++++ b/drivers/mcb/mcb-parse.c
+@@ -101,7 +101,7 @@ static int chameleon_parse_gdd(struct mc
+
+ ret = mcb_device_register(bus, mdev);
+ if (ret < 0)
+- goto err;
++ return ret;
+
+ return 0;
+
diff --git a/queue-5.10/mei-me-add-panther-lake-h-did.patch b/queue-5.10/mei-me-add-panther-lake-h-did.patch
new file mode 100644
index 0000000000..e3dbba369f
--- /dev/null
+++ b/queue-5.10/mei-me-add-panther-lake-h-did.patch
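Review bot: The new `return ret;` after a failed mcb_device_register() in chameleon_parse_gdd() carries no comment, and because it bypasses the `err` label that the removed line used, it can look like a leak to the next reader and invite a change back. A one-line comment such as `/* mcb_device_register() drops mdev via put_device() on failure; do not free it again */` would record the ownership rule that is currently stated only in the commit message. Whether `err` releases anything other than mdev cannot be seen here, since the label and the start of the function are outside the hunk; that is worth confirming against the 5.10 tree.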
@@ -0,0 +1,42 @@
+From 86ce5c0a1dec02e21b4c864b2bc0cc5880a2c13c Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin
+Date: Tue, 8 Apr 2025 16:00:05 +0300
+Subject: mei: me: add panther lake H DID
+
+From: Alexander Usyskin
+
+commit 86ce5c0a1dec02e21b4c864b2bc0cc5880a2c13c upstream.
+
+Add Panther Lake H device id.
+
+Cc: stable
+Co-developed-by: Tomas Winkler
+Signed-off-by: Tomas Winkler
+Signed-off-by: Alexander Usyskin
+Link: https://lore.kernel.org/r/20250408130005.1358140-1-alexander.usyskin@intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/mei/hw-me-regs.h | 1 +
+ drivers/misc/mei/pci-me.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -117,6 +117,7 @@
+
+ #define MEI_DEV_ID_LNL_M 0xA870 /* Lunar Lake Point M */
+
++#define MEI_DEV_ID_PTL_H 0xE370 /* Panther Lake H */
+ #define MEI_DEV_ID_PTL_P 0xE470 /* Panther Lake P */
+
+ /*
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -123,6 +123,7 @@ static const struct pci_device_id mei_me
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_LNL_M, MEI_ME_PCH15_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_PTL_H, MEI_ME_PCH15_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_PTL_P, MEI_ME_PCH15_CFG)},
+
+ /* required last entry */
diff --git a/queue-5.10/series b/queue-5.10/series
index 5857af7694..557567f5aa 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -240,3 +240,9 @@ tipc-fix-null-pointer-dereference-in-tipc_mon_reinit.patch
 net_sched-hfsc-fix-a-uaf-vulnerability-in-class-hand.patch
 net_sched-hfsc-fix-a-potential-uaf-in-hfsc_dequeue-t.patch
 iommu-amd-return-an-error-if-vcpu-affinity-is-set-fo.patch
+virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch
+crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch
+kvm-svm-allocate-ir-data-using-atomic-allocation.patch
+mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch
+usb-storage-quirk-for-adata-portable-hdd-ch94.patch
+mei-me-add-panther-lake-h-did.patch
diff --git a/queue-5.10/usb-storage-quirk-for-adata-portable-hdd-ch94.patch b/queue-5.10/usb-storage-quirk-for-adata-portable-hdd-ch94.patch
new file mode 100644
index 0000000000..9c76def8c6
--- /dev/null
+++ b/queue-5.10/usb-storage-quirk-for-adata-portable-hdd-ch94.patch
@@ -0,0 +1,36 @@
+From 9ab75eee1a056f896b87d139044dd103adc532b9 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 3 Apr 2025 19:59:45 +0200
+Subject: USB: storage: quirk for ADATA Portable HDD CH94
+
+From: Oliver Neukum
+
+commit 9ab75eee1a056f896b87d139044dd103adc532b9 upstream.
+
+Version 1.60 specifically needs this quirk.
+Version 2.00 is known good.
+
+Cc: stable
+Signed-off-by: Oliver Neukum
+Link: https://lore.kernel.org/r/20250403180004.343133-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/storage/unusual_uas.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -83,6 +83,13 @@ UNUSUAL_DEV(0x0bc2, 0x331a, 0x0000, 0x99
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_REPORT_LUNS),
+
++/* Reported-by: Oliver Neukum */
++UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x0160,
++ "ADATA",
++ "Portable HDD CH94",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_NO_ATA_1X),
++
+ /* Reported-by: Benjamin Tissoires */
+ UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x9999,
+ "Initio Corporation",
diff --git a/queue-5.10/virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch b/queue-5.10/virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch
new file mode 100644
index 0000000000..9de1cdaec3
--- /dev/null
+++ b/queue-5.10/virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch
@@ -0,0 +1,60 @@
+From fbd3039a64b01b769040677c4fc68badeca8e3b2 Mon Sep 17 00:00:00 2001
+From: Halil Pasic
+Date: Sat, 22 Mar 2025 01:29:54 +0100
+Subject: virtio_console: fix missing byte order handling for cols and rows
+
+From: Halil Pasic
+
+commit fbd3039a64b01b769040677c4fc68badeca8e3b2 upstream.
+
+As per virtio spec the fields cols and rows are specified as little
+endian. Although there is no legacy interface requirement that would
+state that cols and rows need to be handled as native endian when legacy
+interface is used, unlike for the fields of the adjacent struct
+virtio_console_control, I decided to err on the side of caution based
+on some non-conclusive virtio spec repo archaeology and opt for using
+virtio16_to_cpu() much like for virtio_console_control.event. Strictly
+by the letter of the spec virtio_le_to_cpu() would have been sufficient.
+But when the legacy interface is not used, it boils down to the same.
+
+And when using the legacy interface, the device formatting these as
+little endian when the guest is big endian would surprise me more than
+it using guest native byte order (which would make it compatible with
+the current implementation). Nevertheless somebody trying to implement
+the spec following it to the letter could end up forcing little endian
+byte order when the legacy interface is in use. So IMHO this ultimately
+needs a judgement call by the maintainers.
+
+Fixes: 8345adbf96fc1 ("virtio: console: Accept console size along with resize control message")
+Signed-off-by: Halil Pasic
+Cc: stable@vger.kernel.org # v2.6.35+
+Message-Id: <20250322002954.3129282-1-pasic@linux.ibm.com>
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/virtio_console.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -1617,8 +1617,8 @@ static void handle_control_message(struc
+ break;
+ case VIRTIO_CONSOLE_RESIZE: {
+ struct {
+- __u16 rows;
+- __u16 cols;
++ __virtio16 rows;
++ __virtio16 cols;
+ } size;
+
+ if (!is_console_port(port))
+@@ -1626,7 +1626,8 @@ static void handle_control_message(struc
+
+ memcpy(&size, buf->buf + buf->offset + sizeof(*cpkt),
+ sizeof(size));
+- set_console_size(port, virtio16_to_cpu(vdev, size.rows),
++ set_console_size(port, virtio16_to_cpu(vdev, size.rows),
++ virtio16_to_cpu(vdev, size.cols));
+
+ port->cons.hvc->irq_requested = 1;
+ resize_console(port);
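Review bot: In the VIRTIO_CONSOLE_RESIZE case of handle_control_message() in drivers/char/virtio_console.c, the `memcpy()` into `size` reads `sizeof(size)` bytes past the control header, and nothing in the hunk checks that the device actually supplied that many bytes. The commit fixes the byte order of rows and cols but leaves that read as it was, so a short control message from the device would have the values converted from whatever the buffer held before. If no earlier length check exists, a guard before the copy along the lines of `if (buf->len < sizeof(*cpkt) + sizeof(size)) break;` would close this, assuming `buf->len` is the device-reported length. The function starts outside the hunk, so such a check may already be present and should be confirmed in the 5.10 tree.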