s390 fixes for 6.16-rc4

- Fix incorrectly dropped dereferencing of the stack nth entry
   introduced with a previous KASAN false positive fix
 
 - Use a proper memdup_array_user() helper to prevent overflow
   in a protected key size calculation
 -----BEGIN PGP SIGNATURE-----
 
 iI0EABYKADUWIQQrtrZiYVkVzKQcYivNdxKlNrRb8AUCaF1tnRccYWdvcmRlZXZA
 bGludXguaWJtLmNvbQAKCRDNdxKlNrRb8LQXAP47ZqfoOoWig2uO3j2JuEOLF7fo
 9Pvp1593fgpX1+BlowEAw6zRb1KF4hRcuOI/9rUD2AE6Xjh/xTE6qa7hR8GHHgA=
 =Q5GY
 -----END PGP SIGNATURE-----

Merge tag 's390-6.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 fixes from Alexander Gordeev:

 - Fix incorrectly dropped dereferencing of the stack nth entry
   introduced with a previous KASAN false positive fix

 - Use a proper memdup_array_user() helper to prevent overflow in a
   protected key size calculation

* tag 's390-6.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/ptrace: Fix pointer dereferencing in regs_get_kernel_stack_nth()
  s390/pkey: Prevent overflow in size calculation for memdup_user()

arch/s390/include/asm/ptrace.h

@@ -265,7 +265,7 @@ static __always_inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *r
 	addr = kernel_stack_pointer(regs) + n * sizeof(long);
 	if (!regs_within_kernel_stack(regs, addr))
 		return 0;
-	return READ_ONCE_NOCHECK(addr);
+	return READ_ONCE_NOCHECK(*(unsigned long *)addr);
 }
 
 /**

drivers/s390/crypto/pkey_api.c

@@ -86,7 +86,7 @@ static void *_copy_apqns_from_user(void __user *uapqns, size_t nr_apqns)
 	if (!uapqns || nr_apqns == 0)
 		return NULL;
 
-	return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn));
+	return memdup_array_user(uapqns, nr_apqns, sizeof(struct pkey_apqn));
 }
 
 static int pkey_ioctl_genseck(struct pkey_genseck __user *ugs)