5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 3 Oct 2025 13:20:38 +0000 (15:20 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 3 Oct 2025 13:20:38 +0000 (15:20 +0200)
added patches:
media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch

queue-5.4/media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch [new file with mode: 0644]
queue-5.4/scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch b/queue-5.4/media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
new file mode 100644 (file)
index 0000000..6b9b49d
--- /dev/null
@@ -0,0 +1,119 @@
+From 01e03fb7db419d39e18d6090d4873c1bff103914 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Wed, 17 Sep 2025 17:59:26 +0800
+Subject: media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit 01e03fb7db419d39e18d6090d4873c1bff103914 upstream.
+
+The original code uses cancel_delayed_work() in flexcop_pci_remove(), which
+does not guarantee that the delayed work item irq_check_work has fully
+completed if it was already running. This leads to use-after-free scenarios
+where flexcop_pci_remove() may free the flexcop_device while irq_check_work
+is still active and attempts to dereference the device.
+
+A typical race condition is illustrated below:
+
+CPU 0 (remove)                         | CPU 1 (delayed work callback)
+flexcop_pci_remove()                   | flexcop_pci_irq_check_work()
+  cancel_delayed_work()                |
+  flexcop_device_kfree(fc_pci->fc_dev) |
+                                       |   fc = fc_pci->fc_dev; // UAF
+
+This is confirmed by a KASAN report:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
+Write of size 8 at addr ffff8880093aa8c8 by task bash/135
+...
+Call Trace:
+ <IRQ>
+ dump_stack_lvl+0x55/0x70
+ print_report+0xcf/0x610
+ ? __run_timer_base.part.0+0x7d7/0x8c0
+ kasan_report+0xb8/0xf0
+ ? __run_timer_base.part.0+0x7d7/0x8c0
+ __run_timer_base.part.0+0x7d7/0x8c0
+ ? __pfx___run_timer_base.part.0+0x10/0x10
+ ? __pfx_read_tsc+0x10/0x10
+ ? ktime_get+0x60/0x140
+ ? lapic_next_event+0x11/0x20
+ ? clockevents_program_event+0x1d4/0x2a0
+ run_timer_softirq+0xd1/0x190
+ handle_softirqs+0x16a/0x550
+ irq_exit_rcu+0xaf/0xe0
+ sysvec_apic_timer_interrupt+0x70/0x80
+ </IRQ>
+...
+
+Allocated by task 1:
+ kasan_save_stack+0x24/0x50
+ kasan_save_track+0x14/0x30
+ __kasan_kmalloc+0x7f/0x90
+ __kmalloc_noprof+0x1be/0x460
+ flexcop_device_kmalloc+0x54/0xe0
+ flexcop_pci_probe+0x1f/0x9d0
+ local_pci_probe+0xdc/0x190
+ pci_device_probe+0x2fe/0x470
+ really_probe+0x1ca/0x5c0
+ __driver_probe_device+0x248/0x310
+ driver_probe_device+0x44/0x120
+ __driver_attach+0xd2/0x310
+ bus_for_each_dev+0xed/0x170
+ bus_add_driver+0x208/0x500
+ driver_register+0x132/0x460
+ do_one_initcall+0x89/0x300
+ kernel_init_freeable+0x40d/0x720
+ kernel_init+0x1a/0x150
+ ret_from_fork+0x10c/0x1a0
+ ret_from_fork_asm+0x1a/0x30
+
+Freed by task 135:
+ kasan_save_stack+0x24/0x50
+ kasan_save_track+0x14/0x30
+ kasan_save_free_info+0x3a/0x60
+ __kasan_slab_free+0x3f/0x50
+ kfree+0x137/0x370
+ flexcop_device_kfree+0x32/0x50
+ pci_device_remove+0xa6/0x1d0
+ device_release_driver_internal+0xf8/0x210
+ pci_stop_bus_device+0x105/0x150
+ pci_stop_and_remove_bus_device_locked+0x15/0x30
+ remove_store+0xcc/0xe0
+ kernfs_fop_write_iter+0x2c3/0x440
+ vfs_write+0x871/0xd70
+ ksys_write+0xee/0x1c0
+ do_syscall_64+0xac/0x280
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+...
+
+Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
+that the delayed work item is properly canceled and any executing delayed
+work has finished before the device memory is deallocated.
+
+This bug was initially identified through static analysis. To reproduce
+and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced
+artificial delays within the flexcop_pci_irq_check_work() function to
+increase the likelihood of triggering the bug.
+
+Fixes: 382c5546d618 ("V4L/DVB (10694): [PATCH] software IRQ watchdog for Flexcop B2C2 DVB PCI cards")
+Cc: stable@vger.kernel.org
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/b2c2/flexcop-pci.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/pci/b2c2/flexcop-pci.c
++++ b/drivers/media/pci/b2c2/flexcop-pci.c
+@@ -411,7 +411,7 @@ static void flexcop_pci_remove(struct pc
+       struct flexcop_pci *fc_pci = pci_get_drvdata(pdev);
+       if (irq_chk_intv > 0)
+-              cancel_delayed_work(&fc_pci->irq_check_work);
++              cancel_delayed_work_sync(&fc_pci->irq_check_work);
+       flexcop_pci_dma_exit(fc_pci);
+       flexcop_device_exit(fc_pci->fc_dev);
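Review bot: The switch to `cancel_delayed_work_sync()` on the `+` line is still gated by `if (irq_chk_intv > 0)`, so if that module parameter can be changed after probe (its sysfs permissions are not visible in this hunk), a value of 0 at remove time skips the wait and leaves the same use-after-free window open. If the work is initialised unconditionally in probe, calling `cancel_delayed_work_sync(&fc_pci->irq_check_work);` without the guard is harmless for never-queued work and closes that gap; if the `INIT_DELAYED_WORK` is also conditional, the guard has to stay. Either way a one-line comment on the new call would help stable readers, e.g. `/* irq_check_work dereferences fc_pci->fc_dev; it must have finished before the device is freed below */`. flexcop_pci_remove continues past the end of the hunk, so the freeing call the commit message refers to is not visible here.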
diff --git a/queue-5.4/scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch b/queue-5.4/scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
new file mode 100644 (file)
index 0000000..7679d78
--- /dev/null
@@ -0,0 +1,47 @@
+From 27e06650a5eafe832a90fd2604f0c5e920857fae Mon Sep 17 00:00:00 2001
+From: Wang Haoran <haoranwangsec@gmail.com>
+Date: Sat, 20 Sep 2025 15:44:41 +0800
+Subject: scsi: target: target_core_configfs: Add length check to avoid buffer overflow
+
+From: Wang Haoran <haoranwangsec@gmail.com>
+
+commit 27e06650a5eafe832a90fd2604f0c5e920857fae upstream.
+
+A buffer overflow arises from the usage of snprintf to write into the
+buffer "buf" in target_lu_gp_members_show function located in
+/drivers/target/target_core_configfs.c. This buffer is allocated with
+size LU_GROUP_NAME_BUF (256 bytes).
+
+snprintf(...) formats multiple strings into buf with the HBA name
+(hba->hba_group.cg_item), a slash character, a devicename (dev->
+dev_group.cg_item) and a newline character, the total formatted string
+length may exceed the buffer size of 256 bytes.
+
+Since snprintf() returns the total number of bytes that would have been
+written (the length of %s/%sn ), this value may exceed the buffer length
+(256 bytes) passed to memcpy(), this will ultimately cause function
+memcpy reporting a buffer overflow error.
+
+An additional check of the return value of snprintf() can avoid this
+buffer overflow.
+
+Reported-by: Wang Haoran <haoranwangsec@gmail.com>
+Reported-by: ziiiro <yuanmingbuaa@gmail.com>
+Signed-off-by: Wang Haoran <haoranwangsec@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_configfs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_configfs.c
++++ b/drivers/target/target_core_configfs.c
+@@ -2563,7 +2563,7 @@ static ssize_t target_lu_gp_members_show
+                       config_item_name(&dev->dev_group.cg_item));
+               cur_len++; /* Extra byte for NULL terminator */
+-              if ((cur_len + len) > PAGE_SIZE) {
++              if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) {
+                       pr_warn("Ran out of lu_gp_show_attr"
+                               "_members buffer\n");
+                       break;
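Review bot: The new `cur_len > LU_GROUP_NAME_BUF` test on the `+` line shares the branch that prints `Ran out of lu_gp_show_attr_members buffer` and breaks, so an HBA/device name pair that does not fit in LU_GROUP_NAME_BUF is reported as the page filling up and also stops enumeration of every later member; a separate check before the existing PAGE_SIZE test would make the truncation visible, e.g. `if (cur_len > LU_GROUP_NAME_BUF) { pr_warn("lu_gp member name truncated\n"); break; }`. The bound itself is correct: after the `cur_len++` on the preceding line, cur_len is the snprintf return value plus one, so it exceeds LU_GROUP_NAME_BUF exactly when snprintf truncated, and the memcpy that follows the hunk can no longer read past the buffer. Whether `continue` (skip only that entry) would be safer than `break` depends on the enclosing loop and any lock held around it, both of which start outside the hunk. target_lu_gp_members_show begins before and ends after this hunk.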
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..d204733d6917b5c8e7f3a49c1a3cd3f491e836c7 100644 (file)
@@ -0,0 +1,2 @@
+scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
+media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch