From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 1 Apr 2024 09:09:03 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v6.7.12~70
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5d35b37458fc3e69c3295af082d9f2da797e8766;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	scsi-core-fix-unremoved-procfs-host-directory-regression.patch
	staging-vc04_services-changen-strncpy-to-strscpy_pad.patch
	staging-vc04_services-fix-information-leak-in-create_component.patch
---

diff --git a/queue-6.1/scsi-core-fix-unremoved-procfs-host-directory-regression.patch b/queue-6.1/scsi-core-fix-unremoved-procfs-host-directory-regression.patch
new file mode 100644
index 00000000000..3116e1958ca
--- /dev/null
+++ b/queue-6.1/scsi-core-fix-unremoved-procfs-host-directory-regression.patch
@@ -0,0 +1,80 @@
+From f23a4d6e07570826fe95023ca1aa96a011fa9f84 Mon Sep 17 00:00:00 2001
+From: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
+Date: Wed, 13 Mar 2024 08:21:20 -0300
+Subject: scsi: core: Fix unremoved procfs host directory regression
+
+From: Guilherme G. Piccoli <gpiccoli@igalia.com>
+
+commit f23a4d6e07570826fe95023ca1aa96a011fa9f84 upstream.
+
+Commit fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name}
+directory earlier") fixed a bug related to modules loading/unloading, by
+adding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led
+to a potential duplicate call to the hostdir_rm() routine, since it's also
+called from scsi_host_dev_release(). That triggered a regression report,
+which was then fixed by commit be03df3d4bfe ("scsi: core: Fix a procfs host
+directory removal regression"). The fix just dropped the hostdir_rm() call
+from dev_release().
+
+But it happens that this proc directory is created on scsi_host_alloc(),
+and that function "pairs" with scsi_host_dev_release(), while
+scsi_remove_host() pairs with scsi_add_host(). In other words, it seems the
+reason for removing the proc directory on dev_release() was meant to cover
+cases in which a SCSI host structure was allocated, but the call to
+scsi_add_host() didn't happen. And that pattern happens to exist in some
+error paths, for example.
+
+Syzkaller causes that by using USB raw gadget device, error'ing on
+usb-storage driver, at usb_stor_probe2(). By checking that path, we can see
+that the BadDevice label leads to a scsi_host_put() after a SCSI host
+allocation, but there's no call to scsi_add_host() in such path. That leads
+to messages like this in dmesg (and a leak of the SCSI host proc
+structure):
+
+usb-storage 4-1:87.51: USB Mass Storage device detected
+proc_dir_entry 'scsi/usb-storage' already registered
+WARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376
+
+The proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),
+but guard that with the state check for SHOST_CREATED; there is even a
+comment in scsi_host_dev_release() detailing that: such conditional is
+meant for cases where the SCSI host was allocated but there was no calls to
+{add,remove}_host(), like the usb-storage case.
+
+This is what we propose here and with that, the error path of usb-storage
+does not trigger the warning anymore.
+
+Reported-by: syzbot+c645abf505ed21f931b5@syzkaller.appspotmail.com
+Fixes: be03df3d4bfe ("scsi: core: Fix a procfs host directory removal regression")
+Cc: stable@vger.kernel.org
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: John Garry <john.g.garry@oracle.com>
+Cc: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
+Link: https://lore.kernel.org/r/20240313113006.2834799-1-gpiccoli@igalia.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hosts.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -353,12 +353,13 @@ static void scsi_host_dev_release(struct
+ 
+ 	if (shost->shost_state == SHOST_CREATED) {
+ 		/*
+-		 * Free the shost_dev device name here if scsi_host_alloc()
+-		 * and scsi_host_put() have been called but neither
++		 * Free the shost_dev device name and remove the proc host dir
++		 * here if scsi_host_{alloc,put}() have been called but neither
+ 		 * scsi_host_add() nor scsi_host_remove() has been called.
+ 		 * This avoids that the memory allocated for the shost_dev
+-		 * name is leaked.
++		 * name as well as the proc dir structure are leaked.
+ 		 */
++		scsi_proc_hostdir_rm(shost->hostt);
+ 		kfree(dev_name(&shost->shost_dev));
+ 	}
+ 
diff --git a/queue-6.1/series b/queue-6.1/series
index 21fdc843111..e7cdef4efad 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -234,3 +234,6 @@ usb-uas-return-enodev-when-submit-urbs-fail-with-device-not-attached.patch
 usb-dwc3-am62-rename-private-data.patch
 usb-dwc3-am62-fix-module-unload-reload-behavior.patch
 alsa-sh-aica-reorder-cleanup-operations-to-avoid-uaf-bugs.patch
+scsi-core-fix-unremoved-procfs-host-directory-regression.patch
+staging-vc04_services-changen-strncpy-to-strscpy_pad.patch
+staging-vc04_services-fix-information-leak-in-create_component.patch
diff --git a/queue-6.1/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch b/queue-6.1/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch
new file mode 100644
index 00000000000..b05cc5c7dc2
--- /dev/null
+++ b/queue-6.1/staging-vc04_services-changen-strncpy-to-strscpy_pad.patch
@@ -0,0 +1,42 @@
+From ef25725b7f8aaffd7756974d3246ec44fae0a5cf Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 13 Mar 2024 17:36:56 +0100
+Subject: staging: vc04_services: changen strncpy() to strscpy_pad()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit ef25725b7f8aaffd7756974d3246ec44fae0a5cf upstream.
+
+gcc-14 warns about this strncpy() that results in a non-terminated
+string for an overflow:
+
+In file included from include/linux/string.h:369,
+                 from drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:20:
+In function 'strncpy',
+    inlined from 'create_component' at drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c:940:2:
+include/linux/fortify-string.h:108:33: error: '__builtin_strncpy' specified bound 128 equals destination size [-Werror=stringop-truncation]
+
+Change it to strscpy_pad(), which produces a properly terminated and
+zero-padded string.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20240313163712.224585-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
+@@ -938,8 +938,8 @@ static int create_component(struct vchiq
+ 	/* build component create message */
+ 	m.h.type = MMAL_MSG_TYPE_COMPONENT_CREATE;
+ 	m.u.component_create.client_component = component->client_component;
+-	strncpy(m.u.component_create.name, name,
+-		sizeof(m.u.component_create.name));
++	strscpy_pad(m.u.component_create.name, name,
++		    sizeof(m.u.component_create.name));
+ 
+ 	ret = send_synchronous_mmal_msg(instance, &m,
+ 					sizeof(m.u.component_create),
diff --git a/queue-6.1/staging-vc04_services-fix-information-leak-in-create_component.patch b/queue-6.1/staging-vc04_services-fix-information-leak-in-create_component.patch
new file mode 100644
index 00000000000..d96b429334f
--- /dev/null
+++ b/queue-6.1/staging-vc04_services-fix-information-leak-in-create_component.patch
@@ -0,0 +1,33 @@
+From f37e76abd614b68987abc8e5c22d986013349771 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Wed, 13 Mar 2024 21:07:43 +0300
+Subject: staging: vc04_services: fix information leak in create_component()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit f37e76abd614b68987abc8e5c22d986013349771 upstream.
+
+The m.u.component_create.pid field is for debugging and in the mainline
+kernel it's not used anything.  However, it still needs to be set to
+something to prevent disclosing uninitialized stack data.  Set it to
+zero.
+
+Fixes: 7b3ad5abf027 ("staging: Import the BCM2835 MMAL-based V4L2 camera driver.")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/2d972847-9ebd-481b-b6f9-af390f5aabd3@moroto.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
++++ b/drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c
+@@ -940,6 +940,7 @@ static int create_component(struct vchiq
+ 	m.u.component_create.client_component = component->client_component;
+ 	strscpy_pad(m.u.component_create.name, name,
+ 		    sizeof(m.u.component_create.name));
++	m.u.component_create.pid = 0;
+ 
+ 	ret = send_synchronous_mmal_msg(instance, &m,
+ 					sizeof(m.u.component_create),