From a7d37cbcd68da143dc390cd74c25864e483e3d7e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 3 Oct 2025 15:20:38 +0200
Subject: [PATCH] 5.4-stable patches
added patches:
media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
---
 ...irq_check_work-in-flexcop_pci_remove.patch | 119 ++++++++++++++++++
 ...ength-check-to-avoid-buffer-overflow.patch | 47 +++++++
 queue-5.4/series | 2 +
 3 files changed, 168 insertions(+)
 create mode 100644 queue-5.4/media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
 create mode 100644 queue-5.4/scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
diff --git a/queue-5.4/media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch b/queue-5.4/media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
new file mode 100644
index 00000000000..6b9b49d456a
--- /dev/null
+++ b/queue-5.4/media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
@@ -0,0 +1,119 @@
+From 01e03fb7db419d39e18d6090d4873c1bff103914 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Wed, 17 Sep 2025 17:59:26 +0800
+Subject: media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove
+
+From: Duoming Zhou
+
+commit 01e03fb7db419d39e18d6090d4873c1bff103914 upstream.
+
+The original code uses cancel_delayed_work() in flexcop_pci_remove(), which
+does not guarantee that the delayed work item irq_check_work has fully
+completed if it was already running. This leads to use-after-free scenarios
+where flexcop_pci_remove() may free the flexcop_device while irq_check_work
+is still active and attempts to dereference the device.
+
+A typical race condition is illustrated below:
+
+CPU 0 (remove) | CPU 1 (delayed work callback)
+flexcop_pci_remove() | flexcop_pci_irq_check_work()
+ cancel_delayed_work() |
+ flexcop_device_kfree(fc_pci->fc_dev) |
+ | fc = fc_pci->fc_dev; // UAF
+
+This is confirmed by a KASAN report:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
+Write of size 8 at addr ffff8880093aa8c8 by task bash/135
+...
+Call Trace:
+
+ dump_stack_lvl+0x55/0x70
+ print_report+0xcf/0x610
+ ? __run_timer_base.part.0+0x7d7/0x8c0
+ kasan_report+0xb8/0xf0
+ ? __run_timer_base.part.0+0x7d7/0x8c0
+ __run_timer_base.part.0+0x7d7/0x8c0
+ ? __pfx___run_timer_base.part.0+0x10/0x10
+ ? __pfx_read_tsc+0x10/0x10
+ ? ktime_get+0x60/0x140
+ ? lapic_next_event+0x11/0x20
+ ? clockevents_program_event+0x1d4/0x2a0
+ run_timer_softirq+0xd1/0x190
+ handle_softirqs+0x16a/0x550
+ irq_exit_rcu+0xaf/0xe0
+ sysvec_apic_timer_interrupt+0x70/0x80
+
+...
+
+Allocated by task 1:
+ kasan_save_stack+0x24/0x50
+ kasan_save_track+0x14/0x30
+ __kasan_kmalloc+0x7f/0x90
+ __kmalloc_noprof+0x1be/0x460
+ flexcop_device_kmalloc+0x54/0xe0
+ flexcop_pci_probe+0x1f/0x9d0
+ local_pci_probe+0xdc/0x190
+ pci_device_probe+0x2fe/0x470
+ really_probe+0x1ca/0x5c0
+ __driver_probe_device+0x248/0x310
+ driver_probe_device+0x44/0x120
+ __driver_attach+0xd2/0x310
+ bus_for_each_dev+0xed/0x170
+ bus_add_driver+0x208/0x500
+ driver_register+0x132/0x460
+ do_one_initcall+0x89/0x300
+ kernel_init_freeable+0x40d/0x720
+ kernel_init+0x1a/0x150
+ ret_from_fork+0x10c/0x1a0
+ ret_from_fork_asm+0x1a/0x30
+
+Freed by task 135:
+ kasan_save_stack+0x24/0x50
+ kasan_save_track+0x14/0x30
+ kasan_save_free_info+0x3a/0x60
+ __kasan_slab_free+0x3f/0x50
+ kfree+0x137/0x370
+ flexcop_device_kfree+0x32/0x50
+ pci_device_remove+0xa6/0x1d0
+ device_release_driver_internal+0xf8/0x210
+ pci_stop_bus_device+0x105/0x150
+ pci_stop_and_remove_bus_device_locked+0x15/0x30
+ remove_store+0xcc/0xe0
+ kernfs_fop_write_iter+0x2c3/0x440
+ vfs_write+0x871/0xd70
+ ksys_write+0xee/0x1c0
+ do_syscall_64+0xac/0x280
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+...
+
+Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
+that the delayed work item is properly canceled and any executing delayed
+work has finished before the device memory is deallocated.
+
+This bug was initially identified through static analysis. To reproduce
+and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced
+artificial delays within the flexcop_pci_irq_check_work() function to
+increase the likelihood of triggering the bug.
+
+Fixes: 382c5546d618 ("V4L/DVB (10694): [PATCH] software IRQ watchdog for Flexcop B2C2 DVB PCI cards")
+Cc: stable@vger.kernel.org
+Signed-off-by: Duoming Zhou
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/pci/b2c2/flexcop-pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/pci/b2c2/flexcop-pci.c
++++ b/drivers/media/pci/b2c2/flexcop-pci.c
+@@ -411,7 +411,7 @@ static void flexcop_pci_remove(struct pc
+ struct flexcop_pci *fc_pci = pci_get_drvdata(pdev);
+
+ if (irq_chk_intv > 0)
+- cancel_delayed_work(&fc_pci->irq_check_work);
++ cancel_delayed_work_sync(&fc_pci->irq_check_work);
+
+ flexcop_pci_dma_exit(fc_pci);
+ flexcop_device_exit(fc_pci->fc_dev);
diff --git a/queue-5.4/scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch b/queue-5.4/scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
new file mode 100644
index 00000000000..7679d785155
--- /dev/null
+++ b/queue-5.4/scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
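Review bot: The sync cancel at `++ cancel_delayed_work_sync(&fc_pci->irq_check_work);` is still gated by `if (irq_chk_intv > 0)`, so the fix inherits the assumption that this value is the same at remove time as when the work was scheduled; if irq_chk_intv is a module parameter writable after load (its declaration is not in the hunk), clearing it would skip the cancel and leave the use-after-free reachable. Provided the work is initialised unconditionally in probe, cancel_delayed_work_sync() on a never-queued delayed work is a harmless no-op, so dropping the guard in remove would close that path. The changed line also deserves a why-comment, since the ordering is the whole fix: `/* wait for a running irq_check_work: it dereferences fc_pci->fc_dev, which is freed below */`. flexcop_pci_remove() continues outside the hunk, and whether any lock taken by the work callback is held at this point cannot be confirmed from the visible lines.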
@@ -0,0 +1,47 @@
+From 27e06650a5eafe832a90fd2604f0c5e920857fae Mon Sep 17 00:00:00 2001
+From: Wang Haoran
+Date: Sat, 20 Sep 2025 15:44:41 +0800
+Subject: scsi: target: target_core_configfs: Add length check to avoid buffer overflow
+
+From: Wang Haoran
+
+commit 27e06650a5eafe832a90fd2604f0c5e920857fae upstream.
+
+A buffer overflow arises from the usage of snprintf to write into the
+buffer "buf" in target_lu_gp_members_show function located in
+/drivers/target/target_core_configfs.c. This buffer is allocated with
+size LU_GROUP_NAME_BUF (256 bytes).
+
+snprintf(...) formats multiple strings into buf with the HBA name
+(hba->hba_group.cg_item), a slash character, a devicename (dev->
+dev_group.cg_item) and a newline character, the total formatted string
+length may exceed the buffer size of 256 bytes.
+
+Since snprintf() returns the total number of bytes that would have been
+written (the length of %s/%sn ), this value may exceed the buffer length
+(256 bytes) passed to memcpy(), this will ultimately cause function
+memcpy reporting a buffer overflow error.
+
+An additional check of the return value of snprintf() can avoid this
+buffer overflow.
+
+Reported-by: Wang Haoran
+Reported-by: ziiiro
+Signed-off-by: Wang Haoran
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/target/target_core_configfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_configfs.c
++++ b/drivers/target/target_core_configfs.c
+@@ -2563,7 +2563,7 @@ static ssize_t target_lu_gp_members_show
+ config_item_name(&dev->dev_group.cg_item));
+ cur_len++; /* Extra byte for NULL terminator */
+
+- if ((cur_len + len) > PAGE_SIZE) {
++ if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) {
+ pr_warn("Ran out of lu_gp_show_attr"
+ "_members buffer\n");
+ break;
diff --git a/queue-5.4/series b/queue-5.4/series
index e69de29bb2d..d204733d691 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
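Review bot: The new `cur_len > LU_GROUP_NAME_BUF` test shares the PAGE_SIZE branch and its `Ran out of lu_gp_show_attr_members buffer` warning, so a member whose hba/dev name was truncated by snprintf() is reported as page exhaustion and the listing stops at that member; a separate branch with its own message (and arguably `continue` rather than `break`, since later members may still fit) would make the truncation visible to whoever reads the attribute. The bound itself is right: cur_len is the snprintf() return plus one for the terminator, so it is at most LU_GROUP_NAME_BUF exactly when the formatted name fit in buf, and the memcpy() the commit message describes (outside the hunk) then copies no more than the buffer holds. A one-line comment on the new condition would help the next reader, since the guard looks redundant next to the PAGE_SIZE check: `/* snprintf() reports the would-be length; reject names that did not fit in buf */`. target_lu_gp_members_show() starts and ends outside the hunk.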
@@ -0,0 +1,2 @@
+scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
+media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
--
2.47.3