[PATCH AUTOSEL 6.16-5.4] kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed()

[PATCH AUTOSEL 6.16-5.4] kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed()

[Sasha Levin]

From: Masahiro Yamada <masahiroy@kernel.org>

[ Upstream commit cae9cdbcd9af044810bcceeb43a87accca47c71d ]

The on_treeview2_cursor_changed() handler is connected to both the left
and right tree views, but it hardcodes model2 (the GtkTreeModel of the
right tree view). This is incorrect. Get the associated model from the
view.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

Let me check the commit you provided more carefully. Looking at the
diff:

The commit changes line 851-852 in the `on_treeview2_cursor_changed`
function from:
```c
if (gtk_tree_selection_get_selected(selection, &model2, &iter)) {
    gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1);
```

To:
```c
if (gtk_tree_selection_get_selected(selection, &model, &iter)) {
    gtk_tree_model_get(model, &iter, COL_MENU, &menu, -1);
```

Where `model` is obtained from: `GtkTreeModel *model =
gtk_tree_view_get_model(treeview);`

This is indeed a bug fix. The function `on_treeview2_cursor_changed()`
is connected as a signal handler to BOTH tree views (tree1_w and
tree2_w), as shown in the connection code around lines 989 and 997.
However, the old code hardcoded `model2` which is specifically the model
for the right tree view. This would cause incorrect behavior when the
handler is triggered from the left tree view (tree1_w).

**Backport Status: YES**

## Extensive Analysis:

### Bug Description:
The commit fixes a clear bug in the gconf GUI tool for kernel
configuration. The `on_treeview2_cursor_changed()` function is used as a
signal handler for cursor changes in both the left and right tree views
of the configuration interface. However, the function incorrectly
hardcoded `model2` (the GtkTreeModel for the right tree view) instead of
dynamically getting the model from whichever view triggered the event.

### Code Analysis:
1. **Signal Connection** (lines 988-997 in the repository):
   - The same handler is connected to both tree views:
   ```c
   g_signal_connect(tree1_w, "cursor-changed",
                    G_CALLBACK(on_treeview2_cursor_changed), NULL);
   g_signal_connect(tree2_w, "cursor-changed",
                    G_CALLBACK(on_treeview2_cursor_changed), NULL);
   ```

2. **The Bug**: When the cursor changes in tree1_w (left tree), the
   handler would incorrectly use model2 (right tree's model) to get the
   selected item, potentially causing:
   - Incorrect help text display
   - Crashes if the models have different structures
   - Undefined behavior when accessing invalid iterators

3. **The Fix**: The commit correctly obtains the model from the treeview
   parameter that triggered the event:
  ```c
  GtkTreeModel *model = gtk_tree_view_get_model(treeview);
  ```
  This ensures the correct model is used regardless of which tree view
  triggered the event.

### Backport Justification:
1. **Clear Bug Fix**: This fixes an obvious programming error that
   affects functionality
2. **Small and Contained**: The change is minimal (2 lines modified) and
   localized to a single function
3. **Low Risk**: The fix is straightforward and correct - getting the
   model from the actual tree view instead of hardcoding
4. **User Impact**: This bug could affect users of the gconf
   configuration tool, potentially causing crashes or incorrect behavior
5. **No Architectural Changes**: This is a simple bug fix with no design
   changes
6. **No New Features**: Pure bug fix, no functionality additions

This is an ideal candidate for stable backporting as it's a clear,
minimal bug fix that improves reliability without introducing risk.

 scripts/kconfig/gconf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c
index c0f46f189060..abe4cfe66b14 100644
--- a/scripts/kconfig/gconf.c
+++ b/scripts/kconfig/gconf.c
@@ -942,13 +942,14 @@ on_treeview2_key_press_event(GtkWidget * widget,
 void
 on_treeview2_cursor_changed(GtkTreeView * treeview, gpointer user_data)
 {
+	GtkTreeModel *model = gtk_tree_view_get_model(treeview);
 	GtkTreeSelection *selection;
 	GtkTreeIter iter;
 	struct menu *menu;
 
 	selection = gtk_tree_view_get_selection(treeview);
-	if (gtk_tree_selection_get_selected(selection, &model2, &iter)) {
-		gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1);
+	if (gtk_tree_selection_get_selected(selection, &model, &iter)) {
+		gtk_tree_model_get(model, &iter, COL_MENU, &menu, -1);
 		text_insert_help(menu);
 	}
 }
-- 
2.39.5

[PATCH AUTOSEL 6.16-5.4] kconfig: gconf: fix potential memory leak in renderer_edited()

[Sasha Levin]

From: Masahiro Yamada <masahiroy@kernel.org>

[ Upstream commit f72ed4c6a375e52a3f4b75615e4a89d29d8acea7 ]

If gtk_tree_model_get_iter() fails, gtk_tree_path_free() is not called.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

Based on my analysis of the commit and examination of the code, here is
my assessment:

**Backport Status: YES**

## Extensive Analysis:

### 1. **Nature of the Bug**
The commit fixes a clear memory leak in the `renderer_edited()` function
in scripts/kconfig/gconf.c. The function allocates a GtkTreePath object
using `gtk_tree_path_new_from_string()` at line 782, but if
`gtk_tree_model_get_iter()` fails on line 788, the function returns
early without calling `gtk_tree_path_free()`, causing a memory leak.

### 2. **Bug Impact**
- **Resource leak**: Every time a user attempts to edit a value in the
  GTK-based kernel configuration tool (gconfig) and the operation fails
  to get the iterator, memory is leaked.
- **User-facing impact**: While gconfig is not used by all kernel users,
  those who do use it for configuring the kernel could experience memory
  leaks during interactive configuration sessions.
- **Accumulation potential**: In a long configuration session with
  multiple failed edits, these leaks could accumulate.

### 3. **Fix Analysis**
The fix is minimal and straightforward:
- Changes the early `return` to a `goto free` statement
- Adds a `free:` label before the existing `gtk_tree_path_free(path)`
  call
- This ensures the allocated path is always freed, whether the function
  succeeds or fails

### 4. **Risk Assessment**
- **Minimal risk**: The change only affects the error path and ensures
  proper cleanup
- **No functional changes**: The fix doesn't alter any program logic, it
  only adds proper resource cleanup
- **Well-contained**: The change is limited to a single function in the
  gconfig tool
- **Standard pattern**: Using goto for cleanup is a common and accepted
  pattern in kernel code

### 5. **Stable Tree Criteria Compliance**
The commit meets stable tree requirements:
- ✓ Fixes a real bug (memory leak)
- ✓ Small and contained (2 lines changed)
- ✓ No new features or architectural changes
- ✓ Clear and obvious correctness
- ✓ Minimal regression risk

### 6. **Historical Context**
Looking at the git history, there have been multiple memory leak fixes
in the kconfig subsystem (e.g., commits a409fc1463d6, ae1eff0349f2,
fbac5977d81c), indicating this is an area where such fixes are
considered important and regularly backported.

### 7. **Code Pattern Analysis**
Examining other uses of `gtk_tree_model_get_iter()` in the same file
shows that other call sites don't have this issue because they either:
- Don't allocate resources before the call (lines 902, 962, 1015)
- Or are in different contexts where the path is managed differently

This makes the fix in `renderer_edited()` particularly important as it's
the only place with this specific leak pattern.

The commit should be backported to stable kernels to ensure users of the
gconfig tool don't experience memory leaks during kernel configuration
sessions.

 scripts/kconfig/gconf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c
index abe4cfe66b14..0caf0ced13df 100644
--- a/scripts/kconfig/gconf.c
+++ b/scripts/kconfig/gconf.c
@@ -748,7 +748,7 @@ static void renderer_edited(GtkCellRendererText * cell,
 	struct symbol *sym;
 
 	if (!gtk_tree_model_get_iter(model2, &iter, path))
-		return;
+		goto free;
 
 	gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1);
 	sym = menu->sym;
@@ -760,6 +760,7 @@ static void renderer_edited(GtkCellRendererText * cell,
 
 	update_tree(&rootmenu, NULL);
 
+free:
 	gtk_tree_path_free(path);
 }
 
-- 
2.39.5

[PATCH AUTOSEL 6.16-5.4] kconfig: nconf: Ensure null termination where strncpy is used

[Sasha Levin]

From: Shankari Anand <shankari.ak0208@gmail.com>

[ Upstream commit f468992936894c9ce3b1659cf38c230d33b77a16 ]

strncpy() does not guarantee null-termination if the source string is
longer than the destination buffer.

Ensure the buffer is explicitly null-terminated to prevent potential
string overflows or undefined behavior.

Signed-off-by: Shankari Anand <shankari.ak0208@gmail.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Nicolas Schier <n.schier@avm.de>
Acked-by: Nicolas Schier <n.schier@avm.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

**Backport Status: YES**

This commit is a clear security/safety fix that should be backported to
stable kernel trees. Here's my detailed analysis:

## Code Changes Analysis

The commit adds explicit null termination after `strncpy()` calls in two
locations:

1. **scripts/kconfig/nconf.c** (line ~596):
   - After copying with `strncpy(k_menu_items[index].str, tmp_str,
     sizeof(k_menu_items[index].str))`
   - Adds: `k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1]
     = '\0';`

2. **scripts/kconfig/nconf.gui.c** (line ~361):
   - After copying with `strncpy(result, init, *result_len)`
   - Adds: `result[*result_len - 1] = '\0';`

## Why This Should Be Backported

1. **Bug Fix**: This fixes a genuine security issue where `strncpy()`
   does not guarantee null-termination if the source string equals or
   exceeds the destination buffer size. This can lead to:
   - Buffer overruns when the string is later used
   - Information disclosure (reading past buffer boundaries)
   - Potential crashes or undefined behavior

2. **Small and Contained**: The fix is minimal - just two single-line
   additions that ensure null termination. No architectural changes or
   new features.

3. **Low Risk**: The changes are straightforward defensive programming
   practices that cannot introduce regressions. They only ensure strings
   are properly terminated.

4. **Security Impact**: String handling bugs are a common source of
   security vulnerabilities. While kconfig tools are build-time
   utilities (not runtime kernel code), they process user-provided
   configuration data and should handle strings safely.

5. **Meets Stable Criteria**:
   - Fixes a real bug (improper string termination)
   - Minimal change (2 lines added)
   - Obviously correct (standard C string safety practice)
   - No new functionality

6. **Testing**: The commit has been tested by multiple developers (Randy
   Dunlap, Nicolas Schier) and acked by them, indicating confidence in
   the fix.

The defensive null-termination pattern after `strncpy()` is a well-
established best practice in C programming to prevent string-related
bugs. This type of fix is exactly what stable kernels should include to
improve reliability and security without introducing new risks.

 scripts/kconfig/nconf.c     | 2 ++
 scripts/kconfig/nconf.gui.c | 1 +
 2 files changed, 3 insertions(+)

diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
index c0b2dabf6c89..ae1fe5f60327 100644
--- a/scripts/kconfig/nconf.c
+++ b/scripts/kconfig/nconf.c
@@ -593,6 +593,8 @@ static void item_add_str(const char *fmt, ...)
 		tmp_str,
 		sizeof(k_menu_items[index].str));
 
+	k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1] = '\0';
+
 	free_item(curses_menu_items[index]);
 	curses_menu_items[index] = new_item(
 			k_menu_items[index].str,
diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
index 4bfdf8ac2a9a..7206437e784a 100644
--- a/scripts/kconfig/nconf.gui.c
+++ b/scripts/kconfig/nconf.gui.c
@@ -359,6 +359,7 @@ int dialog_inputbox(WINDOW *main_window,
 	x = (columns-win_cols)/2;
 
 	strncpy(result, init, *result_len);
+	result[*result_len - 1] = '\0';
 
 	/* create the windows */
 	win = newwin(win_lines, win_cols, y, x);
-- 
2.39.5