From: Mykyta Yatsenko <yatsenko@meta.com>
Date: Fri, 23 May 2025 18:17:05 +0000 (+0100)
Subject: bpf: Fix error return value in bpf_copy_from_user_dynptr
X-Git-Tag: v6.16-rc1~131^2~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=079e5c56a5c41d285068939ff7b0041ab10386fa;p=thirdparty%2Fkernel%2Fstable.git

bpf: Fix error return value in bpf_copy_from_user_dynptr

On error, copy_from_user returns number of bytes not copied to
destination, but current implementation of copy_user_data_sleepable does
not handle that correctly and returns it as error value, which may
confuse user, expecting meaningful negative error value.

Fixes: a498ee7576de ("bpf: Implement dynptr copy kfuncs")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250523181705.261585-1-mykyta.yatsenko5@gmail.com
---

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 289ff0caa83e0..132c8be6f635c 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -3555,8 +3555,12 @@ static __always_inline int copy_user_data_sleepable(void *dst, const void *unsaf
 {
 	int ret;
 
-	if (!tsk) /* Read from the current task */
-		return copy_from_user(dst, (const void __user *)unsafe_src, size);
+	if (!tsk) { /* Read from the current task */
+		ret = copy_from_user(dst, (const void __user *)unsafe_src, size);
+		if (ret)
+			return -EFAULT;
+		return 0;
+	}
 
 	ret = access_process_vm(tsk, (unsigned long)unsafe_src, dst, size, 0);
 	if (ret != size)