From: Greg Kroah-Hartman Date: Thu, 15 Jan 2026 15:12:26 +0000 (+0100) Subject: drop queue-5.15/mm-fix-copy_from_user_nofault.patch X-Git-Tag: v6.6.121~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6177d9f525e904f0cea10b34a7119267b162fc51;p=thirdparty%2Fkernel%2Fstable-queue.git drop queue-5.15/mm-fix-copy_from_user_nofault.patch Breaks the build --- diff --git a/queue-5.15/mm-fix-copy_from_user_nofault.patch b/queue-5.15/mm-fix-copy_from_user_nofault.patch deleted file mode 100644 index 36f653831b..0000000000 --- a/queue-5.15/mm-fix-copy_from_user_nofault.patch +++ /dev/null @@ -1,77 +0,0 @@ -From stable+bounces-206300-greg=kroah.com@vger.kernel.org Thu Jan 8 14:49:31 2026 -From: Thadeu Lima de Souza Cascardo -Date: Thu, 8 Jan 2026 07:15:45 -0300 -Subject: mm: Fix copy_from_user_nofault(). -To: stable@vger.kernel.org -Cc: Kees Cook , Alexei Starovoitov , Hsin-Wei Hung , Florian Lehner , Thadeu Lima de Souza Cascardo -Message-ID: <20260108101545.2982626-2-cascardo@igalia.com> - -From: Alexei Starovoitov - -commit d319f344561de23e810515d109c7278919bff7b0 upstream. - -There are several issues with copy_from_user_nofault(): - -- access_ok() is designed for user context only and for that reason -it has WARN_ON_IN_IRQ() which triggers when bpf, kprobe, eprobe -and perf on ppc are calling it from irq. - -- it's missing nmi_uaccess_okay() which is a nop on all architectures -except x86 where it's required. -The comment in arch/x86/mm/tlb.c explains the details why it's necessary. -Calling copy_from_user_nofault() from bpf, [ke]probe without this check is not safe. - -- __copy_from_user_inatomic() under CONFIG_HARDENED_USERCOPY is calling -check_object_size()->__check_object_size()->check_heap_object()->find_vmap_area()->spin_lock() -which is not safe to do from bpf, [ke]probe and perf due to potential deadlock. - -Fix all three issues. At the end the copy_from_user_nofault() becomes -equivalent to copy_from_user_nmi() from safety point of view with -a difference in the return value. - -Reported-by: Hsin-Wei Hung -Signed-off-by: Alexei Starovoitov -Signed-off-by: Florian Lehner -Tested-by: Hsin-Wei Hung -Tested-by: Florian Lehner -Link: https://lore.kernel.org/r/20230410174345.4376-2-dev@der-flo.net -Signed-off-by: Alexei Starovoitov -[cascardo: the test in check_heap_objects did not exist] -Signed-off-by: Thadeu Lima de Souza Cascardo -Signed-off-by: Greg Kroah-Hartman ---- - mm/maccess.c | 16 +++++++++++----- - 1 file changed, 11 insertions(+), 5 deletions(-) - ---- a/mm/maccess.c -+++ b/mm/maccess.c -@@ -5,6 +5,7 @@ - #include - #include - #include -+#include - - bool __weak copy_from_kernel_nofault_allowed(const void *unsafe_src, - size_t size) -@@ -223,11 +224,16 @@ long copy_from_user_nofault(void *dst, c - long ret = -EFAULT; - mm_segment_t old_fs = force_uaccess_begin(); - -- if (access_ok(src, size)) { -- pagefault_disable(); -- ret = __copy_from_user_inatomic(dst, src, size); -- pagefault_enable(); -- } -+ if (!__access_ok(src, size)) -+ return ret; -+ -+ if (!nmi_uaccess_okay()) -+ return ret; -+ -+ pagefault_disable(); -+ ret = __copy_from_user_inatomic(dst, src, size); -+ pagefault_enable(); -+ - force_uaccess_end(old_fs); - - if (ret) diff --git a/queue-5.15/series b/queue-5.15/series index e6732e24c1..7e327162a6 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -491,7 +491,6 @@ ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch ipv4-fix-uninit-value-access-in-__ip_make_skb.patch selftests-net-test_vxlan_under_vrf-fix-hv-connectivity-test.patch x86-remove-__range_not_ok.patch -mm-fix-copy_from_user_nofault.patch pwm-stm32-always-program-polarity.patch ext4-filesystems-without-casefold-feature-cannot-be-mounted-with-siphash.patch ext4-factor-out-ext4_hash_info_init.patch