From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Mark Brown <broonie@kernel.org>,
	"Russell King (Oracle)" <rmk+kernel@armlinux.org.uk>,
	Ard Biesheuvel <ardb@kernel.org>,
	Wang Kefeng <wangkefeng.wang@huawei.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Ben Hutchings <ben@decadent.org.uk>,
	linux-arm-kernel@lists.infradead.org,
	Kees Cook <keescook@chromium.org>
Subject: [PATCH 6.6 04/26] ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()
Date: Thu,  3 Apr 2025 16:20:25 +0100
Message-ID: <20250403151622.542513914@linuxfoundation.org>
In-Reply-To: <20250403151622.415201055@linuxfoundation.org>

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit 169f9102f9198b04afffa6164372a4ba4070f412 upstream.

Under PAN emulation when dumping backtraces from things like the
LKDTM EXEC_USERSPACE test[1], a double fault (which would hang a CPU)
would happen because of dump_instr() attempting to read a userspace
address. Make sure copy_from_kernel_nofault() does not attempt this
any more.

Closes: https://lava.sirena.org.uk/scheduler/job/497571
Link: https://lore.kernel.org/all/202401181125.D48DCB4C@keescook/ [1]

Reported-by: Mark Brown <broonie@kernel.org>
Suggested-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Tested-by: Mark Brown <broonie@kernel.org>
Cc: Wang Kefeng <wangkefeng.wang@huawei.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/mm/fault.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -25,6 +25,13 @@
 
 #include "fault.h"
 
+bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
+{
+	unsigned long addr = (unsigned long)unsafe_src;
+
+	return addr >= TASK_SIZE && ULONG_MAX - addr >= size;
+}
+
 #ifdef CONFIG_MMU
 
 /*
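
Review bot: The new copy_from_kernel_nofault_allowed() is defined above `#ifdef CONFIG_MMU`, so the `addr >= TASK_SIZE` test is also built for !CONFIG_MMU configurations, while the commit message only motivates it with PAN emulation. Either move the definition inside the CONFIG_MMU block or add a comment stating that the check is intended for both configurations. A short comment on `ULONG_MAX - addr >= size`, saying that it rejects ranges that would wrap past the top of the address space, would also make the second half of the condition easier to audit.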



