Linux 7.0.3

Linux 7.0.3

[Greg Kroah-Hartman]

I'm announcing the release of the 7.0.3 kernel.

Only users of Xen in the 7.0 kernel series must upgrade.

The updated 7.0.y git tree can be found at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-7.0.y
and can be browsed at the normal kernel.org git web browser:
	https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary

thanks,

greg k-h

------------

 Makefile                     |    2 +-
 drivers/xen/privcmd.c        |    7 +++++++
 drivers/xen/sys-hypervisor.c |    8 ++++++--
 3 files changed, 14 insertions(+), 3 deletions(-)

Greg Kroah-Hartman (1):
      Linux 7.0.3

Juergen Gross (2):
      Buffer overflow in drivers/xen/sys-hypervisor.c
      xen/privcmd: fix double free via VMA splitting

Re: Linux 7.0.3

[Greg Kroah-Hartman]

diff --git a/Makefile b/Makefile
index b17ca865bcee..61f8019efd5a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 7
 PATCHLEVEL = 0
-SUBLEVEL = 2
+SUBLEVEL = 3
 EXTRAVERSION =
 NAME = Baby Opossum Posse
 
diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
index 15ba592236e8..725a49a0eee7 100644
--- a/drivers/xen/privcmd.c
+++ b/drivers/xen/privcmd.c
@@ -1620,6 +1620,12 @@ static void privcmd_close(struct vm_area_struct *vma)
 	kvfree(pages);
 }
 
+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr)
+{
+	/* Forbid splitting, avoids double free via privcmd_close(). */
+	return -EINVAL;
+}
+
 static vm_fault_t privcmd_fault(struct vm_fault *vmf)
 {
 	printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
@@ -1631,6 +1637,7 @@ static vm_fault_t privcmd_fault(struct vm_fault *vmf)
 
 static const struct vm_operations_struct privcmd_vm_ops = {
 	.close = privcmd_close,
+	.may_split = privcmd_may_split,
 	.fault = privcmd_fault
 };
 
diff --git a/drivers/xen/sys-hypervisor.c b/drivers/xen/sys-hypervisor.c
index b1bb01ba82f8..91923242a5ae 100644
--- a/drivers/xen/sys-hypervisor.c
+++ b/drivers/xen/sys-hypervisor.c
@@ -366,6 +366,8 @@ static ssize_t buildid_show(struct hyp_sysfs_attr *attr, char *buffer)
 			ret = sprintf(buffer, "<denied>");
 		return ret;
 	}
+	if (ret > PAGE_SIZE)
+		return -ENOSPC;
 
 	buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL);
 	if (!buildid)
@@ -373,8 +375,10 @@ static ssize_t buildid_show(struct hyp_sysfs_attr *attr, char *buffer)
 
 	buildid->len = ret;
 	ret = HYPERVISOR_xen_version(XENVER_build_id, buildid);
-	if (ret > 0)
-		ret = sprintf(buffer, "%s", buildid->buf);
+	if (ret > 0) {
+		/* Build id is binary, not a string. */
+		memcpy(buffer, buildid->buf, ret);
+	}
 	kfree(buildid);
 
 	return ret;

Re: Linux 7.0.3

[Luna Jernberg]

Hey!

Works fine

patching: https://copy.fail/ next ? ;)

Den tors 30 apr. 2026 kl 11:51 skrev Greg Kroah-Hartman
<gregkh@linuxfoundation.org>:
>
> I'm announcing the release of the 7.0.3 kernel.
>
> Only users of Xen in the 7.0 kernel series must upgrade.
>
> The updated 7.0.y git tree can be found at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-7.0.y
> and can be browsed at the normal kernel.org git web browser:
>         https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
>
> thanks,
>
> greg k-h
>
> ------------
>
>  Makefile                     |    2 +-
>  drivers/xen/privcmd.c        |    7 +++++++
>  drivers/xen/sys-hypervisor.c |    8 ++++++--
>  3 files changed, 14 insertions(+), 3 deletions(-)
>
> Greg Kroah-Hartman (1):
>       Linux 7.0.3
>
> Juergen Gross (2):
>       Buffer overflow in drivers/xen/sys-hypervisor.c
>       xen/privcmd: fix double free via VMA splitting
>
>

Re: Linux 7.0.3

[Greg Kroah-Hartman]

On Thu, Apr 30, 2026 at 03:09:05PM +0200, Luna Jernberg wrote:
> Hey!
> 
> Works fine
> 
> patching: https://copy.fail/ next ? ;)

That was fixed a while ago in older kernel releases that you should
already be running :)

thanks,

greg k-h

Re: Linux 7.0.3

[Luna Jernberg]

Ah alright then i know, its me thats not keeping up thank you

Den tors 30 apr. 2026 kl 15:15 skrev Greg Kroah-Hartman
<gregkh@linuxfoundation.org>:
>
> On Thu, Apr 30, 2026 at 03:09:05PM +0200, Luna Jernberg wrote:
> > Hey!
> >
> > Works fine
> >
> > patching: https://copy.fail/ next ? ;)
>
> That was fixed a while ago in older kernel releases that you should
> already be running :)
>
> thanks,
>
> greg k-h

copy.fail and backport to LTS 6.12 and earlier (was: Linux 7.0.3)

[Paul Menzel]

Dear Greg,


Am 30.04.26 um 15:15 schrieb Greg Kroah-Hartman:
> On Thu, Apr 30, 2026 at 03:09:05PM +0200, Luna Jernberg wrote:

>> Works fine
>>
>> patching: https://copy.fail/ next ? ;)
> 
> That was fixed a while ago in older kernel releases that you should
> already be running :)

Thank you for maintaining the stable and LTS series. Release from 6.12.y 
and older do not seem to have had the fix included upon public disclosure.

Commit a664bf3d603d (crypto: algif_aead - Revert to operating 
out-of-place) [1] fixing Copy Fail [2] went into v7.0-rc7, released on 
Sunday, April 5th, and the backport appeared in 6.18.22 and 6.19.12, 
both tagged and released on April 11th. For some reason, for older 
series, the backport appeared in 6.12.85, 6.6.137, and 6.1.170 and 
5.15.204 yesterday on April 30th. Several Distributions like Debian 
stable did not have the fix included upon disclosure to my knowledge.

Do you know what happened? (Not that I have any demands or expectations, 
as most Linux kernel users use it for free and do not contribute to it 
financially or by active participation. Also, my institute 
infrastructure was also not affected, as we build Linux ourselves and do 
not have the module enabled.)


Kind regards,

Paul


[1]: 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
[2]: https://copy.fail/


$ git log --oneline --grep a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 
stable/linux-6.19.y
ce42ee423e58d crypto: algif_aead - Revert to operating out-of-place
$ git tag --contains ce42ee423e58d
v6.19.12
v6.19.13
v6.19.14

$ git log --oneline --grep a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 
stable/linux-6.18.y
fafe0fa2995a0 crypto: algif_aead - Revert to operating out-of-place
$ git tag --contains fafe0fa2995a0
v6.18.22
v6.18.23
v6.18.24
v6.18.25
v6.18.26

$ git log --oneline --grep a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 
stable/linux-6.12.y
8b88d99341f13 crypto: algif_aead - Revert to operating out-of-place
$ git tag --contains 8b88d99341f13
v6.12.85

$ git log --oneline --grep a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 
stable/linux-6.6.y
3115af9644c34 crypto: algif_aead - Revert to operating out-of-place
$ git tag --contains 3115af9644c34
v6.6.137

$ git log --oneline --grep a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 
stable/linux-6.1.y
961cfa271a918 crypto: algif_aead - Revert to operating out-of-place
$ git tag --contains 961cfa271a918
v6.1.170

$ git log --oneline --grep a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 
stable/linux-5.15.y
19d43105a97be crypto: algif_aead - Revert to operating out-of-place
$ git tag --contains 19d43105a97be
v5.15.204

Re: copy.fail and backport to LTS 6.12 and earlier (was: Linux 7.0.3)

[Greg Kroah-Hartman]

On Fri, May 01, 2026 at 11:56:39AM +0200, Paul Menzel wrote:
> Dear Greg,
> 
> 
> Am 30.04.26 um 15:15 schrieb Greg Kroah-Hartman:
> > On Thu, Apr 30, 2026 at 03:09:05PM +0200, Luna Jernberg wrote:
> 
> > > Works fine
> > > 
> > > patching: https://copy.fail/ next ? ;)
> > 
> > That was fixed a while ago in older kernel releases that you should
> > already be running :)
> 
> Thank you for maintaining the stable and LTS series. Release from 6.12.y and
> older do not seem to have had the fix included upon public disclosure.
> 
> Commit a664bf3d603d (crypto: algif_aead - Revert to operating out-of-place)
> [1] fixing Copy Fail [2] went into v7.0-rc7, released on Sunday, April 5th,
> and the backport appeared in 6.18.22 and 6.19.12, both tagged and released
> on April 11th. For some reason, for older series, the backport appeared in
> 6.12.85, 6.6.137, and 6.1.170 and 5.15.204 yesterday on April 30th. Several
> Distributions like Debian stable did not have the fix included upon
> disclosure to my knowledge.
> 
> Do you know what happened? (Not that I have any demands or expectations, as
> most Linux kernel users use it for free and do not contribute to it
> financially or by active participation. Also, my institute infrastructure
> was also not affected, as we build Linux ourselves and do not have the
> module enabled.)

We have no control, or insight, into what anyone does with regards to
"disclosure", nor do you want us to.

No one had taken the time to do the backporting of these patches to
older kernels for various reasons, not the least being that probably no
one noticed or cared at the time.  If you look there are thousands of
unfixed CVEs in the older LTS kernels right now, and if distros or users
that rely on those older branches wish to see those resolved, they need
to provide working backports to us to apply, as our first attempt did
not work (which is why they are unfixed in those branches.)

thanks,

greg k-h