6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook keescook@chromium.org
commit 169f9102f9198b04afffa6164372a4ba4070f412 upstream.
Under PAN emulation when dumping backtraces from things like the LKDTM EXEC_USERSPACE test[1], a double fault (which would hang a CPU) would happen because of dump_instr() attempting to read a userspace address. Make sure copy_from_kernel_nofault() does not attempt this any more.
Closes: https://lava.sirena.org.uk/scheduler/job/497571
Link: https://lore.kernel.org/all/202401181125.D48DCB4C@keescook/ [1]
Reported-by: Mark Brown broonie@kernel.org
Suggested-by: Russell King (Oracle) rmk+kernel@armlinux.org.uk
Reviewed-by: Ard Biesheuvel ardb@kernel.org
Tested-by: Mark Brown broonie@kernel.org
Cc: Wang Kefeng wangkefeng.wang@huawei.com
Cc: Andrew Morton akpm@linux-foundation.org
Cc: Ben Hutchings ben@decadent.org.uk
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Kees Cook keescook@chromium.org
Signed-off-by: Russell King (Oracle) rmk+kernel@armlinux.org.uk
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 arch/arm/mm/fault.c | 7 +++++++
 1 file changed, 7 insertions(+)
--- a/arch/arm/mm/fault.c +++ b/arch/arm/mm/fault.c @@ -25,6 +25,13 @@
#include "fault.h"
+bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size) +{ + unsigned long addr = (unsigned long)unsafe_src; + + return addr >= TASK_SIZE && ULONG_MAX - addr >= size; +} + #ifdef CONFIG_MMU
/*
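Review bot: The added copy_from_kernel_nofault_allowed() in arch/arm/mm/fault.c has no comment explaining why addresses below TASK_SIZE are refused. The reason (a nofault read of a userspace address from dump_instr() double-faults under PAN emulation) lives only in the commit message, so a short comment above the function would keep a later cleanup from relaxing the check. The function also sits above "#ifdef CONFIG_MMU", so it is built for no-MMU configurations too; please confirm that TASK_SIZE is the intended lower bound there, or move the function inside the guard. The range test "ULONG_MAX - addr >= size" is written so that it cannot wrap, which is the right form for this check.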