Re: copy.fail and backport to LTS 6.12 and earlier (was: Linux 7.0.3)

[Greg Kroah-Hartman]

On Fri, May 01, 2026 at 11:56:39AM +0200, Paul Menzel wrote:
> Dear Greg,
> 
> 
> Am 30.04.26 um 15:15 schrieb Greg Kroah-Hartman:
> > On Thu, Apr 30, 2026 at 03:09:05PM +0200, Luna Jernberg wrote:
> 
> > > Works fine
> > > 
> > > patching: https://copy.fail/ next ? ;)
> > 
> > That was fixed a while ago in older kernel releases that you should
> > already be running :)
> 
> Thank you for maintaining the stable and LTS series. Release from 6.12.y and
> older do not seem to have had the fix included upon public disclosure.
> 
> Commit a664bf3d603d (crypto: algif_aead - Revert to operating out-of-place)
> [1] fixing Copy Fail [2] went into v7.0-rc7, released on Sunday, April 5th,
> and the backport appeared in 6.18.22 and 6.19.12, both tagged and released
> on April 11th. For some reason, for older series, the backport appeared in
> 6.12.85, 6.6.137, and 6.1.170 and 5.15.204 yesterday on April 30th. Several
> Distributions like Debian stable did not have the fix included upon
> disclosure to my knowledge.
> 
> Do you know what happened? (Not that I have any demands or expectations, as
> most Linux kernel users use it for free and do not contribute to it
> financially or by active participation. Also, my institute infrastructure
> was also not affected, as we build Linux ourselves and do not have the
> module enabled.)

We have no control, or insight, into what anyone does with regards to
"disclosure", nor do you want us to.

No one had taken the time to do the backporting of these patches to
older kernels for various reasons, not the least being that probably no
one noticed or cared at the time.  If you look there are thousands of
unfixed CVEs in the older LTS kernels right now, and if distros or users
that rely on those older branches wish to see those resolved, they need
to provide working backports to us to apply, as our first attempt did
not work (which is why they are unfixed in those branches.)

thanks,

greg k-h