5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Mar 2021 09:05:33 +0000 (10:05 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Mar 2021 09:05:33 +0000 (10:05 +0100)
added patches:
binfmt_misc-fix-possible-deadlock-in-bm_register_write.patch
kvm-arm64-fix-exclusive-limit-for-ipa-size.patch
powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch
sched-membarrier-fix-missing-local-execution-of-ipi_sync_rq_state.patch
x86-unwind-orc-disable-kasan-checking-in-the-orc-unwinder-part-2.patch
zram-fix-return-value-on-writeback_store.patch

queue-5.4/binfmt_misc-fix-possible-deadlock-in-bm_register_write.patch [new file with mode: 0644]
queue-5.4/kvm-arm64-fix-exclusive-limit-for-ipa-size.patch [new file with mode: 0644]
queue-5.4/powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch [new file with mode: 0644]
queue-5.4/sched-membarrier-fix-missing-local-execution-of-ipi_sync_rq_state.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/x86-unwind-orc-disable-kasan-checking-in-the-orc-unwinder-part-2.patch [new file with mode: 0644]
queue-5.4/zram-fix-return-value-on-writeback_store.patch [new file with mode: 0644]

diff --git a/queue-5.4/binfmt_misc-fix-possible-deadlock-in-bm_register_write.patch b/queue-5.4/binfmt_misc-fix-possible-deadlock-in-bm_register_write.patch
new file mode 100644 (file)
index 0000000..70ca8a5
--- /dev/null
@@ -0,0 +1,118 @@
+From e7850f4d844e0acfac7e570af611d89deade3146 Mon Sep 17 00:00:00 2001
+From: Lior Ribak <liorribak@gmail.com>
+Date: Fri, 12 Mar 2021 21:07:41 -0800
+Subject: binfmt_misc: fix possible deadlock in bm_register_write
+
+From: Lior Ribak <liorribak@gmail.com>
+
+commit e7850f4d844e0acfac7e570af611d89deade3146 upstream.
+
+There is a deadlock in bm_register_write:
+
+First, in the begining of the function, a lock is taken on the binfmt_misc
+root inode with inode_lock(d_inode(root)).
+
+Then, if the user used the MISC_FMT_OPEN_FILE flag, the function will call
+open_exec on the user-provided interpreter.
+
+open_exec will call a path lookup, and if the path lookup process includes
+the root of binfmt_misc, it will try to take a shared lock on its inode
+again, but it is already locked, and the code will get stuck in a deadlock
+
+To reproduce the bug:
+$ echo ":iiiii:E::ii::/proc/sys/fs/binfmt_misc/bla:F" > /proc/sys/fs/binfmt_misc/register
+
+backtrace of where the lock occurs (#5):
+0  schedule () at ./arch/x86/include/asm/current.h:15
+1  0xffffffff81b51237 in rwsem_down_read_slowpath (sem=0xffff888003b202e0, count=<optimized out>, state=state@entry=2) at kernel/locking/rwsem.c:992
+2  0xffffffff81b5150a in __down_read_common (state=2, sem=<optimized out>) at kernel/locking/rwsem.c:1213
+3  __down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1222
+4  down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1355
+5  0xffffffff811ee22a in inode_lock_shared (inode=<optimized out>) at ./include/linux/fs.h:783
+6  open_last_lookups (op=0xffffc9000022fe34, file=0xffff888004098600, nd=0xffffc9000022fd10) at fs/namei.c:3177
+7  path_openat (nd=nd@entry=0xffffc9000022fd10, op=op@entry=0xffffc9000022fe34, flags=flags@entry=65) at fs/namei.c:3366
+8  0xffffffff811efe1c in do_filp_open (dfd=<optimized out>, pathname=pathname@entry=0xffff8880031b9000, op=op@entry=0xffffc9000022fe34) at fs/namei.c:3396
+9  0xffffffff811e493f in do_open_execat (fd=fd@entry=-100, name=name@entry=0xffff8880031b9000, flags=<optimized out>, flags@entry=0) at fs/exec.c:913
+10 0xffffffff811e4a92 in open_exec (name=<optimized out>) at fs/exec.c:948
+11 0xffffffff8124aa84 in bm_register_write (file=<optimized out>, buffer=<optimized out>, count=19, ppos=<optimized out>) at fs/binfmt_misc.c:682
+12 0xffffffff811decd2 in vfs_write (file=file@entry=0xffff888004098500, buf=buf@entry=0xa758d0 ":iiiii:E::ii::i:CF
+", count=count@entry=19, pos=pos@entry=0xffffc9000022ff10) at fs/read_write.c:603
+13 0xffffffff811defda in ksys_write (fd=<optimized out>, buf=0xa758d0 ":iiiii:E::ii::i:CF
+", count=19) at fs/read_write.c:658
+14 0xffffffff81b49813 in do_syscall_64 (nr=<optimized out>, regs=0xffffc9000022ff58) at arch/x86/entry/common.c:46
+15 0xffffffff81c0007c in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:120
+
+To solve the issue, the open_exec call is moved to before the write
+lock is taken by bm_register_write
+
+Link: https://lkml.kernel.org/r/20210228224414.95962-1-liorribak@gmail.com
+Fixes: 948b701a607f1 ("binfmt_misc: add persistent opened binary handler for containers")
+Signed-off-by: Lior Ribak <liorribak@gmail.com>
+Acked-by: Helge Deller <deller@gmx.de>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/binfmt_misc.c |   29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -696,12 +696,24 @@ static ssize_t bm_register_write(struct
+       struct super_block *sb = file_inode(file)->i_sb;
+       struct dentry *root = sb->s_root, *dentry;
+       int err = 0;
++      struct file *f = NULL;
+       e = create_entry(buffer, count);
+       if (IS_ERR(e))
+               return PTR_ERR(e);
++      if (e->flags & MISC_FMT_OPEN_FILE) {
++              f = open_exec(e->interpreter);
++              if (IS_ERR(f)) {
++                      pr_notice("register: failed to install interpreter file %s\n",
++                               e->interpreter);
++                      kfree(e);
++                      return PTR_ERR(f);
++              }
++              e->interp_file = f;
++      }
++
+       inode_lock(d_inode(root));
+       dentry = lookup_one_len(e->name, root, strlen(e->name));
+       err = PTR_ERR(dentry);
+@@ -725,21 +737,6 @@ static ssize_t bm_register_write(struct
+               goto out2;
+       }
+-      if (e->flags & MISC_FMT_OPEN_FILE) {
+-              struct file *f;
+-
+-              f = open_exec(e->interpreter);
+-              if (IS_ERR(f)) {
+-                      err = PTR_ERR(f);
+-                      pr_notice("register: failed to install interpreter file %s\n", e->interpreter);
+-                      simple_release_fs(&bm_mnt, &entry_count);
+-                      iput(inode);
+-                      inode = NULL;
+-                      goto out2;
+-              }
+-              e->interp_file = f;
+-      }
+-
+       e->dentry = dget(dentry);
+       inode->i_private = e;
+       inode->i_fop = &bm_entry_operations;
+@@ -756,6 +753,8 @@ out:
+       inode_unlock(d_inode(root));
+       if (err) {
++              if (f)
++                      filp_close(f, NULL);
+               kfree(e);
+               return err;
+       }
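Review bot: The open_exec() call that now precedes inode_lock() at the top of bm_register_write carries no comment saying why the ordering matters, even though that ordering is the entire fix and a later cleanup could easily move the open back next to the dentry setup. I would add above the `if (e->flags & MISC_FMT_OPEN_FILE)` block: `/* Open the interpreter before taking the root inode lock: the path lookup may traverse binfmt_misc itself and would deadlock on inode_lock_shared(). */`. The `if (f) filp_close(f, NULL);` at `out:` is the only place the file is released on failure, so every error path after the open must reach `out:`; the `out2` label and the code between the hunks are not visible here, so I could not confirm that from the hunk alone. bm_register_write starts and ends outside the hunks shown.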
diff --git a/queue-5.4/kvm-arm64-fix-exclusive-limit-for-ipa-size.patch b/queue-5.4/kvm-arm64-fix-exclusive-limit-for-ipa-size.patch
new file mode 100644 (file)
index 0000000..4cffe6a
--- /dev/null
@@ -0,0 +1,45 @@
+From 262b003d059c6671601a19057e9fe1a5e7f23722 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Thu, 11 Mar 2021 10:00:16 +0000
+Subject: KVM: arm64: Fix exclusive limit for IPA size
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 262b003d059c6671601a19057e9fe1a5e7f23722 upstream.
+
+When registering a memslot, we check the size and location of that
+memslot against the IPA size to ensure that we can provide guest
+access to the whole of the memory.
+
+Unfortunately, this check rejects memslot that end-up at the exact
+limit of the addressing capability for a given IPA size. For example,
+it refuses the creation of a 2GB memslot at 0x8000000 with a 32bit
+IPA space.
+
+Fix it by relaxing the check to accept a memslot reaching the
+limit of the IPA space.
+
+Fixes: c3058d5da222 ("arm/arm64: KVM: Ensure memslots are within KVM_PHYS_SIZE")
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Andrew Jones <drjones@redhat.com>
+Link: https://lore.kernel.org/r/20210311100016.3830038-3-maz@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/mmu.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/virt/kvm/arm/mmu.c
++++ b/virt/kvm/arm/mmu.c
+@@ -2307,8 +2307,7 @@ int kvm_arch_prepare_memory_region(struc
+        * Prevent userspace from creating a memory region outside of the IPA
+        * space addressable by the KVM guest IPA space.
+        */
+-      if (memslot->base_gfn + memslot->npages >=
+-          (kvm_phys_size(kvm) >> PAGE_SHIFT))
++      if ((memslot->base_gfn + memslot->npages) > (kvm_phys_size(kvm) >> PAGE_SHIFT))
+               return -EFAULT;
+       down_read(&current->mm->mmap_sem);
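Review bot: The rewritten condition `if ((memslot->base_gfn + memslot->npages) > (kvm_phys_size(kvm) >> PAGE_SHIFT))` adds two userspace-derived values with no local wrap check, and a wrapped sum would pass the `>` test; as far as I recall the generic memslot code rejects a region whose guest_phys_addr + memory_size wraps before this hook runs, so the check is sound, but that dependency deserves a comment such as `/* base_gfn + npages cannot wrap here; the generic memslot code rejects wrapping regions first. */` — worth confirming against the caller. As a style point, the new line is longer than the kernel's usual 80 columns where the removed form was wrapped; keeping the two-line layout with `>` would stay checkpatch-clean. kvm_arch_prepare_memory_region continues outside the hunk.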
diff --git a/queue-5.4/powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch b/queue-5.4/powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch
new file mode 100644 (file)
index 0000000..ba9c231
--- /dev/null
@@ -0,0 +1,36 @@
+From cea15316ceee2d4a51dfdecd79e08a438135416c Mon Sep 17 00:00:00 2001
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Thu, 4 Mar 2021 07:34:11 +0530
+Subject: powerpc/64s: Fix instruction encoding for lis in ppc_function_entry()
+
+From: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+
+commit cea15316ceee2d4a51dfdecd79e08a438135416c upstream.
+
+'lis r2,N' is 'addis r2,0,N' and the instruction encoding in the macro
+LIS_R2 is incorrect (it currently maps to 'addis r0,r2,N'). Fix the
+same.
+
+Fixes: c71b7eff426f ("powerpc: Add ABIv2 support to ppc_function_entry")
+Cc: stable@vger.kernel.org # v3.16+
+Reported-by: Jiri Olsa <jolsa@redhat.com>
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Acked-by: Segher Boessenkool <segher@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210304020411.16796-1-naveen.n.rao@linux.vnet.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/code-patching.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/code-patching.h
++++ b/arch/powerpc/include/asm/code-patching.h
+@@ -72,7 +72,7 @@ void __patch_exception(int exc, unsigned
+ #endif
+ #define OP_RT_RA_MASK 0xffff0000UL
+-#define LIS_R2                0x3c020000UL
++#define LIS_R2                0x3c400000UL
+ #define ADDIS_R2_R12  0x3c4c0000UL
+ #define ADDI_R2_R2    0x38420000UL
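Review bot: The corrected `#define LIS_R2 0x3c400000UL` is a bare magic number among the neighbouring ADDIS_R2_R12 and ADDI_R2_R2 encodings, and the commit message is the only place that records which fields were wrong, so the next reader has to decode the bits by hand again. I would annotate it: `/* lis r2,N == addis r2,r0,N: primary opcode 15, RT=2, RA=0 */`. The new value does decode that way (opcode field 15, RT field 2, RA field 0), and the old value with RT=0, RA=2 matches the `addis r0,r2,N` the message describes.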
diff --git a/queue-5.4/sched-membarrier-fix-missing-local-execution-of-ipi_sync_rq_state.patch b/queue-5.4/sched-membarrier-fix-missing-local-execution-of-ipi_sync_rq_state.patch
new file mode 100644 (file)
index 0000000..f0e21c7
--- /dev/null
@@ -0,0 +1,41 @@
+From ce29ddc47b91f97e7f69a0fb7cbb5845f52a9825 Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Wed, 17 Feb 2021 11:56:51 -0500
+Subject: sched/membarrier: fix missing local execution of ipi_sync_rq_state()
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit ce29ddc47b91f97e7f69a0fb7cbb5845f52a9825 upstream.
+
+The function sync_runqueues_membarrier_state() should copy the
+membarrier state from the @mm received as parameter to each runqueue
+currently running tasks using that mm.
+
+However, the use of smp_call_function_many() skips the current runqueue,
+which is unintended. Replace by a call to on_each_cpu_mask().
+
+Fixes: 227a4aadc75b ("sched/membarrier: Fix p->mm->membarrier_state racy load")
+Reported-by: Nadav Amit <nadav.amit@gmail.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: stable@vger.kernel.org # 5.4.x+
+Link: https://lore.kernel.org/r/74F1E842-4A84-47BF-B6C2-5407DFDD4A4A@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/membarrier.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/sched/membarrier.c
++++ b/kernel/sched/membarrier.c
+@@ -265,9 +265,7 @@ static int sync_runqueues_membarrier_sta
+       }
+       rcu_read_unlock();
+-      preempt_disable();
+-      smp_call_function_many(tmpmask, ipi_sync_rq_state, mm, 1);
+-      preempt_enable();
++      on_each_cpu_mask(tmpmask, ipi_sync_rq_state, mm, true);
+       free_cpumask_var(tmpmask);
+       cpus_read_unlock();
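Review bot: The replacement `on_each_cpu_mask(tmpmask, ipi_sync_rq_state, mm, true);` leaves no hint in the code that including the local CPU is deliberate, which is exactly the difference from smp_call_function_many() this patch exists for and is easy to "optimise" away again. I would precede it with `/* on_each_cpu_mask() runs ipi_sync_rq_state() on the local CPU as well; smp_call_function_many() skips it. */`. Dropping the preempt_disable()/preempt_enable() pair looks correct if on_each_cpu_mask() disables preemption internally, which the hunk cannot show. sync_runqueues_membarrier_state starts outside the hunk, and the allocation of tmpmask is not visible here.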
index 2d736660dc415b9099a288c0f24aec74cbb2c718..87ff92bafd794f6737953d840df723b6b60c42c8 100644 (file)
@@ -170,3 +170,9 @@ hrtimer-update-softirq_expires_next-correctly-after-.patch
 stop_machine-mark-helpers-__always_inline.patch
 include-linux-sched-mm.h-use-rcu_dereference-in-in_v.patch
 prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch
+zram-fix-return-value-on-writeback_store.patch
+sched-membarrier-fix-missing-local-execution-of-ipi_sync_rq_state.patch
+powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch
+binfmt_misc-fix-possible-deadlock-in-bm_register_write.patch
+x86-unwind-orc-disable-kasan-checking-in-the-orc-unwinder-part-2.patch
+kvm-arm64-fix-exclusive-limit-for-ipa-size.patch
diff --git a/queue-5.4/x86-unwind-orc-disable-kasan-checking-in-the-orc-unwinder-part-2.patch b/queue-5.4/x86-unwind-orc-disable-kasan-checking-in-the-orc-unwinder-part-2.patch
new file mode 100644 (file)
index 0000000..6168619
--- /dev/null
@@ -0,0 +1,87 @@
+From e504e74cc3a2c092b05577ce3e8e013fae7d94e6 Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Fri, 5 Feb 2021 08:24:02 -0600
+Subject: x86/unwind/orc: Disable KASAN checking in the ORC unwinder, part 2
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit e504e74cc3a2c092b05577ce3e8e013fae7d94e6 upstream.
+
+KASAN reserves "redzone" areas between stack frames in order to detect
+stack overruns.  A read or write to such an area triggers a KASAN
+"stack-out-of-bounds" BUG.
+
+Normally, the ORC unwinder stays in-bounds and doesn't access the
+redzone.  But sometimes it can't find ORC metadata for a given
+instruction.  This can happen for code which is missing ORC metadata, or
+for generated code.  In such cases, the unwinder attempts to fall back
+to frame pointers, as a best-effort type thing.
+
+This fallback often works, but when it doesn't, the unwinder can get
+confused and go off into the weeds into the KASAN redzone, triggering
+the aforementioned KASAN BUG.
+
+But in this case, the unwinder's confusion is actually harmless and
+working as designed.  It already has checks in place to prevent
+off-stack accesses, but those checks get short-circuited by the KASAN
+BUG.  And a BUG is a lot more disruptive than a harmless unwinder
+warning.
+
+Disable the KASAN checks by using READ_ONCE_NOCHECK() for all stack
+accesses.  This finishes the job started by commit 881125bfe65b
+("x86/unwind: Disable KASAN checking in the ORC unwinder"), which only
+partially fixed the issue.
+
+Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
+Reported-by: Ivan Babrou <ivan@cloudflare.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Tested-by: Ivan Babrou <ivan@cloudflare.com>
+Cc: stable@kernel.org
+Link: https://lkml.kernel.org/r/9583327904ebbbeda399eca9c56d6c7085ac20fe.1612534649.git.jpoimboe@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/unwind_orc.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/unwind_orc.c
++++ b/arch/x86/kernel/unwind_orc.c
+@@ -357,8 +357,8 @@ static bool deref_stack_regs(struct unwi
+       if (!stack_access_ok(state, addr, sizeof(struct pt_regs)))
+               return false;
+-      *ip = regs->ip;
+-      *sp = regs->sp;
++      *ip = READ_ONCE_NOCHECK(regs->ip);
++      *sp = READ_ONCE_NOCHECK(regs->sp);
+       return true;
+ }
+@@ -370,8 +370,8 @@ static bool deref_stack_iret_regs(struct
+       if (!stack_access_ok(state, addr, IRET_FRAME_SIZE))
+               return false;
+-      *ip = regs->ip;
+-      *sp = regs->sp;
++      *ip = READ_ONCE_NOCHECK(regs->ip);
++      *sp = READ_ONCE_NOCHECK(regs->sp);
+       return true;
+ }
+@@ -392,12 +392,12 @@ static bool get_reg(struct unwind_state
+               return false;
+       if (state->full_regs) {
+-              *val = ((unsigned long *)state->regs)[reg];
++              *val = READ_ONCE_NOCHECK(((unsigned long *)state->regs)[reg]);
+               return true;
+       }
+       if (state->prev_regs) {
+-              *val = ((unsigned long *)state->prev_regs)[reg];
++              *val = READ_ONCE_NOCHECK(((unsigned long *)state->prev_regs)[reg]);
+               return true;
+       }
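Review bot: The six new READ_ONCE_NOCHECK() reads disable KASAN instrumentation without a comment saying why that is safe, and in get_reg the range check that is supposed to make it safe lies above the hunk where it cannot be seen. In deref_stack_regs and deref_stack_iret_regs the preceding `stack_access_ok()` is visible; I would add at the first site `/* Deliberately KASAN-unchecked: a failed frame-pointer fallback may touch a redzone, and stack_access_ok() above already bounds the access. */` and a one-line pointer to the earlier check in get_reg. The message says every stack access is covered; the diffstat shows six lines, which is plausible but not verifiable from this hunk. All three functions start outside the hunks shown.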
diff --git a/queue-5.4/zram-fix-return-value-on-writeback_store.patch b/queue-5.4/zram-fix-return-value-on-writeback_store.patch
new file mode 100644 (file)
index 0000000..f9fc5a7
--- /dev/null
@@ -0,0 +1,60 @@
+From 57e0076e6575a7b7cef620a0bd2ee2549ef77818 Mon Sep 17 00:00:00 2001
+From: Minchan Kim <minchan@kernel.org>
+Date: Fri, 12 Mar 2021 21:08:38 -0800
+Subject: zram: fix return value on writeback_store
+
+From: Minchan Kim <minchan@kernel.org>
+
+commit 57e0076e6575a7b7cef620a0bd2ee2549ef77818 upstream.
+
+writeback_store's return value is overwritten by submit_bio_wait's return
+value.  Thus, writeback_store will return zero since there was no IO
+error.  In the end, write syscall from userspace will see the zero as
+return value, which could make the process stall to keep trying the write
+until it will succeed.
+
+Link: https://lkml.kernel.org/r/20210312173949.2197662-1-minchan@kernel.org
+Fixes: 3b82a051c101("drivers/block/zram/zram_drv.c: fix error return codes not being returned in writeback_store")
+Signed-off-by: Minchan Kim <minchan@kernel.org>
+Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Colin Ian King <colin.king@canonical.com>
+Cc: John Dias <joaodias@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/zram/zram_drv.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -627,7 +627,7 @@ static ssize_t writeback_store(struct de
+       struct bio_vec bio_vec;
+       struct page *page;
+       ssize_t ret = len;
+-      int mode;
++      int mode, err;
+       unsigned long blk_idx = 0;
+       if (sysfs_streq(buf, "idle"))
+@@ -719,12 +719,17 @@ static ssize_t writeback_store(struct de
+                * XXX: A single page IO would be inefficient for write
+                * but it would be not bad as starter.
+                */
+-              ret = submit_bio_wait(&bio);
+-              if (ret) {
++              err = submit_bio_wait(&bio);
++              if (err) {
+                       zram_slot_lock(zram, index);
+                       zram_clear_flag(zram, index, ZRAM_UNDER_WB);
+                       zram_clear_flag(zram, index, ZRAM_IDLE);
+                       zram_slot_unlock(zram, index);
++                      /*
++                       * Return last IO error unless every IO were
++                       * not suceeded.
++                       */
++                      ret = err;
+                       continue;
+               }