5.8-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Aug 2020 10:35:16 +0000 (12:35 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Aug 2020 10:35:16 +0000 (12:35 +0200)
added patches:
binfmt_flat-revert-binfmt_flat-don-t-offset-the-data-start.patch
io_uring-fix-missing-mm-on-exit.patch

queue-5.8/binfmt_flat-revert-binfmt_flat-don-t-offset-the-data-start.patch [new file with mode: 0644]
queue-5.8/io_uring-fix-missing-mm-on-exit.patch [new file with mode: 0644]
queue-5.8/series

diff --git a/queue-5.8/binfmt_flat-revert-binfmt_flat-don-t-offset-the-data-start.patch b/queue-5.8/binfmt_flat-revert-binfmt_flat-don-t-offset-the-data-start.patch
new file mode 100644 (file)
index 0000000..5ca770f
--- /dev/null
@@ -0,0 +1,93 @@
+From 2217b982624680d19a80ebb4600d05c8586c4f96 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Sat, 8 Aug 2020 11:37:13 -0700
+Subject: binfmt_flat: revert "binfmt_flat: don't offset the data start"
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit 2217b982624680d19a80ebb4600d05c8586c4f96 upstream.
+
+binfmt_flat loader uses the gap between text and data to store data
+segment pointers for the libraries. Even in the absence of shared
+libraries it stores at least one pointer to the executable's own data
+segment. Text and data can go back to back in the flat binary image and
+without offsetting data segment last few instructions in the text
+segment may get corrupted by the data segment pointer.
+
+Fix it by reverting commit a2357223c50a ("binfmt_flat: don't offset the
+data start").
+
+Cc: stable@vger.kernel.org
+Fixes: a2357223c50a ("binfmt_flat: don't offset the data start")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/binfmt_flat.c |   20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/fs/binfmt_flat.c
++++ b/fs/binfmt_flat.c
+@@ -576,7 +576,7 @@ static int load_flat_file(struct linux_b
+                       goto err;
+               }
+-              len = data_len + extra;
++              len = data_len + extra + MAX_SHARED_LIBS * sizeof(unsigned long);
+               len = PAGE_ALIGN(len);
+               realdatastart = vm_mmap(NULL, 0, len,
+                       PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 0);
+@@ -590,7 +590,9 @@ static int load_flat_file(struct linux_b
+                       vm_munmap(textpos, text_len);
+                       goto err;
+               }
+-              datapos = ALIGN(realdatastart, FLAT_DATA_ALIGN);
++              datapos = ALIGN(realdatastart +
++                              MAX_SHARED_LIBS * sizeof(unsigned long),
++                              FLAT_DATA_ALIGN);
+               pr_debug("Allocated data+bss+stack (%u bytes): %lx\n",
+                        data_len + bss_len + stack_len, datapos);
+@@ -620,7 +622,7 @@ static int load_flat_file(struct linux_b
+               memp_size = len;
+       } else {
+-              len = text_len + data_len + extra;
++              len = text_len + data_len + extra + MAX_SHARED_LIBS * sizeof(u32);
+               len = PAGE_ALIGN(len);
+               textpos = vm_mmap(NULL, 0, len,
+                       PROT_READ | PROT_EXEC | PROT_WRITE, MAP_PRIVATE, 0);
+@@ -635,7 +637,9 @@ static int load_flat_file(struct linux_b
+               }
+               realdatastart = textpos + ntohl(hdr->data_start);
+-              datapos = ALIGN(realdatastart, FLAT_DATA_ALIGN);
++              datapos = ALIGN(realdatastart +
++                              MAX_SHARED_LIBS * sizeof(u32),
++                              FLAT_DATA_ALIGN);
+               reloc = (__be32 __user *)
+                       (datapos + (ntohl(hdr->reloc_start) - text_len));
+@@ -652,9 +656,8 @@ static int load_flat_file(struct linux_b
+                                        (text_len + full_data
+                                                 - sizeof(struct flat_hdr)),
+                                        0);
+-                      if (datapos != realdatastart)
+-                              memmove((void *)datapos, (void *)realdatastart,
+-                                              full_data);
++                      memmove((void *) datapos, (void *) realdatastart,
++                                      full_data);
+ #else
+                       /*
+                        * This is used on MMU systems mainly for testing.
+@@ -710,7 +713,8 @@ static int load_flat_file(struct linux_b
+               if (IS_ERR_VALUE(result)) {
+                       ret = result;
+                       pr_err("Unable to read code+data+bss, errno %d\n", ret);
+-                      vm_munmap(textpos, text_len + data_len + extra);
++                      vm_munmap(textpos, text_len + data_len + extra +
++                              MAX_SHARED_LIBS * sizeof(u32));
+                       goto err;
+               }
+       }
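Review bot: The restored gap is sized with `MAX_SHARED_LIBS * sizeof(unsigned long)` on the separate-data path (the `len` and `datapos` lines of the first two inner hunks) but with `MAX_SHARED_LIBS * sizeof(u32)` on the combined text+data path (third, fourth and sixth inner hunks), so on a 64-bit build the two layouts reserve different-sized gaps for what the description calls the same table of library data-segment pointers. That is how the code read before a2357223c50a, so the revert is faithful, but since the gap exists precisely so those stored pointers cannot clobber the tail of the text segment, the slot size on each path should match the element type actually written into the gap — which I cannot confirm from these hunks. A comment at the first `len =` line would stop the next reader from "fixing" one branch in isolation: `/* reserve MAX_SHARED_LIBS slots in front of data for the library data pointers; the slot size must match the type stored there */`. The `memmove` in the fifth inner hunk is now unconditional, which is harmless when `datapos == realdatastart`, but the dropped guard was what made that no-op case visible. load_flat_file's body begins and ends outside these hunks.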
diff --git a/queue-5.8/io_uring-fix-missing-mm-on-exit.patch b/queue-5.8/io_uring-fix-missing-mm-on-exit.patch
new file mode 100644 (file)
index 0000000..af008ff
--- /dev/null
@@ -0,0 +1,51 @@
+From axboe@kernel.dk  Wed Aug 26 12:29:49 2020
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 24 Aug 2020 16:42:35 -0600
+Subject: io_uring: fix missing ->mm on exit
+To: stable@vger.kernel.org
+Message-ID: <eac5cc64-641f-58b9-5f58-7bc1c4393bbb@kernel.dk>
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+Upstream commits:
+
+8eb06d7e8dd85 ("io_uring: fix missing ->mm on exit")
+cbcf72148da4a ("io_uring: return locked and pinned page accounting")
+
+do_exit() first drops current->mm and then runs task_work, from where
+io_sq_thread_acquire_mm() would try to set mm for a user dying process.
+
+[  208.004249] WARNING: CPU: 2 PID: 1854 at
+       kernel/kthread.c:1238 kthread_use_mm+0x244/0x270
+[  208.004287]  kthread_use_mm+0x244/0x270
+[  208.004288]  io_sq_thread_acquire_mm.part.0+0x54/0x80
+[  208.004290]  io_async_task_func+0x258/0x2ac
+[  208.004291]  task_work_run+0xc8/0x210
+[  208.004294]  do_exit+0x1b8/0x430
+[  208.004295]  do_group_exit+0x44/0xac
+[  208.004296]  get_signal+0x164/0x69c
+[  208.004298]  do_signal+0x94/0x1d0
+[  208.004299]  do_notify_resume+0x18c/0x340
+[  208.004300]  work_pending+0x8/0x3d4
+
+Reported-by: Roman Gershman <romange@gmail.com>
+Tested-by: Roman Gershman <romange@gmail.com>
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/io_uring.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -4363,7 +4363,8 @@ static int io_sq_thread_acquire_mm(struc
+                                  struct io_kiocb *req)
+ {
+       if (io_op_defs[req->opcode].needs_mm && !current->mm) {
+-              if (unlikely(!mmget_not_zero(ctx->sqo_mm)))
++              if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL) ||
++                           !mmget_not_zero(ctx->sqo_mm)))
+                       return -EFAULT;
+               kthread_use_mm(ctx->sqo_mm);
+       }
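Review bot: The added `!(ctx->flags & IORING_SETUP_SQPOLL)` test makes the function return -EFAULT for any non-SQPOLL ring whose task has no `current->mm`, and nothing in the hunk says why that state is reachable or why failing is the right outcome; the description (do_exit() drops the mm before task_work runs) carries that reasoning and it belongs next to the check. If my reading of the description is right, I would add above the inner `if`: `/* current->mm is NULL here only for an exiting task (do_exit() drops it before task_work runs); only adopt sqo_mm for an SQPOLL ring, otherwise fail the request. */`. The description also lists cbcf72148da4a ("io_uring: return locked and pinned page accounting") as an upstream source, but the single visible hunk matches only the first commit's subject; if that commit is merely context for this backport, a sentence saying so would help, otherwise it reads as though part of the backport was dropped. io_sq_thread_acquire_mm continues past the end of the hunk.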
index 703f079899050ea602a8aac2b8a5d281f295b04d..1d314fd9e1b9e71bbf3ab3e40c60f0e22d2df588 100644 (file)
@@ -12,3 +12,5 @@ ethtool-fix-preserving-of-wanted-feature-bits-in-netlink-interface.patch
 ethtool-account-for-hw_features-in-netlink-interface.patch
 ethtool-don-t-omit-the-netlink-reply-if-no-features-were-changed.patch
 netlink-fix-state-reallocation-in-policy-export.patch
+io_uring-fix-missing-mm-on-exit.patch
+binfmt_flat-revert-binfmt_flat-don-t-offset-the-data-start.patch