From: Greg Kroah-Hartman Date: Wed, 26 Aug 2020 10:35:16 +0000 (+0200) Subject: 5.8-stable patches X-Git-Tag: v5.7.19~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=da807ef756e9016f0ce569a981e4b0039eb20ab6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.8-stable patches added patches: binfmt_flat-revert-binfmt_flat-don-t-offset-the-data-start.patch io_uring-fix-missing-mm-on-exit.patch
---
diff --git a/queue-5.8/binfmt_flat-revert-binfmt_flat-don-t-offset-the-data-start.patch b/queue-5.8/binfmt_flat-revert-binfmt_flat-don-t-offset-the-data-start.patch
new file mode 100644
index 00000000000..5ca770fd0a3
--- /dev/null
+++ b/queue-5.8/binfmt_flat-revert-binfmt_flat-don-t-offset-the-data-start.patch
@@ -0,0 +1,93 @@
+From 2217b982624680d19a80ebb4600d05c8586c4f96 Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Sat, 8 Aug 2020 11:37:13 -0700
+Subject: binfmt_flat: revert "binfmt_flat: don't offset the data start"
+
+From: Max Filippov
+
+commit 2217b982624680d19a80ebb4600d05c8586c4f96 upstream.
+
+binfmt_flat loader uses the gap between text and data to store data
+segment pointers for the libraries. Even in the absence of shared
+libraries it stores at least one pointer to the executable's own data
+segment. Text and data can go back to back in the flat binary image and
+without offsetting data segment last few instructions in the text
+segment may get corrupted by the data segment pointer.
+
+Fix it by reverting commit a2357223c50a ("binfmt_flat: don't offset the
+data start").
+
+Cc: stable@vger.kernel.org
+Fixes: a2357223c50a ("binfmt_flat: don't offset the data start")
+Signed-off-by: Max Filippov
+Signed-off-by: Greg Ungerer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/binfmt_flat.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/fs/binfmt_flat.c
++++ b/fs/binfmt_flat.c
+@@ -576,7 +576,7 @@ static int load_flat_file(struct linux_b
+ goto err;
+ }
+
+- len = data_len + extra;
++ len = data_len + extra + MAX_SHARED_LIBS * sizeof(unsigned long);
+ len = PAGE_ALIGN(len);
+ realdatastart = vm_mmap(NULL, 0, len,
+ PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 0);
+@@ -590,7 +590,9 @@ static int load_flat_file(struct linux_b
+ vm_munmap(textpos, text_len);
+ goto err;
+ }
+- datapos = ALIGN(realdatastart, FLAT_DATA_ALIGN);
++ datapos = ALIGN(realdatastart +
++ MAX_SHARED_LIBS * sizeof(unsigned long),
++ FLAT_DATA_ALIGN);
+
+ pr_debug("Allocated data+bss+stack (%u bytes): %lx\n",
+ data_len + bss_len + stack_len, datapos);
+@@ -620,7 +622,7 @@ static int load_flat_file(struct linux_b
+ memp_size = len;
+ } else {
+
+- len = text_len + data_len + extra;
++ len = text_len + data_len + extra + MAX_SHARED_LIBS * sizeof(u32);
+ len = PAGE_ALIGN(len);
+ textpos = vm_mmap(NULL, 0, len,
+ PROT_READ | PROT_EXEC | PROT_WRITE, MAP_PRIVATE, 0);
+@@ -635,7 +637,9 @@ static int load_flat_file(struct linux_b
+ }
+
+ realdatastart = textpos + ntohl(hdr->data_start);
+- datapos = ALIGN(realdatastart, FLAT_DATA_ALIGN);
++ datapos = ALIGN(realdatastart +
++ MAX_SHARED_LIBS * sizeof(u32),
++ FLAT_DATA_ALIGN);
+
+ reloc = (__be32 __user *)
+ (datapos + (ntohl(hdr->reloc_start) - text_len));
+@@ -652,9 +656,8 @@ static int load_flat_file(struct linux_b
+ (text_len + full_data
+ - sizeof(struct flat_hdr)),
+ 0);
+- if (datapos != realdatastart)
+- memmove((void *)datapos, (void *)realdatastart,
+- full_data);
++ memmove((void *) datapos, (void *) realdatastart,
++ full_data);
+ #else
+ /*
+ * This is used on MMU systems mainly for testing.
+@@ -710,7 +713,8 @@ static int load_flat_file(struct linux_b
+ if (IS_ERR_VALUE(result)) {
+ ret = result;
+ pr_err("Unable to read code+data+bss, errno %d\n", ret);
+- vm_munmap(textpos, text_len + data_len + extra);
++ vm_munmap(textpos, text_len + data_len + extra +
++ MAX_SHARED_LIBS * sizeof(u32));
+ goto err;
+ }
+ }
diff --git a/queue-5.8/io_uring-fix-missing-mm-on-exit.patch b/queue-5.8/io_uring-fix-missing-mm-on-exit.patch
new file mode 100644
index 00000000000..af008ff5a1d
--- /dev/null
+++ b/queue-5.8/io_uring-fix-missing-mm-on-exit.patch
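Review bot: The gap restored in front of the data segment is sized with two different element types: `MAX_SHARED_LIBS * sizeof(unsigned long)` in the separate text/data branch (hunks at -576 and -590) but `MAX_SHARED_LIBS * sizeof(u32)` in the copy-to-RAM branch (hunks at -620, -635 and -710). The description says this gap holds data-segment pointers; if those are stored as unsigned long, as the first branch's sizing suggests (the store itself is outside this patch), the second branch reserves only half the needed space on a 64-bit target and the tail of the text segment could still be overwritten unless the FLAT_DATA_ALIGN rounding happens to cover it. That mismatch is inherited from the code being restored rather than introduced by the revert, so it does not block taking it into stable, but it deserves a follow-up that uses one element size, e.g. `sizeof(unsigned long)`, in all five places. load_flat_file begins before these hunks and continues after them.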
@@ -0,0 +1,51 @@
+From axboe@kernel.dk Wed Aug 26 12:29:49 2020
+From: Jens Axboe
+Date: Mon, 24 Aug 2020 16:42:35 -0600
+Subject: io_uring: fix missing ->mm on exit
+To: stable@vger.kernel.org
+Message-ID:
+
+From: Pavel Begunkov
+
+Upstream commits:
+
+8eb06d7e8dd85 ("io_uring: fix missing ->mm on exit")
+cbcf72148da4a ("io_uring: return locked and pinned page accounting")
+
+do_exit() first drops current->mm and then runs task_work, from where
+io_sq_thread_acquire_mm() would try to set mm for a user dying process.
+
+[ 208.004249] WARNING: CPU: 2 PID: 1854 at
+ kernel/kthread.c:1238 kthread_use_mm+0x244/0x270
+[ 208.004287] kthread_use_mm+0x244/0x270
+[ 208.004288] io_sq_thread_acquire_mm.part.0+0x54/0x80
+[ 208.004290] io_async_task_func+0x258/0x2ac
+[ 208.004291] task_work_run+0xc8/0x210
+[ 208.004294] do_exit+0x1b8/0x430
+[ 208.004295] do_group_exit+0x44/0xac
+[ 208.004296] get_signal+0x164/0x69c
+[ 208.004298] do_signal+0x94/0x1d0
+[ 208.004299] do_notify_resume+0x18c/0x340
+[ 208.004300] work_pending+0x8/0x3d4
+
+Reported-by: Roman Gershman
+Tested-by: Roman Gershman
+Signed-off-by: Pavel Begunkov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/io_uring.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -4363,7 +4363,8 @@ static int io_sq_thread_acquire_mm(struc
+ struct io_kiocb *req)
+ {
+ if (io_op_defs[req->opcode].needs_mm && !current->mm) {
+- if (unlikely(!mmget_not_zero(ctx->sqo_mm)))
++ if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL) ||
++ !mmget_not_zero(ctx->sqo_mm)))
+ return -EFAULT;
+ kthread_use_mm(ctx->sqo_mm);
+ }
diff --git a/queue-5.8/series b/queue-5.8/series
index 703f0798990..1d314fd9e1b 100644
--- a/queue-5.8/series
+++ b/queue-5.8/series
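Review bot: The widened condition at -4363 carries no comment, so a reader of the code alone cannot tell why a ring without IORING_SETUP_SQPOLL that finds `current->mm` NULL should fail with -EFAULT rather than being treated as an impossible state; only the patch description (do_exit() drops ->mm before task_work runs) explains it. A comment above the `if`, such as `/* Only an SQPOLL ring may borrow sqo_mm; a task with no ->mm here is exiting, so fail instead of attaching an mm to it. */`, would keep that rationale next to the code. The header also lists two upstream commits (8eb06d7e8dd85 and cbcf72148da4a) while the diff carries only the one-hunk ->mm change, so it should say which part of the second commit is included or why it is cited. io_sq_thread_acquire_mm's signature starts before the hunk and the function continues after it.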
@@ -12,3 +12,5 @@ ethtool-fix-preserving-of-wanted-feature-bits-in-netlink-interface.patch
 ethtool-account-for-hw_features-in-netlink-interface.patch
 ethtool-don-t-omit-the-netlink-reply-if-no-features-were-changed.patch
 netlink-fix-state-reallocation-in-policy-export.patch
+io_uring-fix-missing-mm-on-exit.patch
+binfmt_flat-revert-binfmt_flat-don-t-offset-the-data-start.patch