--- /dev/null
+From e7850f4d844e0acfac7e570af611d89deade3146 Mon Sep 17 00:00:00 2001
+From: Lior Ribak <liorribak@gmail.com>
+Date: Fri, 12 Mar 2021 21:07:41 -0800
+Subject: binfmt_misc: fix possible deadlock in bm_register_write
+
+From: Lior Ribak <liorribak@gmail.com>
+
+commit e7850f4d844e0acfac7e570af611d89deade3146 upstream.
+
+There is a deadlock in bm_register_write:
+
+First, in the begining of the function, a lock is taken on the binfmt_misc
+root inode with inode_lock(d_inode(root)).
+
+Then, if the user used the MISC_FMT_OPEN_FILE flag, the function will call
+open_exec on the user-provided interpreter.
+
+open_exec will call a path lookup, and if the path lookup process includes
+the root of binfmt_misc, it will try to take a shared lock on its inode
+again, but it is already locked, and the code will get stuck in a deadlock
+
+To reproduce the bug:
+$ echo ":iiiii:E::ii::/proc/sys/fs/binfmt_misc/bla:F" > /proc/sys/fs/binfmt_misc/register
+
+backtrace of where the lock occurs (#5):
+0 schedule () at ./arch/x86/include/asm/current.h:15
+1 0xffffffff81b51237 in rwsem_down_read_slowpath (sem=0xffff888003b202e0, count=<optimized out>, state=state@entry=2) at kernel/locking/rwsem.c:992
+2 0xffffffff81b5150a in __down_read_common (state=2, sem=<optimized out>) at kernel/locking/rwsem.c:1213
+3 __down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1222
+4 down_read (sem=<optimized out>) at kernel/locking/rwsem.c:1355
+5 0xffffffff811ee22a in inode_lock_shared (inode=<optimized out>) at ./include/linux/fs.h:783
+6 open_last_lookups (op=0xffffc9000022fe34, file=0xffff888004098600, nd=0xffffc9000022fd10) at fs/namei.c:3177
+7 path_openat (nd=nd@entry=0xffffc9000022fd10, op=op@entry=0xffffc9000022fe34, flags=flags@entry=65) at fs/namei.c:3366
+8 0xffffffff811efe1c in do_filp_open (dfd=<optimized out>, pathname=pathname@entry=0xffff8880031b9000, op=op@entry=0xffffc9000022fe34) at fs/namei.c:3396
+9 0xffffffff811e493f in do_open_execat (fd=fd@entry=-100, name=name@entry=0xffff8880031b9000, flags=<optimized out>, flags@entry=0) at fs/exec.c:913
+10 0xffffffff811e4a92 in open_exec (name=<optimized out>) at fs/exec.c:948
+11 0xffffffff8124aa84 in bm_register_write (file=<optimized out>, buffer=<optimized out>, count=19, ppos=<optimized out>) at fs/binfmt_misc.c:682
+12 0xffffffff811decd2 in vfs_write (file=file@entry=0xffff888004098500, buf=buf@entry=0xa758d0 ":iiiii:E::ii::i:CF
+", count=count@entry=19, pos=pos@entry=0xffffc9000022ff10) at fs/read_write.c:603
+13 0xffffffff811defda in ksys_write (fd=<optimized out>, buf=0xa758d0 ":iiiii:E::ii::i:CF
+", count=19) at fs/read_write.c:658
+14 0xffffffff81b49813 in do_syscall_64 (nr=<optimized out>, regs=0xffffc9000022ff58) at arch/x86/entry/common.c:46
+15 0xffffffff81c0007c in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:120
+
+To solve the issue, the open_exec call is moved to before the write
+lock is taken by bm_register_write
+
+Link: https://lkml.kernel.org/r/20210228224414.95962-1-liorribak@gmail.com
+Fixes: 948b701a607f1 ("binfmt_misc: add persistent opened binary handler for containers")
+Signed-off-by: Lior Ribak <liorribak@gmail.com>
+Acked-by: Helge Deller <deller@gmx.de>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/binfmt_misc.c | 29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -694,12 +694,24 @@ static ssize_t bm_register_write(struct
+ struct super_block *sb = file_inode(file)->i_sb;
+ struct dentry *root = sb->s_root, *dentry;
+ int err = 0;
++ struct file *f = NULL;
+
+ e = create_entry(buffer, count);
+
+ if (IS_ERR(e))
+ return PTR_ERR(e);
+
++ if (e->flags & MISC_FMT_OPEN_FILE) {
++ f = open_exec(e->interpreter);
++ if (IS_ERR(f)) {
++ pr_notice("register: failed to install interpreter file %s\n",
++ e->interpreter);
++ kfree(e);
++ return PTR_ERR(f);
++ }
++ e->interp_file = f;
++ }
++
+ inode_lock(d_inode(root));
+ dentry = lookup_one_len(e->name, root, strlen(e->name));
+ err = PTR_ERR(dentry);
+@@ -723,21 +735,6 @@ static ssize_t bm_register_write(struct
+ goto out2;
+ }
+
+- if (e->flags & MISC_FMT_OPEN_FILE) {
+- struct file *f;
+-
+- f = open_exec(e->interpreter);
+- if (IS_ERR(f)) {
+- err = PTR_ERR(f);
+- pr_notice("register: failed to install interpreter file %s\n", e->interpreter);
+- simple_release_fs(&bm_mnt, &entry_count);
+- iput(inode);
+- inode = NULL;
+- goto out2;
+- }
+- e->interp_file = f;
+- }
+-
+ e->dentry = dget(dentry);
+ inode->i_private = e;
+ inode->i_fop = &bm_entry_operations;
+@@ -754,6 +751,8 @@ out:
+ inode_unlock(d_inode(root));
+
+ if (err) {
++ if (f)
++ filp_close(f, NULL);
+ kfree(e);
+ return err;
+ }
--- /dev/null
+From cea15316ceee2d4a51dfdecd79e08a438135416c Mon Sep 17 00:00:00 2001
+From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
+Date: Thu, 4 Mar 2021 07:34:11 +0530
+Subject: powerpc/64s: Fix instruction encoding for lis in ppc_function_entry()
+
+From: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+
+commit cea15316ceee2d4a51dfdecd79e08a438135416c upstream.
+
+'lis r2,N' is 'addis r2,0,N' and the instruction encoding in the macro
+LIS_R2 is incorrect (it currently maps to 'addis r0,r2,N'). Fix the
+same.
+
+Fixes: c71b7eff426f ("powerpc: Add ABIv2 support to ppc_function_entry")
+Cc: stable@vger.kernel.org # v3.16+
+Reported-by: Jiri Olsa <jolsa@redhat.com>
+Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Acked-by: Segher Boessenkool <segher@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210304020411.16796-1-naveen.n.rao@linux.vnet.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/code-patching.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/code-patching.h
++++ b/arch/powerpc/include/asm/code-patching.h
+@@ -51,7 +51,7 @@ void __patch_exception(int exc, unsigned
+ #endif
+
+ #define OP_RT_RA_MASK 0xffff0000UL
+-#define LIS_R2 0x3c020000UL
++#define LIS_R2 0x3c400000UL
+ #define ADDIS_R2_R12 0x3c4c0000UL
+ #define ADDI_R2_R2 0x38420000UL
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
