From 910c0fbdaf6adeb1026b276b9190377fb112d3d5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 15 Mar 2021 09:57:03 +0100 Subject: [PATCH] 4.14-stable patches added patches: binfmt_misc-fix-possible-deadlock-in-bm_register_write.patch powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch --- ...ssible-deadlock-in-bm_register_write.patch | 118 ++++++++++++++++++ ...coding-for-lis-in-ppc_function_entry.patch | 36 ++++++ queue-4.14/series | 2 + 3 files changed, 156 insertions(+) create mode 100644 queue-4.14/binfmt_misc-fix-possible-deadlock-in-bm_register_write.patch create mode 100644 queue-4.14/powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch diff --git a/queue-4.14/binfmt_misc-fix-possible-deadlock-in-bm_register_write.patch b/queue-4.14/binfmt_misc-fix-possible-deadlock-in-bm_register_write.patch new file mode 100644 index 00000000000..dddcd0b412d --- /dev/null +++ b/queue-4.14/binfmt_misc-fix-possible-deadlock-in-bm_register_write.patch @@ -0,0 +1,118 @@ +From e7850f4d844e0acfac7e570af611d89deade3146 Mon Sep 17 00:00:00 2001 +From: Lior Ribak +Date: Fri, 12 Mar 2021 21:07:41 -0800 +Subject: binfmt_misc: fix possible deadlock in bm_register_write + +From: Lior Ribak + +commit e7850f4d844e0acfac7e570af611d89deade3146 upstream. + +There is a deadlock in bm_register_write: + +First, in the begining of the function, a lock is taken on the binfmt_misc +root inode with inode_lock(d_inode(root)). + +Then, if the user used the MISC_FMT_OPEN_FILE flag, the function will call +open_exec on the user-provided interpreter. + +open_exec will call a path lookup, and if the path lookup process includes +the root of binfmt_misc, it will try to take a shared lock on its inode +again, but it is already locked, and the code will get stuck in a deadlock + +To reproduce the bug: +$ echo ":iiiii:E::ii::/proc/sys/fs/binfmt_misc/bla:F" > /proc/sys/fs/binfmt_misc/register + +backtrace of where the lock occurs (#5): +0 schedule () at ./arch/x86/include/asm/current.h:15 +1 0xffffffff81b51237 in rwsem_down_read_slowpath (sem=0xffff888003b202e0, count=, state=state@entry=2) at kernel/locking/rwsem.c:992 +2 0xffffffff81b5150a in __down_read_common (state=2, sem=) at kernel/locking/rwsem.c:1213 +3 __down_read (sem=) at kernel/locking/rwsem.c:1222 +4 down_read (sem=) at kernel/locking/rwsem.c:1355 +5 0xffffffff811ee22a in inode_lock_shared (inode=) at ./include/linux/fs.h:783 +6 open_last_lookups (op=0xffffc9000022fe34, file=0xffff888004098600, nd=0xffffc9000022fd10) at fs/namei.c:3177 +7 path_openat (nd=nd@entry=0xffffc9000022fd10, op=op@entry=0xffffc9000022fe34, flags=flags@entry=65) at fs/namei.c:3366 +8 0xffffffff811efe1c in do_filp_open (dfd=, pathname=pathname@entry=0xffff8880031b9000, op=op@entry=0xffffc9000022fe34) at fs/namei.c:3396 +9 0xffffffff811e493f in do_open_execat (fd=fd@entry=-100, name=name@entry=0xffff8880031b9000, flags=, flags@entry=0) at fs/exec.c:913 +10 0xffffffff811e4a92 in open_exec (name=) at fs/exec.c:948 +11 0xffffffff8124aa84 in bm_register_write (file=, buffer=, count=19, ppos=) at fs/binfmt_misc.c:682 +12 0xffffffff811decd2 in vfs_write (file=file@entry=0xffff888004098500, buf=buf@entry=0xa758d0 ":iiiii:E::ii::i:CF +", count=count@entry=19, pos=pos@entry=0xffffc9000022ff10) at fs/read_write.c:603 +13 0xffffffff811defda in ksys_write (fd=, buf=0xa758d0 ":iiiii:E::ii::i:CF +", count=19) at fs/read_write.c:658 +14 0xffffffff81b49813 in do_syscall_64 (nr=, regs=0xffffc9000022ff58) at arch/x86/entry/common.c:46 +15 0xffffffff81c0007c in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:120 + +To solve the issue, the open_exec call is moved to before the write +lock is taken by bm_register_write + +Link: https://lkml.kernel.org/r/20210228224414.95962-1-liorribak@gmail.com +Fixes: 948b701a607f1 ("binfmt_misc: add persistent opened binary handler for containers") +Signed-off-by: Lior Ribak +Acked-by: Helge Deller +Cc: Al Viro +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/binfmt_misc.c | 29 ++++++++++++++--------------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +--- a/fs/binfmt_misc.c ++++ b/fs/binfmt_misc.c +@@ -694,12 +694,24 @@ static ssize_t bm_register_write(struct + struct super_block *sb = file_inode(file)->i_sb; + struct dentry *root = sb->s_root, *dentry; + int err = 0; ++ struct file *f = NULL; + + e = create_entry(buffer, count); + + if (IS_ERR(e)) + return PTR_ERR(e); + ++ if (e->flags & MISC_FMT_OPEN_FILE) { ++ f = open_exec(e->interpreter); ++ if (IS_ERR(f)) { ++ pr_notice("register: failed to install interpreter file %s\n", ++ e->interpreter); ++ kfree(e); ++ return PTR_ERR(f); ++ } ++ e->interp_file = f; ++ } ++ + inode_lock(d_inode(root)); + dentry = lookup_one_len(e->name, root, strlen(e->name)); + err = PTR_ERR(dentry); +@@ -723,21 +735,6 @@ static ssize_t bm_register_write(struct + goto out2; + } + +- if (e->flags & MISC_FMT_OPEN_FILE) { +- struct file *f; +- +- f = open_exec(e->interpreter); +- if (IS_ERR(f)) { +- err = PTR_ERR(f); +- pr_notice("register: failed to install interpreter file %s\n", e->interpreter); +- simple_release_fs(&bm_mnt, &entry_count); +- iput(inode); +- inode = NULL; +- goto out2; +- } +- e->interp_file = f; +- } +- + e->dentry = dget(dentry); + inode->i_private = e; + inode->i_fop = &bm_entry_operations; +@@ -754,6 +751,8 @@ out: + inode_unlock(d_inode(root)); + + if (err) { ++ if (f) ++ filp_close(f, NULL); + kfree(e); + return err; + } diff --git a/queue-4.14/powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch b/queue-4.14/powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch new file mode 100644 index 00000000000..4e0ce16880a --- /dev/null +++ b/queue-4.14/powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch @@ -0,0 +1,36 @@ +From cea15316ceee2d4a51dfdecd79e08a438135416c Mon Sep 17 00:00:00 2001 +From: "Naveen N. Rao" +Date: Thu, 4 Mar 2021 07:34:11 +0530 +Subject: powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() + +From: Naveen N. Rao + +commit cea15316ceee2d4a51dfdecd79e08a438135416c upstream. + +'lis r2,N' is 'addis r2,0,N' and the instruction encoding in the macro +LIS_R2 is incorrect (it currently maps to 'addis r0,r2,N'). Fix the +same. + +Fixes: c71b7eff426f ("powerpc: Add ABIv2 support to ppc_function_entry") +Cc: stable@vger.kernel.org # v3.16+ +Reported-by: Jiri Olsa +Signed-off-by: Naveen N. Rao +Acked-by: Segher Boessenkool +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210304020411.16796-1-naveen.n.rao@linux.vnet.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/code-patching.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/code-patching.h ++++ b/arch/powerpc/include/asm/code-patching.h +@@ -51,7 +51,7 @@ void __patch_exception(int exc, unsigned + #endif + + #define OP_RT_RA_MASK 0xffff0000UL +-#define LIS_R2 0x3c020000UL ++#define LIS_R2 0x3c400000UL + #define ADDIS_R2_R12 0x3c4c0000UL + #define ADDI_R2_R2 0x38420000UL + diff --git a/queue-4.14/series b/queue-4.14/series index 35c9b3980fa..1099d872aad 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -85,3 +85,5 @@ configfs-fix-a-use-after-free-in-__configfs_open_fil.patch stop_machine-mark-helpers-__always_inline.patch include-linux-sched-mm.h-use-rcu_dereference-in-in_v.patch prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch +powerpc-64s-fix-instruction-encoding-for-lis-in-ppc_function_entry.patch +binfmt_misc-fix-possible-deadlock-in-bm_register_write.patch -- 2.47.3