Revert "exec: don't WARN for racy path_noexec check"


 



From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

This reverts commit d62ba2a5536df83473a2ac15ab302258e3845251 which is
commit 0d196e7589cefe207d5d41f37a0a28a1fdeeb7c6 upstream.

A later commit needs to be reverted so revert this one as well to allow
that to happen properly.

Cc: Mateusz Guzik <mjguzik@xxxxxxxxx>
Cc: Christian Brauner <brauner@xxxxxxxxxx>
Cc: Sasha Levin <sashal@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/exec.c |   33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

--- a/fs/exec.c
+++ b/fs/exec.c
@@ -145,11 +145,13 @@ SYSCALL_DEFINE1(uselib, const char __use
 		goto out;
 
 	/*
-	 * Check do_open_execat() for an explanation.
+	 * may_open() has already checked for this, so it should be
+	 * impossible to trip now. But we need to be extra cautious
+	 * and check again at the very end too.
 	 */
 	error = -EACCES;
-	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) ||
-	    path_noexec(&file->f_path))
+	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) ||
+			 path_noexec(&file->f_path)))
 		goto exit;
 
 	error = -ENOEXEC;
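Review bot: The restored condition `WARN_ON_ONCE(!S_ISREG(...) || path_noexec(&file->f_path))` puts the path_noexec() test back inside the warning, even though the title of the commit being reverted calls that check racy. If the noexec state of the mount can change between may_open() and this point (presumably the race meant), an ordinary remount would raise a kernel warning, and on hosts running with panic_on_warn that is a crash instead of a plain -EACCES. The same condition comes back in do_open_execat() in the last hunk. Since this revert exists only to let a later revert apply, the commit message should say whether the upstream fix will be re-applied afterwards; the form that limits the warning to the real invariant is `if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) || path_noexec(&file->f_path))`. The uselib body starts and ends outside this hunk.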
@@ -953,6 +955,7 @@ EXPORT_SYMBOL(transfer_args_to_stack);
 static struct file *do_open_execat(int fd, struct filename *name, int flags)
 {
 	struct file *file;
+	int err;
 	struct open_flags open_exec_flags = {
 		.open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
 		.acc_mode = MAY_EXEC,
@@ -969,20 +972,24 @@ static struct file *do_open_execat(int f
 
 	file = do_filp_open(fd, name, &open_exec_flags);
 	if (IS_ERR(file))
-		return file;
+		goto out;
 
 	/*
-	 * In the past the regular type check was here. It moved to may_open() in
-	 * 633fb6ac3980 ("exec: move S_ISREG() check earlier"). Since then it is
-	 * an invariant that all non-regular files error out before we get here.
-	 */
-	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)) ||
-	    path_noexec(&file->f_path)) {
-		fput(file);
-		return ERR_PTR(-EACCES);
-	}
+	 * may_open() has already checked for this, so it should be
+	 * impossible to trip now. But we need to be extra cautious
+	 * and check again at the very end too.
+	 */
+	err = -EACCES;
+	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) ||
+			 path_noexec(&file->f_path)))
+		goto exit;
 
+out:
 	return file;
+
+exit:
+	fput(file);
+	return ERR_PTR(err);
 }
 
 /**
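Review bot: The restored comment in do_open_execat() says the condition "should be impossible to trip", but the text it replaces supported that only for the S_ISREG() half, citing 633fb6ac3980 for the invariant. Nothing visible here gives the same guarantee for path_noexec(). I would keep the reference to that commit and separate the two halves, for example `/* S_ISREG() is guaranteed by may_open(); path_noexec() is re-checked because mount flags may have changed since. */`. The second clause of that comment is my reading of the "racy" wording in the reverted commit's title and should be confirmed. The same comment is restored in uselib in the first hunk.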


Patches currently in stable-queue which might be from gregkh@xxxxxxxxxxxxxxxxxxx are

queue-6.11/usb-chaoskey-fail-open-after-removal.patch
queue-6.11/kvm-arm64-vgic-v3-sanitise-guest-writes-to-gicr_invlpir.patch
queue-6.11/xhci-don-t-issue-reset-device-command-to-etron-xhci-host.patch
queue-6.11/io_uring-fix-corner-case-forgetting-to-vunmap.patch
queue-6.11/asoc-amd-yc-add-a-quirk-for-microfone-on-lenovo-thinkpad-p14s-gen-5-21mes00b00.patch
queue-6.11/pci-fix-use-after-free-of-slot-bus-on-hot-remove.patch
queue-6.11/spi-fix-acpi-deferred-irq-probe.patch
queue-6.11/dt-bindings-pinctrl-samsung-fix-interrupt-constraint-for-variants-with-fallbacks.patch
queue-6.11/irqdomain-always-associate-interrupts-for-legacy-domains.patch
queue-6.11/kvm-x86-switch-hugepage-recovery-thread-to-vhost_task.patch
queue-6.11/clk-clk-loongson2-fix-memory-corruption-bug-in-struct-loongson2_clk_provider.patch
queue-6.11/apparmor-test-fix-memory-leak-for-aa_unpack_strdup.patch
queue-6.11/xen-fix-the-issue-of-resource-not-being-properly-released-in-xenbus_dev_probe.patch
queue-6.11/asoc-intel-sst-fix-used-of-uninitialized-ctx-to-log-an-error.patch
queue-6.11/bluetooth-fix-type-of-len-in-rfcomm_sock_getsockopt-_old.patch
queue-6.11/dt-bindings-iio-dac-ad3552r-fix-maximum-spi-speed.patch
queue-6.11/net_sched-sch_fq-don-t-follow-the-fast-path-if-tx-is-behind-now.patch
queue-6.11/parisc-ftrace-fix-function-graph-tracing-disablement.patch
queue-6.11/ext4-fix-fs_ioc_getfsmap-handling.patch
queue-6.11/ext4-supress-data-race-warnings-in-ext4_free_inodes_-count-set.patch
queue-6.11/wifi-brcmfmac-release-root-node-in-all-execution-paths.patch
queue-6.11/asoc-codecs-fix-atomicity-violation-in-snd_soc_component_get_drvdata.patch
queue-6.11/usb-yurex-make-waiting-on-yurex_write-interruptible.patch
queue-6.11/wifi-nl80211-fix-bounds-checker-error-in-nl80211_parse_sched_scan.patch
queue-6.11/usb-typec-fix-potential-array-underflow-in-ucsi_ccg_.patch
queue-6.11/mtd-spi-nor-core-replace-dummy-buswidth-from-addr-to-data.patch
queue-6.11/soc-qcom-socinfo-fix-revision-check-in-qcom_socinfo_probe.patch
queue-6.11/comedi-flush-partial-mappings-in-error-case.patch
queue-6.11/usb-typec-use-cleanup-facility-for-altmodes_node.patch
queue-6.11/exfat-fix-uninit-value-in-__exfat_get_dentry_set.patch
queue-6.11/arm-dts-omap36xx-declare-1ghz-opp-as-turbo-again.patch
queue-6.11/kvm-arm64-ignore-pmcntenset_el0-while-checking-for-overflow-status.patch
queue-6.11/wifi-ath12k-fix-crash-when-unbinding.patch
queue-6.11/kvm-arm64-get-rid-of-userspace_irqchip_in_use.patch
queue-6.11/serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch
queue-6.11/loongarch-explicitly-specify-code-model-in-makefile.patch
queue-6.11/asoc-da7213-populate-max_register-to-regmap_config.patch
queue-6.11/usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch
queue-6.11/rust-kernel-fix-this_module-header-path-in-thismodul.patch
queue-6.11/clk-clk-loongson2-fix-potential-buffer-overflow-in-flexible-array-member-access.patch
queue-6.11/revert-usb-gadget-composite-fix-os-descriptors-w_value-logic.patch
queue-6.11/kvm-arm64-vgic-its-clear-dte-when-mapd-unmaps-a-device.patch
queue-6.11/blk-settings-round-down-io_opt-to-physical_block_size.patch
queue-6.11/dm-bufio-fix-warnings-about-duplicate-slab-caches.patch
queue-6.11/usb-chaoskey-fix-possible-deadlock-chaoskey_list_loc.patch
queue-6.11/usb-xhci-limit-stop-endpoint-retries.patch
queue-6.11/usb-gadget-uvc-wake-pump-everytime-we-update-the-fre.patch
queue-6.11/usb-using-mutex-lock-and-supporting-o_nonblock-flag-.patch
queue-6.11/crypto-x86-aegis128-access-32-bit-arguments-as-32-bit.patch
queue-6.11/cpufreq-mediatek-hw-fix-wrong-return-value-in-mtk_cpufreq_get_cpu_power.patch
queue-6.11/wifi-ath12k-fix-warning-when-unbinding.patch
queue-6.11/kvm-x86-mmu-skip-the-try-unsync-path-iff-the-old-spte-was-a-leaf-spte.patch
queue-6.11/iio-dac-adi-axi-dac-fix-wrong-register-bitfield.patch
queue-6.11/tools-nolibc-s390-include-std.h.patch
queue-6.11/phy-realtek-usb-fix-null-deref-in-rtk_usb2phy_probe.patch
queue-6.11/jfs-xattr-check-invalid-xattr-size-more-strictly.patch
queue-6.11/fsnotify-fix-sending-inotify-event-with-unexpected-filename.patch
queue-6.11/powerpc-pseries-fix-kvm-guest-detection-for-disabling-hardlockup-detector.patch
queue-6.11/xhci-don-t-perform-soft-retry-for-etron-xhci-host.patch
queue-6.11/revert-serial-sh-sci-clean-sci_ports-after-at-earlycon-exit.patch
queue-6.11/kvm-arm64-don-t-retire-aborted-mmio-instruction.patch
queue-6.11/f2fs-fix-fiemap-failure-issue-when-page-size-is-16kb.patch
queue-6.11/smb-client-fix-null-ptr-deref-in-crypto_aead_setkey.patch
queue-6.11/locking-lockdep-avoid-creating-new-name-string-literals-in-lockdep_set_subclass.patch
queue-6.11/pinctrl-qcom-spmi-fix-debugfs-drive-strength.patch
queue-6.11/kvm-arm64-vgic-its-add-a-data-length-check-in-vgic_its_save_.patch
queue-6.11/dm-cache-fix-warnings-about-duplicate-slab-caches.patch
queue-6.11/platform-chrome-cros_ec_typec-fix-missing-fwnode-reference-decrement.patch
queue-6.11/firmware_loader-fix-possible-resource-leak-in-fw_log.patch
queue-6.11/ksmbd-fix-use-after-free-in-smb-request-handling.patch
queue-6.11/wifi-rtlwifi-drastically-reduce-the-attempts-to-read-efuse-in-case-of-failures.patch
queue-6.11/tty-ldsic-fix-tty_ldisc_autoload-sysctl-s-proc_handler.patch
queue-6.11/gpio-exar-set-value-when-external-pull-up-or-pull-down-is-present.patch
queue-6.11/netfilter-ipset-add-missing-range-check-in-bitmap_ip_uadt.patch
queue-6.11/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
queue-6.11/exfat-fix-out-of-bounds-access-of-directory-entries.patch
queue-6.11/io_uring-check-for-overflows-in-io_pin_pages.patch
queue-6.11/revert-fs-don-t-block-i_writecount-during-exec.patch
queue-6.11/alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch
queue-6.11/xhci-fix-control-transfer-error-on-etron-xhci-host.patch
queue-6.11/risc-v-scalar-unaligned-access-emulated-on-hotplug-cpus.patch
queue-6.11/compiler-attributes-disable-__counted_by-for-clang-19.1.3.patch
queue-6.11/cifs-support-mounting-with-alternate-password-to-allow-password-rotation.patch
queue-6.11/mfd-intel_soc_pmic_bxtwc-use-irq-domain-for-usb-type.patch
queue-6.11/perf-x86-intel-pt-fix-buffer-full-but-size-is-0-case.patch
queue-6.11/usb-typec-ucsi-glink-fix-off-by-one-in-connector_status.patch
queue-6.11/misc-apds990x-fix-missing-pm_runtime_disable.patch
queue-6.11/revert-f2fs-remove-unreachable-lazytime-mount-option-parsing.patch
queue-6.11/risc-v-check-scalar-unaligned-access-on-all-cpus.patch
queue-6.11/xhci-combine-two-if-statements-for-etron-xhci-host.patch
queue-6.11/usb-xhci-fix-td-invalidation-under-pending-set-tr-dequeue.patch
queue-6.11/kvm-arm64-vgic-its-clear-ite-when-discard-frees-an-ite.patch
queue-6.11/fsnotify-fix-ordering-of-iput-and-watched_objects-decrement.patch
queue-6.11/revert-exec-don-t-warn-for-racy-path_noexec-check.patch
queue-6.11/usb-xhci-avoid-queuing-redundant-stop-endpoint-commands.patch
queue-6.11/devres-fix-page-faults-when-tracing-devres-from-unlo.patch
queue-6.11/phy-realtek-usb-fix-null-deref-in-rtk_usb3phy_probe.patch



