From: Zilin Guan <zilin@seu.edu.cn> mainline inclusion from mainline-v6.18-rc7 commit 90f601b497d76f40fa66795c3ecf625b6aced9fd category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11533 CVE: CVE-2025-68239 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed. However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail. Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly. Fixes: e7850f4d844e ("binfmt_misc: fix possible deadlock in bm_register_write") Signed-off-by: Zilin Guan <zilin@seu.edu.cn> Link: https://patch.msgid.link/20251105022923.1813587-1-zilin@seu.edu.cn Signed-off-by: Christian Brauner <brauner@kernel.org> Conflicts: fs/binfmt_misc.c [Context conflicts as exe_file_allow_write_access() is introduced in commit 0357ef03c94e ("fs: don't block write during exec on pre-content watched files"), which is not merged. Use allow_write_access() instead.] Signed-off-by: Pan Taixi <pantaixi1@huawei.com> --- fs/binfmt_misc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c index ce0047feea72..760a270fd7d5 100644 --- a/fs/binfmt_misc.c +++ b/fs/binfmt_misc.c @@ -704,8 +704,10 @@ static ssize_t bm_register_write(struct file *file, const char __user *buffer, inode_unlock(d_inode(root)); if (err) { - if (f) + if (f) { + allow_write_access(f); filp_close(f, NULL); + } kfree(e); return err; } -- 2.34.1