Linux v5.6-rc2-47-g4b205766d8fc
parent
c1ca6835f0
commit
5c9dca7e5c
@ -0,0 +1,95 @@
|
||||
From a34309d16f41c48ffd90e56a6f865d6a1a8c49f0 Mon Sep 17 00:00:00 2001
|
||||
From: Catalin Marinas <catalin.marinas@arm.com>
|
||||
Date: Wed, 19 Feb 2020 12:31:56 +0000
|
||||
Subject: [PATCH] mm: Avoid creating virtual address aliases in
|
||||
brk()/mmap()/mremap()
|
||||
|
||||
Currently the arm64 kernel ignores the top address byte passed to brk(),
|
||||
mmap() and mremap(). When the user is not aware of the 56-bit address
|
||||
limit or relies on the kernel to return an error, untagging such
|
||||
pointers has the potential to create address aliases in user-space.
|
||||
Passing a tagged address to munmap(), madvise() is permitted since the
|
||||
tagged pointer is expected to be inside an existing mapping.
|
||||
|
||||
The current behaviour breaks the existing glibc malloc() implementation
|
||||
which relies on brk() with an address beyond 56-bit to be rejected by
|
||||
the kernel.
|
||||
|
||||
Remove untagging in the above functions by partially reverting commit
|
||||
ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
|
||||
addition, update the arm64 tagged-address-abi.rst document accordingly.
|
||||
|
||||
Link: https://bugzilla.redhat.com/1797052
|
||||
Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk")
|
||||
Cc: <stable@vger.kernel.org> # 5.4.x-
|
||||
Cc: Andrew Morton <akpm@linux-foundation.org>
|
||||
Cc: Florian Weimer <fweimer@redhat.com>
|
||||
Reported-by: Victor Stinner <vstinner@redhat.com>
|
||||
Acked-by: Will Deacon <will@kernel.org>
|
||||
Acked-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
|
||||
---
|
||||
Documentation/arm64/tagged-address-abi.rst | 11 +++++++++--
|
||||
mm/mmap.c | 4 ----
|
||||
mm/mremap.c | 1 -
|
||||
3 files changed, 9 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/Documentation/arm64/tagged-address-abi.rst b/Documentation/arm64/tagged-address-abi.rst
|
||||
index d4a85d535bf9..f6289116893c 100644
|
||||
--- a/Documentation/arm64/tagged-address-abi.rst
|
||||
+++ b/Documentation/arm64/tagged-address-abi.rst
|
||||
@@ -44,8 +44,15 @@ The AArch64 Tagged Address ABI has two stages of relaxation depending
|
||||
how the user addresses are used by the kernel:
|
||||
|
||||
1. User addresses not accessed by the kernel but used for address space
|
||||
- management (e.g. ``mmap()``, ``mprotect()``, ``madvise()``). The use
|
||||
- of valid tagged pointers in this context is always allowed.
|
||||
+ management (e.g. ``mprotect()``, ``madvise()``). The use of valid
|
||||
+ tagged pointers in this context is allowed with the exception of
|
||||
+ ``brk()``, ``mmap()`` and the ``new_address`` argument to
|
||||
+ ``mremap()`` as these have the potential of aliasing with existing
|
||||
+ user addresses.
|
||||
+
|
||||
+ NOTE: This behaviour changed in v5.6 and so some earlier kernels may
|
||||
+ incorrectly accept valid tagged pointers for the ``brk()``,
|
||||
+ ``mmap()`` and ``mremap()`` system calls.
|
||||
|
||||
2. User addresses accessed by the kernel (e.g. ``write()``). This ABI
|
||||
relaxation is disabled by default and the application thread needs to
|
||||
diff --git a/mm/mmap.c b/mm/mmap.c
|
||||
index 4390dbea4aa5..514cc19c5916 100644
|
||||
--- a/mm/mmap.c
|
||||
+++ b/mm/mmap.c
|
||||
@@ -195,8 +195,6 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
|
||||
bool downgraded = false;
|
||||
LIST_HEAD(uf);
|
||||
|
||||
- brk = untagged_addr(brk);
|
||||
-
|
||||
if (down_write_killable(&mm->mmap_sem))
|
||||
return -EINTR;
|
||||
|
||||
@@ -1583,8 +1581,6 @@ unsigned long ksys_mmap_pgoff(unsigned long addr, unsigned long len,
|
||||
struct file *file = NULL;
|
||||
unsigned long retval;
|
||||
|
||||
- addr = untagged_addr(addr);
|
||||
-
|
||||
if (!(flags & MAP_ANONYMOUS)) {
|
||||
audit_mmap_fd(fd, flags);
|
||||
file = fget(fd);
|
||||
diff --git a/mm/mremap.c b/mm/mremap.c
|
||||
index 1fc8a29fbe3f..1d98281f7204 100644
|
||||
--- a/mm/mremap.c
|
||||
+++ b/mm/mremap.c
|
||||
@@ -607,7 +607,6 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
|
||||
LIST_HEAD(uf_unmap);
|
||||
|
||||
addr = untagged_addr(addr);
|
||||
- new_addr = untagged_addr(new_addr);
|
||||
|
||||
if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
|
||||
return ret;
|
||||
--
|
||||
2.24.1
|
||||
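Review bot: In the mm/mremap.c hunk of the added patch, `addr = untagged_addr(addr);` is kept while the `new_addr` line is dropped, and no comment records that the asymmetry is deliberate. A one-line comment above the remaining call would stop a later cleanup from restoring the untagging, e.g. `/* new_addr is intentionally not untagged: it could alias an existing user address */`; the removals in brk() and ksys_mmap_pgoff() in mm/mmap.c would benefit from the same kind of comment. The NOTE added to tagged-address-abi.rst names ``mremap()`` as a whole, although the text above it limits the exception to the `new_address` argument. All three functions start and end outside the hunks shown.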
|
2
gitrev
2
gitrev
@ -1 +1 @@
|
||||
b1da3acc781ce445445d959b41064d209a27bc2d
|
||||
4b205766d8fcb1627429ff31a4b36248b71a0df1
|
||||
|
@ -107,7 +107,7 @@ Summary: The Linux kernel
|
||||
# The rc snapshot level
|
||||
%global rcrev 2
|
||||
# The git snapshot level
|
||||
%define gitrev 1
|
||||
%define gitrev 2
|
||||
# Set rpm version accordingly
|
||||
%define rpmversion 5.%{upstream_sublevel}.0
|
||||
%endif
|
||||
@ -865,6 +865,8 @@ Patch529: 0001-Include-kvm_asm.h-and-kvm_arm.h-in-kvm-arm-trace.h.patch
|
||||
|
||||
Patch530: 0001-Replace-.ioctl-with-.compat_ioctl-in-three-appropria.patch
|
||||
|
||||
Patch531: 0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -2894,6 +2896,9 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Feb 19 2020 Jeremy Cline <jcline@redhat.com> - 5.6.0-0.rc2.git2.1
|
||||
- Linux v5.6-rc2-47-g4b205766d8fc
|
||||
|
||||
* Tue Feb 18 2020 Jeremy Cline <jcline@redhat.com> - 5.6.0-0.rc2.git1.1
|
||||
- Linux v5.6-rc2-8-gb1da3acc781c
|
||||
- Enable CONFIG_INET_ESPINTCP (rhbz 1804255)
|
||||
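Review bot: The new %changelog entry for 5.6.0-0.rc2.git2.1 records only the snapshot bump, although the same commit adds Patch531, which changes how arm64 handles tagged addresses in brk()/mmap()/mremap(). The entry should name the carried fix and its bug reference in the form the previous entry uses, for example `- Avoid creating virtual address aliases in brk()/mmap()/mremap() (rhbz 1797052)`. Without that line, anyone checking which builds contain the fix has to read the patch list instead of the changelog.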
|
2
sources
2
sources
@ -1,3 +1,3 @@
|
||||
SHA512 (linux-5.5.tar.xz) = fa74fdabb5e63384a39e54da05b86a9ae9ea16179524b041fbbdffc7177e80b53600ae98d76be127ba216148f9dc55fe07ab20637e22c6d6030cb4aa09eb2f86
|
||||
SHA512 (patch-5.6-rc2.xz) = b49dfa43e7dcdf90bd68e582eb676f3cac53f7212d8abde6e41e18f8bd0eecc3ae2384639f8aaef8925c8e4385e75b0b49ec54e5bcfc23dec5fe2169cbce1af2
|
||||
SHA512 (patch-5.6-rc2-git1.xz) = ead71bb0efb09750beee0d3880571673f5d9063909aec055f8ab9158142ea2764d7faf421290090bdc2f7304375d08cd98d930be7db6ebff12569d0ec73495d4
|
||||
SHA512 (patch-5.6-rc2-git2.xz) = 023befa3b800d346736b5537c8d94b7856b594ee9f60150cb9989ed5d78b24defb4891e3bfb6fcbd7c13ecbadad7120d9626c07f9b9edeba8584f4e9bbf2372f
|
||||
|