Linux v5.6-rc2-47-g4b205766d8fc

This commit is contained in:
Jeremy Cline 2020-02-19 16:24:55 -05:00
parent c1ca6835f0
commit 5c9dca7e5c
4 changed files with 103 additions and 3 deletions

View File

@ -0,0 +1,95 @@
From a34309d16f41c48ffd90e56a6f865d6a1a8c49f0 Mon Sep 17 00:00:00 2001
From: Catalin Marinas <catalin.marinas@arm.com>
Date: Wed, 19 Feb 2020 12:31:56 +0000
Subject: [PATCH] mm: Avoid creating virtual address aliases in
brk()/mmap()/mremap()
Currently the arm64 kernel ignores the top address byte passed to brk(),
mmap() and mremap(). When the user is not aware of the 56-bit address
limit or relies on the kernel to return an error, untagging such
pointers has the potential to create address aliases in user-space.
Passing a tagged address to munmap(), madvise() is permitted since the
tagged pointer is expected to be inside an existing mapping.
The current behaviour breaks the existing glibc malloc() implementation
which relies on brk() with an address beyond 56-bit to be rejected by
the kernel.
Remove untagging in the above functions by partially reverting commit
ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
addition, update the arm64 tagged-address-abi.rst document accordingly.
Link: https://bugzilla.redhat.com/1797052
Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk")
Cc: <stable@vger.kernel.org> # 5.4.x-
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Reported-by: Victor Stinner <vstinner@redhat.com>
Acked-by: Will Deacon <will@kernel.org>
Acked-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
---
Documentation/arm64/tagged-address-abi.rst | 11 +++++++++--
mm/mmap.c | 4 ----
mm/mremap.c | 1 -
3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/Documentation/arm64/tagged-address-abi.rst b/Documentation/arm64/tagged-address-abi.rst
index d4a85d535bf9..f6289116893c 100644
--- a/Documentation/arm64/tagged-address-abi.rst
+++ b/Documentation/arm64/tagged-address-abi.rst
@@ -44,8 +44,15 @@ The AArch64 Tagged Address ABI has two stages of relaxation depending
how the user addresses are used by the kernel:
1. User addresses not accessed by the kernel but used for address space
- management (e.g. ``mmap()``, ``mprotect()``, ``madvise()``). The use
- of valid tagged pointers in this context is always allowed.
+ management (e.g. ``mprotect()``, ``madvise()``). The use of valid
+ tagged pointers in this context is allowed with the exception of
+ ``brk()``, ``mmap()`` and the ``new_address`` argument to
+ ``mremap()`` as these have the potential of aliasing with existing
+ user addresses.
+
+ NOTE: This behaviour changed in v5.6 and so some earlier kernels may
+ incorrectly accept valid tagged pointers for the ``brk()``,
+ ``mmap()`` and ``mremap()`` system calls.
2. User addresses accessed by the kernel (e.g. ``write()``). This ABI
relaxation is disabled by default and the application thread needs to
diff --git a/mm/mmap.c b/mm/mmap.c
index 4390dbea4aa5..514cc19c5916 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -195,8 +195,6 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
bool downgraded = false;
LIST_HEAD(uf);
- brk = untagged_addr(brk);
-
if (down_write_killable(&mm->mmap_sem))
return -EINTR;
@@ -1583,8 +1581,6 @@ unsigned long ksys_mmap_pgoff(unsigned long addr, unsigned long len,
struct file *file = NULL;
unsigned long retval;
- addr = untagged_addr(addr);
-
if (!(flags & MAP_ANONYMOUS)) {
audit_mmap_fd(fd, flags);
file = fget(fd);
diff --git a/mm/mremap.c b/mm/mremap.c
index 1fc8a29fbe3f..1d98281f7204 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -607,7 +607,6 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
LIST_HEAD(uf_unmap);
addr = untagged_addr(addr);
- new_addr = untagged_addr(new_addr);
if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
return ret;
--
2.24.1

2
gitrev
View File

@ -1 +1 @@
b1da3acc781ce445445d959b41064d209a27bc2d
4b205766d8fcb1627429ff31a4b36248b71a0df1

View File

@ -107,7 +107,7 @@ Summary: The Linux kernel
# The rc snapshot level
%global rcrev 2
# The git snapshot level
%define gitrev 1
%define gitrev 2
# Set rpm version accordingly
%define rpmversion 5.%{upstream_sublevel}.0
%endif
@ -865,6 +865,8 @@ Patch529: 0001-Include-kvm_asm.h-and-kvm_arm.h-in-kvm-arm-trace.h.patch
Patch530: 0001-Replace-.ioctl-with-.compat_ioctl-in-three-appropria.patch
Patch531: 0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch
# END OF PATCH DEFINITIONS
%endif
@ -2894,6 +2896,9 @@ fi
#
#
%changelog
* Wed Feb 19 2020 Jeremy Cline <jcline@redhat.com> - 5.6.0-0.rc2.git2.1
- Linux v5.6-rc2-47-g4b205766d8fc
* Tue Feb 18 2020 Jeremy Cline <jcline@redhat.com> - 5.6.0-0.rc2.git1.1
- Linux v5.6-rc2-8-gb1da3acc781c
- Enable CONFIG_INET_ESPINTCP (rhbz 1804255)

View File

@ -1,3 +1,3 @@
SHA512 (linux-5.5.tar.xz) = fa74fdabb5e63384a39e54da05b86a9ae9ea16179524b041fbbdffc7177e80b53600ae98d76be127ba216148f9dc55fe07ab20637e22c6d6030cb4aa09eb2f86
SHA512 (patch-5.6-rc2.xz) = b49dfa43e7dcdf90bd68e582eb676f3cac53f7212d8abde6e41e18f8bd0eecc3ae2384639f8aaef8925c8e4385e75b0b49ec54e5bcfc23dec5fe2169cbce1af2
SHA512 (patch-5.6-rc2-git1.xz) = ead71bb0efb09750beee0d3880571673f5d9063909aec055f8ab9158142ea2764d7faf421290090bdc2f7304375d08cd98d930be7db6ebff12569d0ec73495d4
SHA512 (patch-5.6-rc2-git2.xz) = 023befa3b800d346736b5537c8d94b7856b594ee9f60150cb9989ed5d78b24defb4891e3bfb6fcbd7c13ecbadad7120d9626c07f9b9edeba8584f4e9bbf2372f