From 5c9dca7e5c1eb454d55c2b3b867fc94374f5d686 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Wed, 19 Feb 2020 16:24:55 -0500 Subject: Linux v5.6-rc2-47-g4b205766d8fc --- ...eating-virtual-address-aliases-in-brk-mma.patch | 95 ++++++++++++++++++++++ gitrev | 2 +- kernel.spec | 7 +- sources | 2 +- 4 files changed, 103 insertions(+), 3 deletions(-) create mode 100644 0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch diff --git a/0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch b/0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch new file mode 100644 index 000000000..6f3bd3c72 --- /dev/null +++ b/0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch @@ -0,0 +1,95 @@ +From a34309d16f41c48ffd90e56a6f865d6a1a8c49f0 Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Wed, 19 Feb 2020 12:31:56 +0000 +Subject: [PATCH] mm: Avoid creating virtual address aliases in + brk()/mmap()/mremap() + +Currently the arm64 kernel ignores the top address byte passed to brk(), +mmap() and mremap(). When the user is not aware of the 56-bit address +limit or relies on the kernel to return an error, untagging such +pointers has the potential to create address aliases in user-space. +Passing a tagged address to munmap(), madvise() is permitted since the +tagged pointer is expected to be inside an existing mapping. + +The current behaviour breaks the existing glibc malloc() implementation +which relies on brk() with an address beyond 56-bit to be rejected by +the kernel. + +Remove untagging in the above functions by partially reverting commit +ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In +addition, update the arm64 tagged-address-abi.rst document accordingly. + +Link: https://bugzilla.redhat.com/1797052 +Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk") +Cc: # 5.4.x- +Cc: Andrew Morton +Cc: Florian Weimer +Reported-by: Victor Stinner +Acked-by: Will Deacon +Acked-by: Andrey Konovalov +Signed-off-by: Catalin Marinas +--- + Documentation/arm64/tagged-address-abi.rst | 11 +++++++++-- + mm/mmap.c | 4 ---- + mm/mremap.c | 1 - + 3 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/Documentation/arm64/tagged-address-abi.rst b/Documentation/arm64/tagged-address-abi.rst +index d4a85d535bf9..f6289116893c 100644 +--- a/Documentation/arm64/tagged-address-abi.rst ++++ b/Documentation/arm64/tagged-address-abi.rst +@@ -44,8 +44,15 @@ The AArch64 Tagged Address ABI has two stages of relaxation depending + how the user addresses are used by the kernel: + + 1. User addresses not accessed by the kernel but used for address space +- management (e.g. ``mmap()``, ``mprotect()``, ``madvise()``). The use +- of valid tagged pointers in this context is always allowed. ++ management (e.g. ``mprotect()``, ``madvise()``). The use of valid ++ tagged pointers in this context is allowed with the exception of ++ ``brk()``, ``mmap()`` and the ``new_address`` argument to ++ ``mremap()`` as these have the potential of aliasing with existing ++ user addresses. ++ ++ NOTE: This behaviour changed in v5.6 and so some earlier kernels may ++ incorrectly accept valid tagged pointers for the ``brk()``, ++ ``mmap()`` and ``mremap()`` system calls. + + 2. User addresses accessed by the kernel (e.g. ``write()``). This ABI + relaxation is disabled by default and the application thread needs to +diff --git a/mm/mmap.c b/mm/mmap.c +index 4390dbea4aa5..514cc19c5916 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -195,8 +195,6 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) + bool downgraded = false; + LIST_HEAD(uf); + +- brk = untagged_addr(brk); +- + if (down_write_killable(&mm->mmap_sem)) + return -EINTR; + +@@ -1583,8 +1581,6 @@ unsigned long ksys_mmap_pgoff(unsigned long addr, unsigned long len, + struct file *file = NULL; + unsigned long retval; + +- addr = untagged_addr(addr); +- + if (!(flags & MAP_ANONYMOUS)) { + audit_mmap_fd(fd, flags); + file = fget(fd); +diff --git a/mm/mremap.c b/mm/mremap.c +index 1fc8a29fbe3f..1d98281f7204 100644 +--- a/mm/mremap.c ++++ b/mm/mremap.c +@@ -607,7 +607,6 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, + LIST_HEAD(uf_unmap); + + addr = untagged_addr(addr); +- new_addr = untagged_addr(new_addr); + + if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE)) + return ret; +-- +2.24.1 + diff --git a/gitrev b/gitrev index ae633a5c5..1f3feefd7 100644 --- a/gitrev +++ b/gitrev @@ -1 +1 @@ -b1da3acc781ce445445d959b41064d209a27bc2d +4b205766d8fcb1627429ff31a4b36248b71a0df1 diff --git a/kernel.spec b/kernel.spec index cf25cc214..4590bb7df 100644 --- a/kernel.spec +++ b/kernel.spec @@ -107,7 +107,7 @@ Summary: The Linux kernel # The rc snapshot level %global rcrev 2 # The git snapshot level -%define gitrev 1 +%define gitrev 2 # Set rpm version accordingly %define rpmversion 5.%{upstream_sublevel}.0 %endif @@ -865,6 +865,8 @@ Patch529: 0001-Include-kvm_asm.h-and-kvm_arm.h-in-kvm-arm-trace.h.patch Patch530: 0001-Replace-.ioctl-with-.compat_ioctl-in-three-appropria.patch +Patch531: 0001-mm-Avoid-creating-virtual-address-aliases-in-brk-mma.patch + # END OF PATCH DEFINITIONS %endif @@ -2894,6 +2896,9 @@ fi # # %changelog +* Wed Feb 19 2020 Jeremy Cline - 5.6.0-0.rc2.git2.1 +- Linux v5.6-rc2-47-g4b205766d8fc + * Tue Feb 18 2020 Jeremy Cline - 5.6.0-0.rc2.git1.1 - Linux v5.6-rc2-8-gb1da3acc781c - Enable CONFIG_INET_ESPINTCP (rhbz 1804255) diff --git a/sources b/sources index 1d7a55fcf..327a4a4dd 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (linux-5.5.tar.xz) = fa74fdabb5e63384a39e54da05b86a9ae9ea16179524b041fbbdffc7177e80b53600ae98d76be127ba216148f9dc55fe07ab20637e22c6d6030cb4aa09eb2f86 SHA512 (patch-5.6-rc2.xz) = b49dfa43e7dcdf90bd68e582eb676f3cac53f7212d8abde6e41e18f8bd0eecc3ae2384639f8aaef8925c8e4385e75b0b49ec54e5bcfc23dec5fe2169cbce1af2 -SHA512 (patch-5.6-rc2-git1.xz) = ead71bb0efb09750beee0d3880571673f5d9063909aec055f8ab9158142ea2764d7faf421290090bdc2f7304375d08cd98d930be7db6ebff12569d0ec73495d4 +SHA512 (patch-5.6-rc2-git2.xz) = 023befa3b800d346736b5537c8d94b7856b594ee9f60150cb9989ed5d78b24defb4891e3bfb6fcbd7c13ecbadad7120d9626c07f9b9edeba8584f4e9bbf2372f -- cgit