From: "Mike Pagano"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Mike Pagano"
Message-ID: <1700404891.568ff3e5b235bccb34abf3ea566552365d99d127.mpagano@gentoo>
Subject: [gentoo-commits] proj/linux-patches:6.6 commit in: /
X-VCS-Repository: proj/linux-patches
X-VCS-Files: 0000_README 1720_parisc-gen-mmap-top-down-layout-and-brk-randomization.patch
X-VCS-Directories: /
X-VCS-Committer: mpagano
X-VCS-Committer-Name: Mike Pagano
X-VCS-Revision: 568ff3e5b235bccb34abf3ea566552365d99d127
X-VCS-Branch: 6.6
Date: Sun, 19 Nov 2023 14:41:55 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 2c93d7f5-adeb-4cd9-84e8-fcdbf4a6e70f
X-Archives-Hash: 525fefd72194834b6db13613a7d60c3d

commit: 568ff3e5b235bccb34abf3ea566552365d99d127
Author: Mike Pagano gentoo org>
AuthorDate: Sun Nov 19 14:41:31 2023 +0000
Commit: Mike Pagano gentoo org>
CommitDate: Sun Nov 19 14:41:31 2023 +0000
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=568ff3e5

parisc: Fix mmap_base calculation when stack grows upwards

Signed-off-by: Mike Pagano gentoo.org>

 0000_README | 4 +
 ...map-top-down-layout-and-brk-randomization.patch | 239 +++++++++++++++++++++
 2 files changed, 243 insertions(+)

diff --git a/0000_README b/0000_README index bb74cf79..b98c4b39 100644 --- a/0000_README +++ b/0000_README @@ -55,6 +55,10 @@ Patch: 1700_sparc-address-warray-bound-warnings.patch 
From: https://github.com/KSPP/linux/issues/109 Desc: Address -Warray-bounds warnings +Patch: 1720_parisc-gen-mmap-top-down-layout-and-brk-randomization.patch +From: https://lore.kernel.org/linux-parisc/ZVH2qeS1bG7%2F1J%2Fl@p100/T/#u +Desc: Fix the mmap_base() calculation to include the stack-grows-upwards case + Patch: 1805_mm-disable-CONFIG-PER-VMA-LOCK-by-def.patch From: https://lore.kernel.org/all/20230703182150.2193578-1-surenb@google.com/ Desc: mm: disable CONFIG_PER_VMA_LOCK by default until its fixed diff --git a/1720_parisc-gen-mmap-top-down-layout-and-brk-randomization.patch b/1720_parisc-gen-mmap-top-down-layout-and-brk-randomization.patch new file mode 100644 index 00000000..5fe2fe9d --- /dev/null +++ b/1720_parisc-gen-mmap-top-down-layout-and-brk-randomization.patch 
@@ -0,0 +1,239 @@ +parisc: Fix mmap_base calculation when stack grows upwards + +Matoro reported various userspace crashes on the parisc platform with kernel +6.6 and bisected it to commit 3033cd430768 ("parisc: Use generic mmap top-down +layout and brk randomization"). + +That commit switched parisc to use the common infrastructure to calculate +mmap_base, but missed that the mmap_base() function takes care for +architectures where the stack grows downwards only. + +Fix the mmap_base() calculation to include the stack-grows-upwards case +and thus fix the userspace crashes on parisc. + +Reported-by: matoro +Signed-off-by: Helge Deller +Tested-by: matoro +Fixes: 3033cd430768 ("parisc: Use generic mmap top-down layout and brk randomization") +Cc: # v6.6+ + +diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig +index fd69dfa0cdab..a7c9c0e69e5a 100644 +--- a/arch/parisc/Kconfig ++++ b/arch/parisc/Kconfig +@@ -140,11 +140,11 @@ config ARCH_MMAP_RND_COMPAT_BITS_MIN + default 8 + + config ARCH_MMAP_RND_BITS_MAX +- default 24 if 64BIT +- default 17 ++ default 18 if 64BIT ++ default 13 + + config ARCH_MMAP_RND_COMPAT_BITS_MAX +- default 17 ++ default 13 + + # unless you want to implement ACPI on PA-RISC ... ;-) + config PM +diff --git a/arch/parisc/include/asm/elf.h b/arch/parisc/include/asm/elf.h +index 140eaa97bf21..2d73d3c3cd37 100644 +--- a/arch/parisc/include/asm/elf.h ++++ b/arch/parisc/include/asm/elf.h +@@ -349,15 +349,7 @@ struct pt_regs; /* forward declaration... */ + + #define ELF_HWCAP 0 + +-/* Masks for stack and mmap randomization */ +-#define BRK_RND_MASK (is_32bit_task() ? 0x07ffUL : 0x3ffffUL) +-#define MMAP_RND_MASK (is_32bit_task() ? 
0x1fffUL : 0x3ffffUL) +-#define STACK_RND_MASK MMAP_RND_MASK +- +-struct mm_struct; +-extern unsigned long arch_randomize_brk(struct mm_struct *); +-#define arch_randomize_brk arch_randomize_brk +- ++#define STACK_RND_MASK 0x7ff /* 8MB of VA */ + + #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1 + struct linux_binprm; +diff --git a/arch/parisc/include/asm/processor.h b/arch/parisc/include/asm/processor.h +index c05d121cf5d0..982aca20f56f 100644 +--- a/arch/parisc/include/asm/processor.h ++++ b/arch/parisc/include/asm/processor.h +@@ -47,6 +47,8 @@ + + #ifndef __ASSEMBLY__ + ++struct rlimit; ++unsigned long mmap_upper_limit(struct rlimit *rlim_stack); + unsigned long calc_max_stack_size(unsigned long stack_max); + + /* +diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c +index ab896eff7a1d..98af719d5f85 100644 +--- a/arch/parisc/kernel/sys_parisc.c ++++ b/arch/parisc/kernel/sys_parisc.c +@@ -77,7 +77,7 @@ unsigned long calc_max_stack_size(unsigned long stack_max) + * indicating that "current" should be used instead of a passed-in + * value from the exec bprm as done with arch_pick_mmap_layout(). + */ +-static unsigned long mmap_upper_limit(struct rlimit *rlim_stack) ++unsigned long mmap_upper_limit(struct rlimit *rlim_stack) + { + unsigned long stack_base; + +diff --git a/mm/util.c b/mm/util.c +index aa01f6ea5a75..744b4d7e3fae 100644 +--- a/mm/util.c ++++ b/mm/util.c +@@ -414,6 +414,15 @@ static int mmap_is_legacy(struct rlimit *rlim_stack) + + static unsigned long mmap_base(unsigned long rnd, struct rlimit *rlim_stack) + { ++#ifdef CONFIG_STACK_GROWSUP ++ /* ++ * For an upwards growing stack the calculation is much simpler. ++ * Memory for the maximum stack size is reserved at the top of the ++ * task. mmap_base starts directly below the stack and grows ++ * downwards. 
++ */ ++ return PAGE_ALIGN_DOWN(mmap_upper_limit(rlim_stack) - rnd); ++#else + unsigned long gap = rlim_stack->rlim_cur; + unsigned long pad = stack_guard_gap; + +@@ -431,6 +440,7 @@ static unsigned long mmap_base(unsigned long rnd, struct rlimit *rlim_stack) + gap = MAX_GAP; + + return PAGE_ALIGN(STACK_TOP - gap - rnd); ++#endif + } + + void arch_pick_mmap_layout(struct mm_struct *mm, struct rlimit *rlim_stack) + +^ permalink raw reply related [flat|nested] 2+ messages in thread +* Re: [PATCH] parisc: Fix mmap_base calculation when stack grows upwards + 2023-11-13 10:12 [PATCH] parisc: Fix mmap_base calculation when stack grows upwards Helge Deller +@ 2023-11-19 14:30 ` Sam James + 0 siblings, 0 replies; 2+ messages in thread +From: Sam James @ 2023-11-19 14:30 UTC (permalink / raw) + To: Helge Deller; +Cc: Andrew Morton, linux-mm, linux-kernel, linux-parisc, matoro + + +Helge Deller writes: + +> Matoro reported various userspace crashes on the parisc platform with kernel +> 6.6 and bisected it to commit 3033cd430768 ("parisc: Use generic mmap top-down +> layout and brk randomization"). +> +> That commit switched parisc to use the common infrastructure to calculate +> mmap_base, but missed that the mmap_base() function takes care for +> architectures where the stack grows downwards only. +> +> Fix the mmap_base() calculation to include the stack-grows-upwards case +> and thus fix the userspace crashes on parisc. +> +> Reported-by: matoro +> Signed-off-by: Helge Deller +> Tested-by: matoro +> Fixes: 3033cd430768 ("parisc: Use generic mmap top-down layout and brk randomization") +> Cc: # v6.6+ + +Sorry to be impatient, but pinging this. HPPA is unusable on 6.6.x without this patch. + +> +> diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig +> index fd69dfa0cdab..a7c9c0e69e5a 100644 +> --- a/arch/parisc/Kconfig +> +++ b/arch/parisc/Kconfig +> 
@@ -140,11 +140,11 @@ config ARCH_MMAP_RND_COMPAT_BITS_MIN +> default 8 +> +> config ARCH_MMAP_RND_BITS_MAX +> - default 24 if 64BIT +> - default 17 +> + default 18 if 64BIT +> + default 13 +> +> config ARCH_MMAP_RND_COMPAT_BITS_MAX +> - default 17 +> + default 13 +> +> # unless you want to implement ACPI on PA-RISC ... ;-) +> config PM +> diff --git a/arch/parisc/include/asm/elf.h b/arch/parisc/include/asm/elf.h +> index 140eaa97bf21..2d73d3c3cd37 100644 +> --- a/arch/parisc/include/asm/elf.h +> +++ b/arch/parisc/include/asm/elf.h +> @@ -349,15 +349,7 @@ struct pt_regs; /* forward declaration... */ +> +> #define ELF_HWCAP 0 +> +> -/* Masks for stack and mmap randomization */ +> -#define BRK_RND_MASK (is_32bit_task() ? 0x07ffUL : 0x3ffffUL) +> -#define MMAP_RND_MASK (is_32bit_task() ? 0x1fffUL : 0x3ffffUL) +> -#define STACK_RND_MASK MMAP_RND_MASK +> - +> -struct mm_struct; +> -extern unsigned long arch_randomize_brk(struct mm_struct *); +> -#define arch_randomize_brk arch_randomize_brk +> - +> +#define STACK_RND_MASK 0x7ff /* 8MB of VA */ +> +> #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1 +> struct linux_binprm; +> diff --git a/arch/parisc/include/asm/processor.h b/arch/parisc/include/asm/processor.h +> index c05d121cf5d0..982aca20f56f 100644 +> --- a/arch/parisc/include/asm/processor.h +> +++ b/arch/parisc/include/asm/processor.h +> @@ -47,6 +47,8 @@ +> +> #ifndef __ASSEMBLY__ +> +> +struct rlimit; +> +unsigned long mmap_upper_limit(struct rlimit *rlim_stack); +> unsigned long calc_max_stack_size(unsigned long stack_max); +> +> /* +> diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c +> index ab896eff7a1d..98af719d5f85 100644 +> --- a/arch/parisc/kernel/sys_parisc.c +> +++ b/arch/parisc/kernel/sys_parisc.c +> 
@@ -77,7 +77,7 @@ unsigned long calc_max_stack_size(unsigned long stack_max) +> * indicating that "current" should be used instead of a passed-in +> * value from the exec bprm as done with arch_pick_mmap_layout(). +> */ +> -static unsigned long mmap_upper_limit(struct rlimit *rlim_stack) +> +unsigned long mmap_upper_limit(struct rlimit *rlim_stack) +> { +> unsigned long stack_base; +> +> diff --git a/mm/util.c b/mm/util.c +> index aa01f6ea5a75..744b4d7e3fae 100644 +> --- a/mm/util.c +> +++ b/mm/util.c +> @@ -414,6 +414,15 @@ static int mmap_is_legacy(struct rlimit *rlim_stack) +> +> static unsigned long mmap_base(unsigned long rnd, struct rlimit *rlim_stack) +> { +> +#ifdef CONFIG_STACK_GROWSUP +> + /* +> + * For an upwards growing stack the calculation is much simpler. +> + * Memory for the maximum stack size is reserved at the top of the +> + * task. mmap_base starts directly below the stack and grows +> + * downwards. +> + */ +> + return PAGE_ALIGN_DOWN(mmap_upper_limit(rlim_stack) - rnd); +> +#else +> unsigned long gap = rlim_stack->rlim_cur; +> unsigned long pad = stack_guard_gap; +> +> @@ -431,6 +440,7 @@ static unsigned long mmap_base(unsigned long rnd, struct rlimit *rlim_stack) +> gap = MAX_GAP; +> +> return PAGE_ALIGN(STACK_TOP - gap - rnd); +> +#endif +> } +> +> void arch_pick_mmap_layout(struct mm_struct *mm, struct rlimit *rlim_stack)
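
Review bot: in the 0000_README hunk, the new entry's file name, 1720_parisc-gen-mmap-top-down-layout-and-brk-randomization.patch, repeats the title of commit 3033cd430768, which the carried patch lists in its Fixes: tag as the regression, while the Desc: line describes the fix. Naming the file after the fix (the mmap_base calculation for an upward-growing stack) would keep anyone scanning the patch list from reading it as a backport of the original change.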
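
Review bot: in the new 1720_ patch file, everything after the "^ permalink raw reply" line is the list thread's follow-up, namely a ping from Sam James and a second, quoted copy of the same diff. Cutting the file at the end of the first diff would keep it to what is actually applied and make the 239 added lines easier to audit.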
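
Review bot: in the arch/parisc/Kconfig hunk, ARCH_MMAP_RND_BITS_MAX drops from 24 to 18 on 64BIT and from 17 to 13 otherwise, and ARCH_MMAP_RND_COMPAT_BITS_MAX from 17 to 13, but the commit message only talks about the mmap_base() calculation. These are the upper bounds on mmap randomization bits, so the message should say why the lower maxima are needed for the stack-grows-upwards layout.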
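
Review bot: in the arch/parisc/include/asm/elf.h hunk, STACK_RND_MASK changes from MMAP_RND_MASK (0x1fffUL for 32-bit tasks, 0x3ffffUL otherwise) to a fixed 0x7ff for both, which narrows the stack randomization mask without any mention in the commit message. Please give the reason next to the define and write the constant as 0x7ffUL to match the unsigned long masks it replaces; the "8MB of VA" comment should also name the page size it assumes.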
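
Review bot: in the arch/parisc/include/asm/processor.h hunk, the new mmap_upper_limit() prototype is the only declaration shown for a function that generic mm/util.c now calls under CONFIG_STACK_GROWSUP, so the generic code depends on every stack-grows-up architecture exporting this symbol. Either guard the new branch on the architecture that defines the function, or declare it in a common header with a short comment stating what an architecture must provide.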
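
Review bot: in the first mm/util.c hunk, the CONFIG_STACK_GROWSUP branch of mmap_base() subtracts rnd from mmap_upper_limit(rlim_stack) with no bounds check and no use of stack_guard_gap, while the #else branch keeps a pad and clamps gap (the gap = MAX_GAP line) before subtracting. The new comment should say whether mmap_upper_limit() already leaves the guard gap below the stack and why rnd cannot push the base too low; otherwise the branch needs the check itself.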