From: Michal Hocko <mhocko@kernel.org> To: Linus Torvalds <torvalds@linux-foundation.org>, Andrew Morton <akpm@linux-foundation.org> Cc: Vlastimil Babka <vbabka@suse.cz>, Ben Hutchings <ben@decadent.org.uk>, Willy Tarreau <w@1wt.eu>, Oleg Nesterov <oleg@redhat.com>, Rik van Riel <riel@redhat.com>, LKML <linux-kernel@vger.kernel.org>, <linux-mm@kvack.org>, Michal Hocko <mhocko@suse.com> Subject: [PATCH] mm: mm, mmap: do not blow on PROT_NONE MAP_FIXED holes in the stack Date: Wed, 5 Jul 2017 18:56:02 +0200 [thread overview] Message-ID: <20170705165602.15005-1-mhocko@kernel.org> (raw) From: Michal Hocko <mhocko@suse.com> "mm: enlarge stack guard gap" has introduced a regression in some rust and Java environments which are trying to implement their own stack guard page. They are punching a new MAP_FIXED mapping inside the existing stack Vma. This will confuse expand_{downwards,upwards} into thinking that the stack expansion would in fact get us too close to an existing non-stack vma which is a correct behavior wrt. safety. It is a real regression on the other hand. Let's work around the problem by considering PROT_NONE mapping as a part of the stack. This is a gros hack but overflowing to such a mapping would trap anyway an we only can hope that usespace knows what it is doing and handle it propely. Fixes: d4d2d35e6ef9 ("mm: larger stack guard gap, between vmas") Debugged-by: Vlastimil Babka <vbabka@suse.cz> Cc: stable Signed-off-by: Michal Hocko <mhocko@suse.com> --- Hi, the original thread [1] has grown quite large and also a bit confusing. At least the rust part should be fixed by this patch. 32b java will probably need something more on top of this. Btw. JNI environments rely on MAP_FIXED PROT_NONE as well they were just lucky to not hit the issue yet I guess. [1] http://lkml.kernel.org/r/1499126133.2707.20.camel@decadent.org.uk mm/mmap.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index f60a8bc2869c..2e996cbf4ff3 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -2244,7 +2244,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) gap_addr = TASK_SIZE; next = vma->vm_next; - if (next && next->vm_start < gap_addr) { + if (next && next->vm_start < gap_addr && + (next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) { if (!(next->vm_flags & VM_GROWSUP)) return -ENOMEM; /* Check that both stack segments have the same anon_vma? */ @@ -2325,7 +2326,8 @@ int expand_downwards(struct vm_area_struct *vma, /* Enforce stack_guard_gap */ prev = vma->vm_prev; /* Check that both stack segments have the same anon_vma? */ - if (prev && !(prev->vm_flags & VM_GROWSDOWN)) { + if (prev && !(prev->vm_flags & VM_GROWSDOWN) && + (prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) { if (address - prev->vm_end < stack_guard_gap) return -ENOMEM; } -- 2.11.0
WARNING: multiple messages have this Message-ID (diff)
From: Michal Hocko <mhocko@kernel.org> To: Linus Torvalds <torvalds@linux-foundation.org>, Andrew Morton <akpm@linux-foundation.org> Cc: Vlastimil Babka <vbabka@suse.cz>, Ben Hutchings <ben@decadent.org.uk>, Willy Tarreau <w@1wt.eu>, Oleg Nesterov <oleg@redhat.com>, Rik van Riel <riel@redhat.com>, LKML <linux-kernel@vger.kernel.org>, linux-mm@kvack.org, Michal Hocko <mhocko@suse.com> Subject: [PATCH] mm: mm, mmap: do not blow on PROT_NONE MAP_FIXED holes in the stack Date: Wed, 5 Jul 2017 18:56:02 +0200 [thread overview] Message-ID: <20170705165602.15005-1-mhocko@kernel.org> (raw) From: Michal Hocko <mhocko@suse.com> "mm: enlarge stack guard gap" has introduced a regression in some rust and Java environments which are trying to implement their own stack guard page. They are punching a new MAP_FIXED mapping inside the existing stack Vma. This will confuse expand_{downwards,upwards} into thinking that the stack expansion would in fact get us too close to an existing non-stack vma which is a correct behavior wrt. safety. It is a real regression on the other hand. Let's work around the problem by considering PROT_NONE mapping as a part of the stack. This is a gros hack but overflowing to such a mapping would trap anyway an we only can hope that usespace knows what it is doing and handle it propely. Fixes: d4d2d35e6ef9 ("mm: larger stack guard gap, between vmas") Debugged-by: Vlastimil Babka <vbabka@suse.cz> Cc: stable Signed-off-by: Michal Hocko <mhocko@suse.com> --- Hi, the original thread [1] has grown quite large and also a bit confusing. At least the rust part should be fixed by this patch. 32b java will probably need something more on top of this. Btw. JNI environments rely on MAP_FIXED PROT_NONE as well they were just lucky to not hit the issue yet I guess. [1] http://lkml.kernel.org/r/1499126133.2707.20.camel@decadent.org.uk mm/mmap.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index f60a8bc2869c..2e996cbf4ff3 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -2244,7 +2244,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) gap_addr = TASK_SIZE; next = vma->vm_next; - if (next && next->vm_start < gap_addr) { + if (next && next->vm_start < gap_addr && + (next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) { if (!(next->vm_flags & VM_GROWSUP)) return -ENOMEM; /* Check that both stack segments have the same anon_vma? */ @@ -2325,7 +2326,8 @@ int expand_downwards(struct vm_area_struct *vma, /* Enforce stack_guard_gap */ prev = vma->vm_prev; /* Check that both stack segments have the same anon_vma? */ - if (prev && !(prev->vm_flags & VM_GROWSDOWN)) { + if (prev && !(prev->vm_flags & VM_GROWSDOWN) && + (prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) { if (address - prev->vm_end < stack_guard_gap) return -ENOMEM; } -- 2.11.0 -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next reply other threads:[~2017-07-05 16:56 UTC|newest] Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-07-05 16:56 Michal Hocko [this message] 2017-07-05 16:56 ` [PATCH] mm: mm, mmap: do not blow on PROT_NONE MAP_FIXED holes in the stack Michal Hocko 2017-07-05 17:43 ` Linus Torvalds 2017-07-05 17:43 ` Linus Torvalds 2017-07-05 18:28 ` Michal Hocko 2017-07-05 18:28 ` Michal Hocko 2017-07-05 18:35 ` Linus Torvalds 2017-07-05 18:35 ` Linus Torvalds 2017-07-05 18:53 ` Michal Hocko 2017-07-05 18:53 ` Michal Hocko 2017-07-05 19:10 ` Michal Hocko 2017-07-05 19:10 ` Michal Hocko 2017-07-05 19:15 ` Linus Torvalds 2017-07-05 19:15 ` Linus Torvalds 2017-07-05 19:17 ` Willy Tarreau 2017-07-05 19:17 ` Willy Tarreau 2017-07-05 21:18 ` Andrew Morton 2017-07-05 21:18 ` Andrew Morton 2017-07-05 21:41 ` Linus Torvalds 2017-07-05 21:41 ` Linus Torvalds 2017-07-06 6:47 ` Michal Hocko 2017-07-06 6:47 ` Michal Hocko
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20170705165602.15005-1-mhocko@kernel.org \ --to=mhocko@kernel.org \ --cc=akpm@linux-foundation.org \ --cc=ben@decadent.org.uk \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=mhocko@suse.com \ --cc=oleg@redhat.com \ --cc=riel@redhat.com \ --cc=torvalds@linux-foundation.org \ --cc=vbabka@suse.cz \ --cc=w@1wt.eu \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.