[PATCH v2] mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()

[PATCH v2] mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()

[Catalin Marinas]

Currently the arm64 kernel ignores the top address byte passed to brk(),
mmap() and mremap(). When the user is not aware of the 56-bit address
limit or relies on the kernel to return an error, untagging such
pointers has the potential to create address aliases in user-space.
Passing a tagged address to munmap(), madvise() is permitted since the
tagged pointer is expected to be inside an existing mapping.

The current behaviour breaks the existing glibc malloc() implementation
which relies on brk() with an address beyond 56-bit to be rejected by
the kernel.

Remove untagging in the above functions by partially reverting commit
ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
addition, update the arm64 tagged-address-abi.rst document accordingly.

Link: https://bugzilla.redhat.com/1797052
Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk")
Cc: <stable@vger.kernel.org> # 5.4.x-
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Reported-by: Victor Stinner <vstinner@redhat.com>
Acked-by: Will Deacon <will@kernel.org>
Acked-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
---

Changes in v2:

- Added note to tagged-address-abi.rst that this behaviour changed in v5.6 and
  some older kernel may still have the old behaviour.

- Updated the commit log to make it clearer we broke the user ABI, also adding
  link to the Red Hat bugzilla entry.

v1 available here:

http://lkml.kernel.org/r/20200218122310.72710-1-catalin.marinas@arm.com

 Documentation/arm64/tagged-address-abi.rst | 11 +++++++++--
 mm/mmap.c                                  |  4 ----
 mm/mremap.c                                |  1 -
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/Documentation/arm64/tagged-address-abi.rst b/Documentation/arm64/tagged-address-abi.rst
index d4a85d535bf9..f6289116893c 100644
--- a/Documentation/arm64/tagged-address-abi.rst
+++ b/Documentation/arm64/tagged-address-abi.rst
@@ -44,8 +44,15 @@ The AArch64 Tagged Address ABI has two stages of relaxation depending
 how the user addresses are used by the kernel:
 
 1. User addresses not accessed by the kernel but used for address space
-   management (e.g. ``mmap()``, ``mprotect()``, ``madvise()``). The use
-   of valid tagged pointers in this context is always allowed.
+   management (e.g. ``mprotect()``, ``madvise()``). The use of valid
+   tagged pointers in this context is allowed with the exception of
+   ``brk()``, ``mmap()`` and the ``new_address`` argument to
+   ``mremap()`` as these have the potential of aliasing with existing
+   user addresses.
+
+   NOTE: This behaviour changed in v5.6 and so some earlier kernels may
+   incorrectly accept valid tagged pointers for the ``brk()``,
+   ``mmap()`` and ``mremap()`` system calls.
 
 2. User addresses accessed by the kernel (e.g. ``write()``). This ABI
    relaxation is disabled by default and the application thread needs to
diff --git a/mm/mmap.c b/mm/mmap.c
index 6756b8bb0033..d681a20eb4ea 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -195,8 +195,6 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
 	bool downgraded = false;
 	LIST_HEAD(uf);
 
-	brk = untagged_addr(brk);
-
 	if (down_write_killable(&mm->mmap_sem))
 		return -EINTR;
 
@@ -1557,8 +1555,6 @@ unsigned long ksys_mmap_pgoff(unsigned long addr, unsigned long len,
 	struct file *file = NULL;
 	unsigned long retval;
 
-	addr = untagged_addr(addr);
-
 	if (!(flags & MAP_ANONYMOUS)) {
 		audit_mmap_fd(fd, flags);
 		file = fget(fd);
diff --git a/mm/mremap.c b/mm/mremap.c
index 122938dcec15..af363063ea23 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -607,7 +607,6 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
 	LIST_HEAD(uf_unmap);
 
 	addr = untagged_addr(addr);
-	new_addr = untagged_addr(new_addr);
 
 	if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
 		return ret;

[PATCH v2] mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()

[Catalin Marinas]

Currently the arm64 kernel ignores the top address byte passed to brk(),
mmap() and mremap(). When the user is not aware of the 56-bit address
limit or relies on the kernel to return an error, untagging such
pointers has the potential to create address aliases in user-space.
Passing a tagged address to munmap(), madvise() is permitted since the
tagged pointer is expected to be inside an existing mapping.

The current behaviour breaks the existing glibc malloc() implementation
which relies on brk() with an address beyond 56-bit to be rejected by
the kernel.

Remove untagging in the above functions by partially reverting commit
ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
addition, update the arm64 tagged-address-abi.rst document accordingly.

Link: https://bugzilla.redhat.com/1797052
Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk")
Cc: <stable@vger.kernel.org> # 5.4.x-
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Florian Weimer <fweimer@redhat.com>
Reported-by: Victor Stinner <vstinner@redhat.com>
Acked-by: Will Deacon <will@kernel.org>
Acked-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
---

Changes in v2:

- Added note to tagged-address-abi.rst that this behaviour changed in v5.6 and
  some older kernel may still have the old behaviour.

- Updated the commit log to make it clearer we broke the user ABI, also adding
  link to the Red Hat bugzilla entry.

v1 available here:

http://lkml.kernel.org/r/20200218122310.72710-1-catalin.marinas@arm.com

 Documentation/arm64/tagged-address-abi.rst | 11 +++++++++--
 mm/mmap.c                                  |  4 ----
 mm/mremap.c                                |  1 -
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/Documentation/arm64/tagged-address-abi.rst b/Documentation/arm64/tagged-address-abi.rst
index d4a85d535bf9..f6289116893c 100644
--- a/Documentation/arm64/tagged-address-abi.rst
+++ b/Documentation/arm64/tagged-address-abi.rst
@@ -44,8 +44,15 @@ The AArch64 Tagged Address ABI has two stages of relaxation depending
 how the user addresses are used by the kernel:
 
 1. User addresses not accessed by the kernel but used for address space
-   management (e.g. ``mmap()``, ``mprotect()``, ``madvise()``). The use
-   of valid tagged pointers in this context is always allowed.
+   management (e.g. ``mprotect()``, ``madvise()``). The use of valid
+   tagged pointers in this context is allowed with the exception of
+   ``brk()``, ``mmap()`` and the ``new_address`` argument to
+   ``mremap()`` as these have the potential of aliasing with existing
+   user addresses.
+
+   NOTE: This behaviour changed in v5.6 and so some earlier kernels may
+   incorrectly accept valid tagged pointers for the ``brk()``,
+   ``mmap()`` and ``mremap()`` system calls.
 
 2. User addresses accessed by the kernel (e.g. ``write()``). This ABI
    relaxation is disabled by default and the application thread needs to
diff --git a/mm/mmap.c b/mm/mmap.c
index 6756b8bb0033..d681a20eb4ea 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -195,8 +195,6 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
 	bool downgraded = false;
 	LIST_HEAD(uf);
 
-	brk = untagged_addr(brk);
-
 	if (down_write_killable(&mm->mmap_sem))
 		return -EINTR;
 
@@ -1557,8 +1555,6 @@ unsigned long ksys_mmap_pgoff(unsigned long addr, unsigned long len,
 	struct file *file = NULL;
 	unsigned long retval;
 
-	addr = untagged_addr(addr);
-
 	if (!(flags & MAP_ANONYMOUS)) {
 		audit_mmap_fd(fd, flags);
 		file = fget(fd);
diff --git a/mm/mremap.c b/mm/mremap.c
index 122938dcec15..af363063ea23 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -607,7 +607,6 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
 	LIST_HEAD(uf_unmap);
 
 	addr = untagged_addr(addr);
-	new_addr = untagged_addr(new_addr);
 
 	if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
 		return ret;

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v2] mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()

[Will Deacon]

On Wed, Feb 19, 2020 at 12:31:56PM +0000, Catalin Marinas wrote:
> Currently the arm64 kernel ignores the top address byte passed to brk(),
> mmap() and mremap(). When the user is not aware of the 56-bit address
> limit or relies on the kernel to return an error, untagging such
> pointers has the potential to create address aliases in user-space.
> Passing a tagged address to munmap(), madvise() is permitted since the
> tagged pointer is expected to be inside an existing mapping.
> 
> The current behaviour breaks the existing glibc malloc() implementation
> which relies on brk() with an address beyond 56-bit to be rejected by
> the kernel.
> 
> Remove untagging in the above functions by partially reverting commit
> ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
> addition, update the arm64 tagged-address-abi.rst document accordingly.
> 
> Link: https://bugzilla.redhat.com/1797052
> Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk")
> Cc: <stable@vger.kernel.org> # 5.4.x-
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Florian Weimer <fweimer@redhat.com>
> Reported-by: Victor Stinner <vstinner@redhat.com>
> Acked-by: Will Deacon <will@kernel.org>
> Acked-by: Andrey Konovalov <andreyknvl@google.com>
> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
> ---
> 
> Changes in v2:
> 
> - Added note to tagged-address-abi.rst that this behaviour changed in v5.6 and
>   some older kernel may still have the old behaviour.
> 
> - Updated the commit log to make it clearer we broke the user ABI, also adding
>   link to the Red Hat bugzilla entry.

Cheers, I'll queue this up as I have a couple of other arm64 fixes pending
now. (Andrew, please shout if you'd prefer to take it).

Will

Re: [PATCH v2] mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()

[Will Deacon]

On Wed, Feb 19, 2020 at 12:31:56PM +0000, Catalin Marinas wrote:
> Currently the arm64 kernel ignores the top address byte passed to brk(),
> mmap() and mremap(). When the user is not aware of the 56-bit address
> limit or relies on the kernel to return an error, untagging such
> pointers has the potential to create address aliases in user-space.
> Passing a tagged address to munmap(), madvise() is permitted since the
> tagged pointer is expected to be inside an existing mapping.
> 
> The current behaviour breaks the existing glibc malloc() implementation
> which relies on brk() with an address beyond 56-bit to be rejected by
> the kernel.
> 
> Remove untagging in the above functions by partially reverting commit
> ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
> addition, update the arm64 tagged-address-abi.rst document accordingly.
> 
> Link: https://bugzilla.redhat.com/1797052
> Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk")
> Cc: <stable@vger.kernel.org> # 5.4.x-
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Florian Weimer <fweimer@redhat.com>
> Reported-by: Victor Stinner <vstinner@redhat.com>
> Acked-by: Will Deacon <will@kernel.org>
> Acked-by: Andrey Konovalov <andreyknvl@google.com>
> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
> ---
> 
> Changes in v2:
> 
> - Added note to tagged-address-abi.rst that this behaviour changed in v5.6 and
>   some older kernel may still have the old behaviour.
> 
> - Updated the commit log to make it clearer we broke the user ABI, also adding
>   link to the Red Hat bugzilla entry.

Cheers, I'll queue this up as I have a couple of other arm64 fixes pending
now. (Andrew, please shout if you'd prefer to take it).

Will

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH v2] mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()

[Andrew Morton]

On Wed, 19 Feb 2020 13:46:03 +0000 Will Deacon <will@kernel.org> wrote:

> On Wed, Feb 19, 2020 at 12:31:56PM +0000, Catalin Marinas wrote:
> > Currently the arm64 kernel ignores the top address byte passed to brk(),
> > mmap() and mremap(). When the user is not aware of the 56-bit address
> > limit or relies on the kernel to return an error, untagging such
> > pointers has the potential to create address aliases in user-space.
> > Passing a tagged address to munmap(), madvise() is permitted since the
> > tagged pointer is expected to be inside an existing mapping.
> > 
> > The current behaviour breaks the existing glibc malloc() implementation
> > which relies on brk() with an address beyond 56-bit to be rejected by
> > the kernel.
> > 
> > Remove untagging in the above functions by partially reverting commit
> > ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
> > addition, update the arm64 tagged-address-abi.rst document accordingly.
> > 
> > Link: https://bugzilla.redhat.com/1797052
> > Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk")
> > Cc: <stable@vger.kernel.org> # 5.4.x-
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > Cc: Florian Weimer <fweimer@redhat.com>
> > Reported-by: Victor Stinner <vstinner@redhat.com>
> > Acked-by: Will Deacon <will@kernel.org>
> > Acked-by: Andrey Konovalov <andreyknvl@google.com>
> > Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
> > ---
> > 
> > Changes in v2:
> > 
> > - Added note to tagged-address-abi.rst that this behaviour changed in v5.6 and
> >   some older kernel may still have the old behaviour.
> > 
> > - Updated the commit log to make it clearer we broke the user ABI, also adding
> >   link to the Red Hat bugzilla entry.
> 
> Cheers, I'll queue this up as I have a couple of other arm64 fixes pending
> now. (Andrew, please shout if you'd prefer to take it).

Please go ahead.

Reviewed-by: Andrew Morton <akpm@linux-foundation.org>

Re: [PATCH v2] mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()

[Andrew Morton]

On Wed, 19 Feb 2020 13:46:03 +0000 Will Deacon <will@kernel.org> wrote:

> On Wed, Feb 19, 2020 at 12:31:56PM +0000, Catalin Marinas wrote:
> > Currently the arm64 kernel ignores the top address byte passed to brk(),
> > mmap() and mremap(). When the user is not aware of the 56-bit address
> > limit or relies on the kernel to return an error, untagging such
> > pointers has the potential to create address aliases in user-space.
> > Passing a tagged address to munmap(), madvise() is permitted since the
> > tagged pointer is expected to be inside an existing mapping.
> > 
> > The current behaviour breaks the existing glibc malloc() implementation
> > which relies on brk() with an address beyond 56-bit to be rejected by
> > the kernel.
> > 
> > Remove untagging in the above functions by partially reverting commit
> > ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
> > addition, update the arm64 tagged-address-abi.rst document accordingly.
> > 
> > Link: https://bugzilla.redhat.com/1797052
> > Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk")
> > Cc: <stable@vger.kernel.org> # 5.4.x-
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > Cc: Florian Weimer <fweimer@redhat.com>
> > Reported-by: Victor Stinner <vstinner@redhat.com>
> > Acked-by: Will Deacon <will@kernel.org>
> > Acked-by: Andrey Konovalov <andreyknvl@google.com>
> > Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
> > ---
> > 
> > Changes in v2:
> > 
> > - Added note to tagged-address-abi.rst that this behaviour changed in v5.6 and
> >   some older kernel may still have the old behaviour.
> > 
> > - Updated the commit log to make it clearer we broke the user ABI, also adding
> >   link to the Red Hat bugzilla entry.
> 
> Cheers, I'll queue this up as I have a couple of other arm64 fixes pending
> now. (Andrew, please shout if you'd prefer to take it).

Please go ahead.

Reviewed-by: Andrew Morton <akpm@linux-foundation.org>

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel