[linux] 01/03: mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Nov 30 19:31:09 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch stretch
in repository linux.

commit 383f1a260a0f7c82314341a553fad69ea3722044
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Nov 30 00:49:57 2017 +0000

    mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
    
    Closes: #865416
---
 debian/changelog                                   |  2 +
 ...o-not-blow-on-prot_none-map_fixed-holes-i.patch | 58 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 61 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 3ea9eb8..3c53c8e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -726,6 +726,8 @@ linux (4.9.65-1) UNRELEASED; urgency=medium
     - fs: convert two more BH_Uptodate_Lock related bitspinlocks
     - locking/rt-mutex: fix deadlock in device mapper / block-IO
     - md/raid5: do not disable interrupts
+  * mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
+    (Closes: #865416)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 01 Oct 2017 16:14:43 +0100
 
diff --git a/debian/patches/bugfix/all/mm-mmap.c-do-not-blow-on-prot_none-map_fixed-holes-i.patch b/debian/patches/bugfix/all/mm-mmap.c-do-not-blow-on-prot_none-map_fixed-holes-i.patch
new file mode 100644
index 0000000..facaaa0
--- /dev/null
+++ b/debian/patches/bugfix/all/mm-mmap.c-do-not-blow-on-prot_none-map_fixed-holes-i.patch
@@ -0,0 +1,58 @@
+From: Michal Hocko <mhocko at suse.com>
+Date: Mon, 10 Jul 2017 15:49:51 -0700
+Subject: mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
+Origin: https://git.kernel.org/linus/561b5e0709e4a248c67d024d4d94b6e31e3edf2f
+Bug-Debian: https://bugs.debian.org/865416
+
+Commit 1be7107fbe18 ("mm: larger stack guard gap, between vmas") has
+introduced a regression in some rust and Java environments which are
+trying to implement their own stack guard page.  They are punching a new
+MAP_FIXED mapping inside the existing stack Vma.
+
+This will confuse expand_{downwards,upwards} into thinking that the
+stack expansion would in fact get us too close to an existing non-stack
+vma which is a correct behavior wrt safety.  It is a real regression on
+the other hand.
+
+Let's work around the problem by considering PROT_NONE mapping as a part
+of the stack.  This is a gros hack but overflowing to such a mapping
+would trap anyway an we only can hope that usespace knows what it is
+doing and handle it propely.
+
+Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
+Link: http://lkml.kernel.org/r/20170705182849.GA18027@dhcp22.suse.cz
+Signed-off-by: Michal Hocko <mhocko at suse.com>
+Debugged-by: Vlastimil Babka <vbabka at suse.cz>
+Cc: Ben Hutchings <ben at decadent.org.uk>
+Cc: Willy Tarreau <w at 1wt.eu>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: Rik van Riel <riel at redhat.com>
+Cc: Hugh Dickins <hughd at google.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ mm/mmap.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2240,7 +2240,8 @@ int expand_upwards(struct vm_area_struct
+ 		gap_addr = TASK_SIZE;
+ 
+ 	next = vma->vm_next;
+-	if (next && next->vm_start < gap_addr) {
++	if (next && next->vm_start < gap_addr &&
++			(next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
+ 		if (!(next->vm_flags & VM_GROWSUP))
+ 			return -ENOMEM;
+ 		/* Check that both stack segments have the same anon_vma? */
+@@ -2324,7 +2325,8 @@ int expand_downwards(struct vm_area_stru
+ 	if (gap_addr > address)
+ 		return -ENOMEM;
+ 	prev = vma->vm_prev;
+-	if (prev && prev->vm_end > gap_addr) {
++	if (prev && prev->vm_end > gap_addr &&
++			(prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
+ 		if (!(prev->vm_flags & VM_GROWSDOWN))
+ 			return -ENOMEM;
+ 		/* Check that both stack segments have the same anon_vma? */
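Review bot: The relaxed conditions in both hunks (`(next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))` in expand_upwards and the matching `prev->vm_flags` test in expand_downwards) make every neighbouring mapping with no access bits invisible to the stack guard gap, not only the guard pages the description has in mind, and nothing in this path re-evaluates the gap if such a neighbour's permissions are changed later; since the description itself calls this a hack that relies on userspace, suggest a short comment above each new condition stating that PROT_NONE neighbours are deliberately treated as part of the stack, so the intent survives later refactoring of the guard-gap check. The `@@ -2240,7 +2240,8 @@` and `@@ -2324,7 +2325,8 @@` headers carry upstream line numbers, so confirm the hunks land on the intended `if (next && ...)` / `if (prev && ...)` lines in the 4.9.65 tree and that the `VM_GROWSUP` / `VM_GROWSDOWN` check below each remains inside the new condition.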
diff --git a/debian/patches/series b/debian/patches/series
index 5bb21c9..fd9d7f3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -98,6 +98,7 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
 bugfix/all/kbuild-do-not-use-hyphen-in-exported-variable-name.patch
 bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
 bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
+bugfix/all/mm-mmap.c-do-not-blow-on-prot_none-map_fixed-holes-i.patch
 
 # Miscellaneous features
 features/all/netfilter-nft_ct-add-notrack-support.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
