On Wed, 19 Feb 2020 13:46:03 +0000 Will Deacon <will@xxxxxxxxxx> wrote:

> On Wed, Feb 19, 2020 at 12:31:56PM +0000, Catalin Marinas wrote:
> > Currently the arm64 kernel ignores the top address byte passed to brk(),
> > mmap() and mremap(). When the user is not aware of the 56-bit address
> > limit or relies on the kernel to return an error, untagging such
> > pointers has the potential to create address aliases in user-space.
> > Passing a tagged address to munmap(), madvise() is permitted since the
> > tagged pointer is expected to be inside an existing mapping.
> >
> > The current behaviour breaks the existing glibc malloc() implementation
> > which relies on brk() with an address beyond 56-bit to be rejected by
> > the kernel.
> >
> > Remove untagging in the above functions by partially reverting commit
> > ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
> > addition, update the arm64 tagged-address-abi.rst document accordingly.
> >
> > Link: https://bugzilla.redhat.com/1797052
> > Fixes: ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk")
> > Cc: <stable@xxxxxxxxxxxxxxx> # 5.4.x-
> > Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> > Cc: Florian Weimer <fweimer@xxxxxxxxxx>
> > Reported-by: Victor Stinner <vstinner@xxxxxxxxxx>
> > Acked-by: Will Deacon <will@xxxxxxxxxx>
> > Acked-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
> > Signed-off-by: Catalin Marinas <catalin.marinas@xxxxxxx>
> > ---
> >
> > Changes in v2:
> >
> > - Added note to tagged-address-abi.rst that this behaviour changed in v5.6 and
> >   some older kernels may still have the old behaviour.
> >
> > - Updated the commit log to make it clearer we broke the user ABI, also adding
> >   link to the Red Hat bugzilla entry.
>
> Cheers, I'll queue this up as I have a couple of other arm64 fixes pending
> now. (Andrew, please shout if you'd prefer to take it).

Please go ahead.

Reviewed-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
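As an added illustration, not code from the patch or from the kernel, the following user-space C model contrasts the two brk()/mmap() address-validation behaviours the commit message describes: untag-then-check (the reverted behaviour) versus checking the raw address (after the revert). The 56-bit limit follows the text; the real arm64 TASK_SIZE is smaller, and the sample pointer values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model only: the kernel's real checks live in brk()/get_unmapped_area().
 * The limit mirrors the "56-bit address limit" from the commit message;
 * the actual arm64 TASK_SIZE is lower (assumption for illustration). */
#define TAG_SHIFT 56
#define VA_LIMIT_MODEL (1ULL << TAG_SHIFT)

/* Clears the top address byte, as untagged_addr() does for tagged pointers. */
static inline uint64_t model_untag(uint64_t addr)
{
	return addr & (VA_LIMIT_MODEL - 1);
}

/* Reverted behaviour (ce18d171cb73): the hint is untagged before the range
 * check, so a tagged pointer is silently accepted as a different address. */
static bool old_brk_accepts(uint64_t addr)
{
	return model_untag(addr) < VA_LIMIT_MODEL;
}

/* Behaviour after the revert: the raw address is range-checked, so any
 * pointer with bits set above the limit is rejected, which is what the
 * glibc malloc() brk() probe relies on. */
static bool new_brk_accepts(uint64_t addr)
{
	return addr < VA_LIMIT_MODEL;
}

/* Two distinct user pointers alias under the old scheme when they differ
 * only in the tag byte: the kernel would operate on the same address. */
static bool old_scheme_aliases(uint64_t a, uint64_t b)
{
	return a != b && model_untag(a) == model_untag(b);
}

int main(void)
{
	uint64_t plain = 0x0000aaaab0000000ULL;            /* constructed */
	uint64_t tagged = plain | (0x2aULL << TAG_SHIFT);  /* tag byte 0x2a */

	printf("old: plain=%d tagged=%d alias=%d\n", old_brk_accepts(plain),
	       old_brk_accepts(tagged), old_scheme_aliases(plain, tagged));
	printf("new: plain=%d tagged=%d\n", new_brk_accepts(plain),
	       new_brk_accepts(tagged));
	return 0;
}
```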