[BUG] x86: 32-bit uprobes are broken

[BUG] x86: 32-bit uprobes are broken

[Oleg Nesterov]

Paulo reported that uprobing the 32-bit tasks is broken.

This script

	#!/usr/bin/bash

	echo 0 > /proc/sys/kernel/randomize_va_space

	echo 'void main(void) {}' > TEST.c

	# -fcf-protection to ensure that the 1st endbr32 insn can't be eulated
	gcc -m32 -fcf-protection=branch TEST.c -o test

	bpftrace -e 'uprobe:./test:main {}' -c ./test

"hangs", the probed ./test task enters the endless loop.

This patch

	--- a/kernel/events/uprobes.c
	+++ b/kernel/events/uprobes.c
	@@ -1710,8 +1710,11 @@ static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
	 
		if (!area->vaddr) {
			/* Try to map as high as possible, this is only a hint. */
	+		if (test_thread_flag(TIF_ADDR32))
	+			current_thread_info()->status |= TS_COMPAT;
			area->vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE,
							PAGE_SIZE, 0, 0);
	+		current_thread_info()->status &= ~TS_COMPAT;
			if (IS_ERR_VALUE(area->vaddr)) {
				ret = area->vaddr;
				goto fail;

or this one

	--- a/arch/x86/kernel/sys_x86_64.c
	+++ b/arch/x86/kernel/sys_x86_64.c
	@@ -205,6 +205,8 @@ arch_get_unmapped_area_topdown(struct file *filp, unsigned long addr0,
			info.low_limit = PAGE_SIZE;
	 
		info.high_limit = get_mmap_base(0);
	+	if (test_thread_flag(TIF_ADDR32))
	+		info.high_limit = current->mm->mmap_compat_base;
		if (!(filp && is_file_hugepages(filp))) {
			info.start_gap = stack_guard_placement(vm_flags);
			info.align_offset = pgoff << PAGE_SHIFT;

"fixes" the problem.

-----------------------------------------------------------------------------------------
The problem is that with randomize_va_space == 0 get_unmapped_area(TASK_SIZE - PAGE_SIZE)
called by xol_add_vma() can't just return the "addr == TASK_SIZE - PAGE_SIZE" hint, this
addr is used by the stack vma.

arch_get_unmapped_area/arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into
account and in_32bit_syscall() is false, this leads to info.high_limit > TASK_SIZE.
get_area() happily returns the "high" address and then get_unmapped_area() returns
ENOMEM after the

	if (addr > TASK_SIZE - len)
		return -ENOMEM;

check; TASK_SIZE checks TIF_ADDR32.

handle_swbp() doesn't report this failure (probably it should) and silently restarts
the probed insn. Endless loop.

-----------------------------------------------------------------------------------------
I am considering the patch which adds something like

	// x86 version will use the TS_COMPAT hack
	unsigned long __weak arch_uprobe_area(void)
	{
		return get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
	}

but perhaps there is a better solution? perhaps it makes more sense to change
arch/x86/kernel/sys_x86_64.c? What is the point of ignoring TIF_ADDR32 if the
high adress will be nacked by the "if (addr > TASK_SIZE - len)" check anyway?

Oleg.

Re: [BUG] x86: 32-bit uprobes are broken

[Peter Zijlstra]

On Wed, Jan 07, 2026 at 03:32:53PM +0100, Oleg Nesterov wrote:
> Paulo reported that uprobing the 32-bit tasks is broken.
> 
> This script
> 
> 	#!/usr/bin/bash
> 
> 	echo 0 > /proc/sys/kernel/randomize_va_space
> 
> 	echo 'void main(void) {}' > TEST.c
> 
> 	# -fcf-protection to ensure that the 1st endbr32 insn can't be eulated
> 	gcc -m32 -fcf-protection=branch TEST.c -o test
> 
> 	bpftrace -e 'uprobe:./test:main {}' -c ./test
> 
> "hangs", the probed ./test task enters the endless loop.
> 
> This patch
> 
> 	--- a/kernel/events/uprobes.c
> 	+++ b/kernel/events/uprobes.c
> 	@@ -1710,8 +1710,11 @@ static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
> 	 
> 		if (!area->vaddr) {
> 			/* Try to map as high as possible, this is only a hint. */
> 	+		if (test_thread_flag(TIF_ADDR32))
> 	+			current_thread_info()->status |= TS_COMPAT;
> 			area->vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE,
> 							PAGE_SIZE, 0, 0);
> 	+		current_thread_info()->status &= ~TS_COMPAT;
> 			if (IS_ERR_VALUE(area->vaddr)) {
> 				ret = area->vaddr;
> 				goto fail;

Urgh. Also I'm a little bit confused; set_personality_ia32(), which is
what sets TIF_ADDR32 (afaict) would also set TS_COMPAT, no?

> or this one
> 
> 	--- a/arch/x86/kernel/sys_x86_64.c
> 	+++ b/arch/x86/kernel/sys_x86_64.c
> 	@@ -205,6 +205,8 @@ arch_get_unmapped_area_topdown(struct file *filp, unsigned long addr0,
> 			info.low_limit = PAGE_SIZE;
> 	 
> 		info.high_limit = get_mmap_base(0);
> 	+	if (test_thread_flag(TIF_ADDR32))
> 	+		info.high_limit = current->mm->mmap_compat_base;
> 		if (!(filp && is_file_hugepages(filp))) {
> 			info.start_gap = stack_guard_placement(vm_flags);
> 			info.align_offset = pgoff << PAGE_SHIFT;

This one would be broken if there is ever a case where
get_unmapped_area() is called for mm != current->mm.

Ah, but get_mmap_base() seems to already rely on that. What a mess :/

Why can't get_mmap_base() rely on TIF_ADDR32 rather than TS_COMPAT? What
funny games are being played here? Mixed mode mm where some threads are
32bit and others are not?

> "fixes" the problem.
> 
> -----------------------------------------------------------------------------------------
> The problem is that with randomize_va_space == 0 get_unmapped_area(TASK_SIZE - PAGE_SIZE)
> called by xol_add_vma() can't just return the "addr == TASK_SIZE - PAGE_SIZE" hint, this
> addr is used by the stack vma.
> 
> arch_get_unmapped_area/arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into
> account and in_32bit_syscall() is false, this leads to info.high_limit > TASK_SIZE.
> get_area() happily returns the "high" address and then get_unmapped_area() returns
> ENOMEM after the
> 
> 	if (addr > TASK_SIZE - len)
> 		return -ENOMEM;
> 
> check; TASK_SIZE checks TIF_ADDR32.
> 
> handle_swbp() doesn't report this failure (probably it should) and silently restarts
> the probed insn. Endless loop.
> 
> -----------------------------------------------------------------------------------------
> I am considering the patch which adds something like
> 
> 	// x86 version will use the TS_COMPAT hack
> 	unsigned long __weak arch_uprobe_area(void)
> 	{
> 		return get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
> 	}
> 
> but perhaps there is a better solution? perhaps it makes more sense to change
> arch/x86/kernel/sys_x86_64.c? What is the point of ignoring TIF_ADDR32 if the
> high adress will be nacked by the "if (addr > TASK_SIZE - len)" check anyway?

To me it seems a bit weird that get_unmapped_area() is so disconnected
from mm_struct.

Re: [BUG] x86: 32-bit uprobes are broken

[Oleg Nesterov]

On 01/07, Peter Zijlstra wrote:
>
> On Wed, Jan 07, 2026 at 03:32:53PM +0100, Oleg Nesterov wrote:
> > This patch
> >
> > 	--- a/kernel/events/uprobes.c
> > 	+++ b/kernel/events/uprobes.c
> > 	@@ -1710,8 +1710,11 @@ static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
> >
> > 		if (!area->vaddr) {
> > 			/* Try to map as high as possible, this is only a hint. */
> > 	+		if (test_thread_flag(TIF_ADDR32))
> > 	+			current_thread_info()->status |= TS_COMPAT;
> > 			area->vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE,
> > 							PAGE_SIZE, 0, 0);
> > 	+		current_thread_info()->status &= ~TS_COMPAT;
> > 			if (IS_ERR_VALUE(area->vaddr)) {
> > 				ret = area->vaddr;
> > 				goto fail;
>
> Urgh. Also I'm a little bit confused; set_personality_ia32(), which is
> what sets TIF_ADDR32 (afaict) would also set TS_COMPAT, no?

Yep. But TS_COMPAT is per syscall, not per task. It is cleared in
arch_exit_to_user_mode_prepare(), in this case after sys_execve() syscall.

Oleg.

Re: [BUG] x86: 32-bit uprobes are broken

[Oleg Nesterov]

On 01/07, Peter Zijlstra wrote:
>
> On Wed, Jan 07, 2026 at 03:32:53PM +0100, Oleg Nesterov wrote:
>
> > or this one
> >
> > 	--- a/arch/x86/kernel/sys_x86_64.c
> > 	+++ b/arch/x86/kernel/sys_x86_64.c
> > 	@@ -205,6 +205,8 @@ arch_get_unmapped_area_topdown(struct file *filp, unsigned long addr0,
> > 			info.low_limit = PAGE_SIZE;
> >
> > 		info.high_limit = get_mmap_base(0);
> > 	+	if (test_thread_flag(TIF_ADDR32))
> > 	+		info.high_limit = current->mm->mmap_compat_base;
> > 		if (!(filp && is_file_hugepages(filp))) {
> > 			info.start_gap = stack_guard_placement(vm_flags);
> > 			info.align_offset = pgoff << PAGE_SHIFT;
>
> This one would be broken if there is ever a case where
> get_unmapped_area() is called for mm != current->mm.
>
> Ah, but get_mmap_base() seems to already rely on that. What a mess :/

Yes, mm_get_unmapped_area_vmflags() paths assume mm == current->mm

> Why can't get_mmap_base() rely on TIF_ADDR32 rather than TS_COMPAT? What
> funny games are being played here? Mixed mode mm where some threads are
> 32bit and others are not?

Exactly. I don't understand this. And again, __get_unmapped_area() will use
TIF_ADDR32 in the "if (addr > TASK_SIZE - len)" check and return ENOMEM
anyway. I don't see the point in using in_32bit_syscall().

And. I just noticed another problem. What if CONFIG_X86_X32_ABI=y ?
In this case ->orig_ax = -1 and this makes in_x32_syscall() and thus
in_32bit_syscall() true.

OK, we need a simple fix for stable, I'll make a patch based on TS_COMPAT
hack for now.

Oleg.

[PATCH] x86/uprobes: Fix XOL allocation failure for 32-bit tasks

[Oleg Nesterov]

This script

	#!/usr/bin/bash

	echo 0 > /proc/sys/kernel/randomize_va_space

	echo 'void main(void) {}' > TEST.c

	# -fcf-protection to ensure that the 1st endbr32 insn can't be emulated
	gcc -m32 -fcf-protection=branch TEST.c -o test

	bpftrace -e 'uprobe:./test:main {}' -c ./test

"hangs", the probed ./test task enters an endless loop.

The problem is that with randomize_va_space == 0
get_unmapped_area(TASK_SIZE - PAGE_SIZE) called by xol_add_vma() can not
just return the "addr == TASK_SIZE - PAGE_SIZE" hint, this addr is used
by the stack vma.

arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into account and
in_32bit_syscall() is false, this leads to info.high_limit > TASK_SIZE.
vm_unmapped_area() happily returns the high address > TASK_SIZE and then
get_unmapped_area() returns -ENOMEM after the "if (addr > TASK_SIZE - len)"
check.

handle_swbp() doesn't report this failure (probably it should) and silently
restarts the probed insn. Endless loop.

I think that the right fix should change the x86 get_unmapped_area() paths
to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if
CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case
because ->orig_ax = -1.

But we need a simple fix for -stable, so this patch just sets TS_COMPAT if
the probed task is 32-bit to make in_ia32_syscall() true.

Cc: stable@vger.kernel.org
Reported-by: Paulo Andrade <pandrade@redhat.com>
Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
 arch/x86/kernel/uprobes.c | 24 ++++++++++++++++++++++++
 include/linux/uprobes.h   |  1 +
 kernel/events/uprobes.c   | 10 +++++++---
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
index 7be8e361ca55..2dbd2e0691f7 100644
--- a/arch/x86/kernel/uprobes.c
+++ b/arch/x86/kernel/uprobes.c
@@ -1823,3 +1823,27 @@ bool is_uprobe_at_func_entry(struct pt_regs *regs)
 
 	return false;
 }
+
+#ifdef CONFIG_IA32_EMULATION
+unsigned long __weak arch_uprobe_get_xol_area(void)
+{
+	struct thread_info *ti = current_thread_info();
+	unsigned long vaddr;
+
+	/*
+	 * HACK: we are not in a syscall, but x86 get_unmapped_area() paths
+	 * ignore TIF_ADDR32 and rely on in_32bit_syscall() to calculate
+	 * vm_unmapped_area_info.high_limit.
+	 *
+	 * The #ifdef above doesn't cover the CONFIG_X86_X32_ABI=y case,
+	 * but in this case in_32bit_syscall() -> in_x32_syscall() always
+	 * (falsely) returns true because ->orig_ax == -1.
+	 */
+	if (test_thread_flag(TIF_ADDR32))
+		ti->status |= TS_COMPAT;
+	vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
+	ti->status &= ~TS_COMPAT;
+
+	return vaddr;
+}
+#endif
diff --git a/include/linux/uprobes.h b/include/linux/uprobes.h
index ee3d36eda45d..f548fea2adec 100644
--- a/include/linux/uprobes.h
+++ b/include/linux/uprobes.h
@@ -242,6 +242,7 @@ extern void arch_uprobe_clear_state(struct mm_struct *mm);
 extern void arch_uprobe_init_state(struct mm_struct *mm);
 extern void handle_syscall_uprobe(struct pt_regs *regs, unsigned long bp_vaddr);
 extern void arch_uprobe_optimize(struct arch_uprobe *auprobe, unsigned long vaddr);
+extern unsigned long arch_uprobe_get_xol_area(void);
 #else /* !CONFIG_UPROBES */
 struct uprobes_state {
 };
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index f11ceb8be8c4..4e45236064dc 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1694,6 +1694,12 @@ static const struct vm_special_mapping xol_mapping = {
 	.mremap = xol_mremap,
 };
 
+unsigned long __weak arch_uprobe_get_xol_area(void)
+{
+	/* Try to map as high as possible, this is only a hint. */
+	return get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
+}
+
 /* Slot allocation for XOL */
 static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
 {
@@ -1709,9 +1715,7 @@ static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
 	}
 
 	if (!area->vaddr) {
-		/* Try to map as high as possible, this is only a hint. */
-		area->vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE,
-						PAGE_SIZE, 0, 0);
+		area->vaddr = arch_uprobe_get_xol_area();
 		if (IS_ERR_VALUE(area->vaddr)) {
 			ret = area->vaddr;
 			goto fail;
-- 
2.52.0

Re: [PATCH] x86/uprobes: Fix XOL allocation failure for 32-bit tasks

[Peter Zijlstra]

On Sun, Jan 11, 2026 at 04:00:37PM +0100, Oleg Nesterov wrote:
> This script
> 
> 	#!/usr/bin/bash
> 
> 	echo 0 > /proc/sys/kernel/randomize_va_space
> 
> 	echo 'void main(void) {}' > TEST.c
> 
> 	# -fcf-protection to ensure that the 1st endbr32 insn can't be emulated
> 	gcc -m32 -fcf-protection=branch TEST.c -o test
> 
> 	bpftrace -e 'uprobe:./test:main {}' -c ./test
> 
> "hangs", the probed ./test task enters an endless loop.
> 
> The problem is that with randomize_va_space == 0
> get_unmapped_area(TASK_SIZE - PAGE_SIZE) called by xol_add_vma() can not
> just return the "addr == TASK_SIZE - PAGE_SIZE" hint, this addr is used
> by the stack vma.
> 
> arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into account and
> in_32bit_syscall() is false, this leads to info.high_limit > TASK_SIZE.
> vm_unmapped_area() happily returns the high address > TASK_SIZE and then
> get_unmapped_area() returns -ENOMEM after the "if (addr > TASK_SIZE - len)"
> check.
> 
> handle_swbp() doesn't report this failure (probably it should) and silently
> restarts the probed insn. Endless loop.
> 
> I think that the right fix should change the x86 get_unmapped_area() paths
> to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if
> CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case
> because ->orig_ax = -1.
> 
> But we need a simple fix for -stable, so this patch just sets TS_COMPAT if
> the probed task is 32-bit to make in_ia32_syscall() true.
> 
> Cc: stable@vger.kernel.org
> Reported-by: Paulo Andrade <pandrade@redhat.com>
> Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>

Does this want a Fixes tag? Or has this been busted like forever?

Re: [PATCH] x86/uprobes: Fix XOL allocation failure for 32-bit tasks

[Oleg Nesterov]

On 01/12, Peter Zijlstra wrote:
>
> On Sun, Jan 11, 2026 at 04:00:37PM +0100, Oleg Nesterov wrote:
> >
> > I think that the right fix should change the x86 get_unmapped_area() paths
> > to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if
> > CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case
> > because ->orig_ax = -1.
> >
> > But we need a simple fix for -stable, so this patch just sets TS_COMPAT if
> > the probed task is 32-bit to make in_ia32_syscall() true.
> >
> > Cc: stable@vger.kernel.org
> > Reported-by: Paulo Andrade <pandrade@redhat.com>
> > Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/
> > Signed-off-by: Oleg Nesterov <oleg@redhat.com>
>
> Does this want a Fixes tag? Or has this been busted like forever?

All I can say is that this problem is old enough.

I'll try to look into git history tomorrow, not sure I will find the right
commit to blame...

At first glance v3.10 (rhel-7) is fine, arch_get_unmapped_area_topdown() sets
.high_limit = mm->mmap_base and ->mmap_base is initialized by mmap_base()
which returns PAGE_ALIGN(TASK_SIZE - gap - rnd).

But v4.18 (rhel-8) is broken, arch/x86/kernel/sys_x86_64.c uses
in_compat_syscall().

Oleg.

Re: [PATCH] x86/uprobes: Fix XOL allocation failure for 32-bit tasks

[Oleg Nesterov]

On 01/12, Oleg Nesterov wrote:
>
> On 01/12, Peter Zijlstra wrote:
> >
> > On Sun, Jan 11, 2026 at 04:00:37PM +0100, Oleg Nesterov wrote:
> > >
> > > I think that the right fix should change the x86 get_unmapped_area() paths
> > > to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if
> > > CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case
> > > because ->orig_ax = -1.
> > >
> > > But we need a simple fix for -stable, so this patch just sets TS_COMPAT if
> > > the probed task is 32-bit to make in_ia32_syscall() true.
> > >
> > > Cc: stable@vger.kernel.org
> > > Reported-by: Paulo Andrade <pandrade@redhat.com>
> > > Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/
> > > Signed-off-by: Oleg Nesterov <oleg@redhat.com>
> >
> > Does this want a Fixes tag? Or has this been busted like forever?
>
> All I can say is that this problem is old enough.
>
> I'll try to look into git history tomorrow, not sure I will find the right
> commit to blame...
>
> At first glance v3.10 (rhel-7) is fine, arch_get_unmapped_area_topdown() sets
> .high_limit = mm->mmap_base and ->mmap_base is initialized by mmap_base()
> which returns PAGE_ALIGN(TASK_SIZE - gap - rnd).
>
> But v4.18 (rhel-8) is broken, arch/x86/kernel/sys_x86_64.c uses
> in_compat_syscall().

OK, I think we can blame the commit 1b028f784e8c
("86/mm: Introduce mmap_compat_base() for 32-bit mmap()")

Starting from this commit get_unmapped_area() assumes that it can
only be called from a syscall.

I think we need to revisit this logic, but can you take this
simple/backportable fix^Whack for -stable?

Oleg.
---

commit 1b028f784e8c341e762c264f70dc0ca1418c8b7a
Author: Dmitry Safonov <0x7f454c46@gmail.com>
Date:   Mon Mar 6 17:17:19 2017 +0300

    x86/mm: Introduce mmap_compat_base() for 32-bit mmap()

    mmap() uses a base address, from which it starts to look for a free space
    for allocation.

    The base address is stored in mm->mmap_base, which is calculated during
    exec(). The address depends on task's size, set rlimit for stack, ASLR
    randomization. The base depends on the task size and the number of random
    bits which are different for 64-bit and 32bit applications.

    Due to the fact, that the base address is fixed, its mmap() from a compat
    (32bit) syscall issued by a 64bit task will return a address which is based
    on the 64bit base address and does not fit into the 32bit address space
    (4GB). The returned pointer is truncated to 32bit, which results in an
    invalid address.

    To solve store a seperate compat address base plus a compat legacy address
    base in mm_struct. These bases are calculated at exec() time and can be
    used later to address the 32bit compat mmap() issued by 64 bit
    applications.

    As a consequence of this change 32-bit applications issuing a 64-bit
    syscall (after doing a long jump) will get a 64-bit mapping now. Before
    this change 32-bit applications always got a 32bit mapping.

    [ tglx: Massaged changelog and added a comment ]

    Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
    Cc: 0x7f454c46@gmail.com
    Cc: linux-mm@kvack.org
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Cyrill Gorcunov <gorcunov@openvz.org>
    Cc: Borislav Petkov <bp@suse.de>
    Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
    Link: http://lkml.kernel.org/r/20170306141721.9188-4-dsafonov@virtuozzo.com
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

diff --git a/arch/Kconfig b/arch/Kconfig
index cd211a14a88f..c4d6833aacd9 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -700,6 +700,13 @@ config ARCH_MMAP_RND_COMPAT_BITS
 	  This value can be changed after boot using the
 	  /proc/sys/vm/mmap_rnd_compat_bits tunable
 
+config HAVE_ARCH_COMPAT_MMAP_BASES
+	bool
+	help
+	  This allows 64bit applications to invoke 32-bit mmap() syscall
+	  and vice-versa 32-bit applications to call 64-bit mmap().
+	  Required for applications doing different bitness syscalls.
+
 config HAVE_COPY_THREAD_TLS
 	bool
 	help
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index cc98d5a294ee..2bab9d093b51 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -106,6 +106,7 @@ config X86
 	select HAVE_ARCH_KMEMCHECK
 	select HAVE_ARCH_MMAP_RND_BITS		if MMU
 	select HAVE_ARCH_MMAP_RND_COMPAT_BITS	if MMU && COMPAT
+	select HAVE_ARCH_COMPAT_MMAP_BASES	if MMU && COMPAT
 	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_ARCH_TRANSPARENT_HUGEPAGE
diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
index b908141cf0c4..ac5be5ba8527 100644
--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -303,6 +303,9 @@ static inline int mmap_is_ia32(void)
 		test_thread_flag(TIF_ADDR32));
 }
 
+extern unsigned long tasksize_32bit(void);
+extern unsigned long tasksize_64bit(void);
+
 #ifdef CONFIG_X86_32
 
 #define __STACK_RND_MASK(is32bit) (0x7ff)
diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
index 50215a4b9347..c54817baabc7 100644
--- a/arch/x86/kernel/sys_x86_64.c
+++ b/arch/x86/kernel/sys_x86_64.c
@@ -17,6 +17,8 @@
 #include <linux/uaccess.h>
 #include <linux/elf.h>
 
+#include <asm/elf.h>
+#include <asm/compat.h>
 #include <asm/ia32.h>
 #include <asm/syscalls.h>
 
@@ -98,6 +100,18 @@ SYSCALL_DEFINE6(mmap, unsigned long, addr, unsigned long, len,
 	return error;
 }
 
+static unsigned long get_mmap_base(int is_legacy)
+{
+	struct mm_struct *mm = current->mm;
+
+#ifdef CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES
+	if (in_compat_syscall())
+		return is_legacy ? mm->mmap_compat_legacy_base
+				 : mm->mmap_compat_base;
+#endif
+	return is_legacy ? mm->mmap_legacy_base : mm->mmap_base;
+}
+
 static void find_start_end(unsigned long flags, unsigned long *begin,
 			   unsigned long *end)
 {
@@ -114,10 +128,11 @@ static void find_start_end(unsigned long flags, unsigned long *begin,
 		if (current->flags & PF_RANDOMIZE) {
 			*begin = randomize_page(*begin, 0x02000000);
 		}
-	} else {
-		*begin = current->mm->mmap_legacy_base;
-		*end = TASK_SIZE;
+		return;
 	}
+
+	*begin	= get_mmap_base(1);
+	*end	= in_compat_syscall() ? tasksize_32bit() : tasksize_64bit();
 }
 
 unsigned long
@@ -191,7 +206,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
 	info.flags = VM_UNMAPPED_AREA_TOPDOWN;
 	info.length = len;
 	info.low_limit = PAGE_SIZE;
-	info.high_limit = mm->mmap_base;
+	info.high_limit = get_mmap_base(0);
 	info.align_mask = 0;
 	info.align_offset = pgoff << PAGE_SHIFT;
 	if (filp) {
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 1e9cb945dca1..529ab79800af 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -36,11 +36,16 @@ struct va_alignment __read_mostly va_align = {
 	.flags = -1,
 };
 
-static inline unsigned long tasksize_32bit(void)
+unsigned long tasksize_32bit(void)
 {
 	return IA32_PAGE_OFFSET;
 }
 
+unsigned long tasksize_64bit(void)
+{
+	return TASK_SIZE_MAX;
+}
+
 static unsigned long stack_maxrandom_size(unsigned long task_size)
 {
 	unsigned long max = 0;
@@ -81,6 +86,8 @@ static unsigned long arch_rnd(unsigned int rndbits)
 
 unsigned long arch_mmap_rnd(void)
 {
+	if (!(current->flags & PF_RANDOMIZE))
+		return 0;
 	return arch_rnd(mmap_is_ia32() ? mmap32_rnd_bits : mmap64_rnd_bits);
 }
 
@@ -114,22 +121,36 @@ static unsigned long mmap_legacy_base(unsigned long rnd,
  * This function, called very early during the creation of a new
  * process VM image, sets up which VM layout function to use:
  */
-void arch_pick_mmap_layout(struct mm_struct *mm)
+static void arch_pick_mmap_base(unsigned long *base, unsigned long *legacy_base,
+		unsigned long random_factor, unsigned long task_size)
 {
-	unsigned long random_factor = 0UL;
-
-	if (current->flags & PF_RANDOMIZE)
-		random_factor = arch_mmap_rnd();
-
-	mm->mmap_legacy_base = mmap_legacy_base(random_factor, TASK_SIZE);
+	*legacy_base = mmap_legacy_base(random_factor, task_size);
+	if (mmap_is_legacy())
+		*base = *legacy_base;
+	else
+		*base = mmap_base(random_factor, task_size);
+}
 
-	if (mmap_is_legacy()) {
-		mm->mmap_base = mm->mmap_legacy_base;
+void arch_pick_mmap_layout(struct mm_struct *mm)
+{
+	if (mmap_is_legacy())
 		mm->get_unmapped_area = arch_get_unmapped_area;
-	} else {
-		mm->mmap_base = mmap_base(random_factor, TASK_SIZE);
+	else
 		mm->get_unmapped_area = arch_get_unmapped_area_topdown;
-	}
+
+	arch_pick_mmap_base(&mm->mmap_base, &mm->mmap_legacy_base,
+			arch_rnd(mmap64_rnd_bits), tasksize_64bit());
+
+#ifdef CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES
+	/*
+	 * The mmap syscall mapping base decision depends solely on the
+	 * syscall type (64-bit or compat). This applies for 64bit
+	 * applications and 32bit applications. The 64bit syscall uses
+	 * mmap_base, the compat syscall uses mmap_compat_base.
+	 */
+	arch_pick_mmap_base(&mm->mmap_compat_base, &mm->mmap_compat_legacy_base,
+			arch_rnd(mmap32_rnd_bits), tasksize_32bit());
+#endif
 }
 
 const char *arch_vma_name(struct vm_area_struct *vma)
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index f60f45fe226f..45cdb27791a3 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -367,6 +367,11 @@ struct mm_struct {
 #endif
 	unsigned long mmap_base;		/* base of mmap area */
 	unsigned long mmap_legacy_base;         /* base of mmap area in bottom-up allocations */
+#ifdef CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES
+	/* Base adresses for compatible mmap() */
+	unsigned long mmap_compat_base;
+	unsigned long mmap_compat_legacy_base;
+#endif
 	unsigned long task_size;		/* size of task vm space */
 	unsigned long highest_vm_end;		/* highest vma end address */
 	pgd_t * pgd;

[tip: perf/core] x86/uprobes: Fix XOL allocation failure for 32-bit tasks

[tip-bot2 for Oleg Nesterov]

The following commit has been merged into the perf/core branch of tip:

Commit-ID:     69044a0cbfdcc6e788c8a1f8e050d108038461d6
Gitweb:        https://git.kernel.org/tip/69044a0cbfdcc6e788c8a1f8e050d108038461d6
Author:        Oleg Nesterov <oleg@redhat.com>
AuthorDate:    Sun, 11 Jan 2026 16:00:37 +01:00
Committer:     Peter Zijlstra <peterz@infradead.org>
CommitterDate: Thu, 15 Jan 2026 10:04:28 +01:00

x86/uprobes: Fix XOL allocation failure for 32-bit tasks

This script

	#!/usr/bin/bash

	echo 0 > /proc/sys/kernel/randomize_va_space

	echo 'void main(void) {}' > TEST.c

	# -fcf-protection to ensure that the 1st endbr32 insn can't be emulated
	gcc -m32 -fcf-protection=branch TEST.c -o test

	bpftrace -e 'uprobe:./test:main {}' -c ./test

"hangs", the probed ./test task enters an endless loop.

The problem is that with randomize_va_space == 0
get_unmapped_area(TASK_SIZE - PAGE_SIZE) called by xol_add_vma() can not
just return the "addr == TASK_SIZE - PAGE_SIZE" hint, this addr is used
by the stack vma.

arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into account and
in_32bit_syscall() is false, this leads to info.high_limit > TASK_SIZE.
vm_unmapped_area() happily returns the high address > TASK_SIZE and then
get_unmapped_area() returns -ENOMEM after the "if (addr > TASK_SIZE - len)"
check.

handle_swbp() doesn't report this failure (probably it should) and silently
restarts the probed insn. Endless loop.

I think that the right fix should change the x86 get_unmapped_area() paths
to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if
CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case
because ->orig_ax = -1.

But we need a simple fix for -stable, so this patch just sets TS_COMPAT if
the probed task is 32-bit to make in_ia32_syscall() true.

Fixes: 1b028f784e8c ("86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
Reported-by: Paulo Andrade <pandrade@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/aWO7Fdxn39piQnxu@redhat.com
---
 arch/x86/kernel/uprobes.c | 24 ++++++++++++++++++++++++
 include/linux/uprobes.h   |  1 +
 kernel/events/uprobes.c   | 10 +++++++---
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
index 7be8e36..2dbd2e0 100644
--- a/arch/x86/kernel/uprobes.c
+++ b/arch/x86/kernel/uprobes.c
@@ -1823,3 +1823,27 @@ bool is_uprobe_at_func_entry(struct pt_regs *regs)
 
 	return false;
 }
+
+#ifdef CONFIG_IA32_EMULATION
+unsigned long __weak arch_uprobe_get_xol_area(void)
+{
+	struct thread_info *ti = current_thread_info();
+	unsigned long vaddr;
+
+	/*
+	 * HACK: we are not in a syscall, but x86 get_unmapped_area() paths
+	 * ignore TIF_ADDR32 and rely on in_32bit_syscall() to calculate
+	 * vm_unmapped_area_info.high_limit.
+	 *
+	 * The #ifdef above doesn't cover the CONFIG_X86_X32_ABI=y case,
+	 * but in this case in_32bit_syscall() -> in_x32_syscall() always
+	 * (falsely) returns true because ->orig_ax == -1.
+	 */
+	if (test_thread_flag(TIF_ADDR32))
+		ti->status |= TS_COMPAT;
+	vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
+	ti->status &= ~TS_COMPAT;
+
+	return vaddr;
+}
+#endif
diff --git a/include/linux/uprobes.h b/include/linux/uprobes.h
index ee3d36e..f548fea 100644
--- a/include/linux/uprobes.h
+++ b/include/linux/uprobes.h
@@ -242,6 +242,7 @@ extern void arch_uprobe_clear_state(struct mm_struct *mm);
 extern void arch_uprobe_init_state(struct mm_struct *mm);
 extern void handle_syscall_uprobe(struct pt_regs *regs, unsigned long bp_vaddr);
 extern void arch_uprobe_optimize(struct arch_uprobe *auprobe, unsigned long vaddr);
+extern unsigned long arch_uprobe_get_xol_area(void);
 #else /* !CONFIG_UPROBES */
 struct uprobes_state {
 };
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index a7d7d83..dfbce02 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1694,6 +1694,12 @@ static const struct vm_special_mapping xol_mapping = {
 	.mremap = xol_mremap,
 };
 
+unsigned long __weak arch_uprobe_get_xol_area(void)
+{
+	/* Try to map as high as possible, this is only a hint. */
+	return get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
+}
+
 /* Slot allocation for XOL */
 static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
 {
@@ -1709,9 +1715,7 @@ static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
 	}
 
 	if (!area->vaddr) {
-		/* Try to map as high as possible, this is only a hint. */
-		area->vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE,
-						PAGE_SIZE, 0, 0);
+		area->vaddr = arch_uprobe_get_xol_area();
 		if (IS_ERR_VALUE(area->vaddr)) {
 			ret = area->vaddr;
 			goto fail;

Re: [tip: perf/core] x86/uprobes: Fix XOL allocation failure for 32-bit tasks

[Oleg Nesterov]

On 01/15, tip-bot2 for Oleg Nesterov wrote:
>
> The following commit has been merged into the perf/core branch of tip:

Damn!

thanks Peter, but...

> --- a/arch/x86/kernel/uprobes.c
> +++ b/arch/x86/kernel/uprobes.c
> @@ -1823,3 +1823,27 @@ bool is_uprobe_at_func_entry(struct pt_regs *regs)
>
>  	return false;
>  }
> +
> +#ifdef CONFIG_IA32_EMULATION
> +unsigned long __weak arch_uprobe_get_xol_area(void)

Oh, but x86 version should not be __weak. Copy-and-paste error, sorry :/

What do you want me to do now,

	- send V2 ?

	- send another s/__weak// patch on top of this hack?

	- or perhaps you can fix this yourself?

Oleg.

Re: [tip: perf/core] x86/uprobes: Fix XOL allocation failure for 32-bit tasks

[Peter Zijlstra]

On Fri, Jan 16, 2026 at 11:00:23AM +0100, Oleg Nesterov wrote:
> On 01/15, tip-bot2 for Oleg Nesterov wrote:
> >
> > The following commit has been merged into the perf/core branch of tip:
> 
> Damn!
> 
> thanks Peter, but...
> 
> > --- a/arch/x86/kernel/uprobes.c
> > +++ b/arch/x86/kernel/uprobes.c
> > @@ -1823,3 +1823,27 @@ bool is_uprobe_at_func_entry(struct pt_regs *regs)
> >
> >  	return false;
> >  }
> > +
> > +#ifdef CONFIG_IA32_EMULATION
> > +unsigned long __weak arch_uprobe_get_xol_area(void)
> 
> Oh, but x86 version should not be __weak. Copy-and-paste error, sorry :/
> 
> What do you want me to do now,
> 
> 	- send V2 ?
> 
> 	- send another s/__weak// patch on top of this hack?
> 
> 	- or perhaps you can fix this yourself?

I'll have to rebase anyway, might as well fix it directly.

Thanks!

[tip: perf/core] x86/uprobes: Fix XOL allocation failure for 32-bit tasks

[tip-bot2 for Oleg Nesterov]

The following commit has been merged into the perf/core branch of tip:

Commit-ID:     40bb50531482258bf410d84fa4ecb944e02b887b
Gitweb:        https://git.kernel.org/tip/40bb50531482258bf410d84fa4ecb944e02b887b
Author:        Oleg Nesterov <oleg@redhat.com>
AuthorDate:    Sun, 11 Jan 2026 16:00:37 +01:00
Committer:     Peter Zijlstra <peterz@infradead.org>
CommitterDate: Fri, 16 Jan 2026 11:46:25 +01:00

x86/uprobes: Fix XOL allocation failure for 32-bit tasks

This script

	#!/usr/bin/bash

	echo 0 > /proc/sys/kernel/randomize_va_space

	echo 'void main(void) {}' > TEST.c

	# -fcf-protection to ensure that the 1st endbr32 insn can't be emulated
	gcc -m32 -fcf-protection=branch TEST.c -o test

	bpftrace -e 'uprobe:./test:main {}' -c ./test

"hangs", the probed ./test task enters an endless loop.

The problem is that with randomize_va_space == 0
get_unmapped_area(TASK_SIZE - PAGE_SIZE) called by xol_add_vma() can not
just return the "addr == TASK_SIZE - PAGE_SIZE" hint, this addr is used
by the stack vma.

arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into account and
in_32bit_syscall() is false, this leads to info.high_limit > TASK_SIZE.
vm_unmapped_area() happily returns the high address > TASK_SIZE and then
get_unmapped_area() returns -ENOMEM after the "if (addr > TASK_SIZE - len)"
check.

handle_swbp() doesn't report this failure (probably it should) and silently
restarts the probed insn. Endless loop.

I think that the right fix should change the x86 get_unmapped_area() paths
to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if
CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case
because ->orig_ax = -1.

But we need a simple fix for -stable, so this patch just sets TS_COMPAT if
the probed task is 32-bit to make in_ia32_syscall() true.

Fixes: 1b028f784e8c ("86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
Reported-by: Paulo Andrade <pandrade@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/aWO7Fdxn39piQnxu@redhat.com
---
 arch/x86/kernel/uprobes.c | 24 ++++++++++++++++++++++++
 include/linux/uprobes.h   |  1 +
 kernel/events/uprobes.c   | 10 +++++++---
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
index 7be8e36..619dddf 100644
--- a/arch/x86/kernel/uprobes.c
+++ b/arch/x86/kernel/uprobes.c
@@ -1823,3 +1823,27 @@ bool is_uprobe_at_func_entry(struct pt_regs *regs)
 
 	return false;
 }
+
+#ifdef CONFIG_IA32_EMULATION
+unsigned long arch_uprobe_get_xol_area(void)
+{
+	struct thread_info *ti = current_thread_info();
+	unsigned long vaddr;
+
+	/*
+	 * HACK: we are not in a syscall, but x86 get_unmapped_area() paths
+	 * ignore TIF_ADDR32 and rely on in_32bit_syscall() to calculate
+	 * vm_unmapped_area_info.high_limit.
+	 *
+	 * The #ifdef above doesn't cover the CONFIG_X86_X32_ABI=y case,
+	 * but in this case in_32bit_syscall() -> in_x32_syscall() always
+	 * (falsely) returns true because ->orig_ax == -1.
+	 */
+	if (test_thread_flag(TIF_ADDR32))
+		ti->status |= TS_COMPAT;
+	vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
+	ti->status &= ~TS_COMPAT;
+
+	return vaddr;
+}
+#endif
diff --git a/include/linux/uprobes.h b/include/linux/uprobes.h
index ee3d36e..f548fea 100644
--- a/include/linux/uprobes.h
+++ b/include/linux/uprobes.h
@@ -242,6 +242,7 @@ extern void arch_uprobe_clear_state(struct mm_struct *mm);
 extern void arch_uprobe_init_state(struct mm_struct *mm);
 extern void handle_syscall_uprobe(struct pt_regs *regs, unsigned long bp_vaddr);
 extern void arch_uprobe_optimize(struct arch_uprobe *auprobe, unsigned long vaddr);
+extern unsigned long arch_uprobe_get_xol_area(void);
 #else /* !CONFIG_UPROBES */
 struct uprobes_state {
 };
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index a7d7d83..dfbce02 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1694,6 +1694,12 @@ static const struct vm_special_mapping xol_mapping = {
 	.mremap = xol_mremap,
 };
 
+unsigned long __weak arch_uprobe_get_xol_area(void)
+{
+	/* Try to map as high as possible, this is only a hint. */
+	return get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
+}
+
 /* Slot allocation for XOL */
 static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
 {
@@ -1709,9 +1715,7 @@ static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
 	}
 
 	if (!area->vaddr) {
-		/* Try to map as high as possible, this is only a hint. */
-		area->vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE,
-						PAGE_SIZE, 0, 0);
+		area->vaddr = arch_uprobe_get_xol_area();
 		if (IS_ERR_VALUE(area->vaddr)) {
 			ret = area->vaddr;
 			goto fail;

[tip: perf/core] x86/uprobes: Fix XOL allocation failure for 32-bit tasks

[tip-bot2 for Oleg Nesterov]

The following commit has been merged into the perf/core branch of tip:

Commit-ID:     d55c571e4333fac71826e8db3b9753fadfbead6a
Gitweb:        https://git.kernel.org/tip/d55c571e4333fac71826e8db3b9753fadfbead6a
Author:        Oleg Nesterov <oleg@redhat.com>
AuthorDate:    Sun, 11 Jan 2026 16:00:37 +01:00
Committer:     Peter Zijlstra <peterz@infradead.org>
CommitterDate: Fri, 16 Jan 2026 16:23:54 +01:00

x86/uprobes: Fix XOL allocation failure for 32-bit tasks

This script

	#!/usr/bin/bash

	echo 0 > /proc/sys/kernel/randomize_va_space

	echo 'void main(void) {}' > TEST.c

	# -fcf-protection to ensure that the 1st endbr32 insn can't be emulated
	gcc -m32 -fcf-protection=branch TEST.c -o test

	bpftrace -e 'uprobe:./test:main {}' -c ./test

"hangs", the probed ./test task enters an endless loop.

The problem is that with randomize_va_space == 0
get_unmapped_area(TASK_SIZE - PAGE_SIZE) called by xol_add_vma() can not
just return the "addr == TASK_SIZE - PAGE_SIZE" hint, this addr is used
by the stack vma.

arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into account and
in_32bit_syscall() is false, this leads to info.high_limit > TASK_SIZE.
vm_unmapped_area() happily returns the high address > TASK_SIZE and then
get_unmapped_area() returns -ENOMEM after the "if (addr > TASK_SIZE - len)"
check.

handle_swbp() doesn't report this failure (probably it should) and silently
restarts the probed insn. Endless loop.

I think that the right fix should change the x86 get_unmapped_area() paths
to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if
CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case
because ->orig_ax = -1.

But we need a simple fix for -stable, so this patch just sets TS_COMPAT if
the probed task is 32-bit to make in_ia32_syscall() true.

Fixes: 1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
Reported-by: Paulo Andrade <pandrade@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/aWO7Fdxn39piQnxu@redhat.com
---
 arch/x86/kernel/uprobes.c | 24 ++++++++++++++++++++++++
 include/linux/uprobes.h   |  1 +
 kernel/events/uprobes.c   | 10 +++++++---
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
index 7be8e36..619dddf 100644
--- a/arch/x86/kernel/uprobes.c
+++ b/arch/x86/kernel/uprobes.c
@@ -1823,3 +1823,27 @@ bool is_uprobe_at_func_entry(struct pt_regs *regs)
 
 	return false;
 }
+
+#ifdef CONFIG_IA32_EMULATION
+unsigned long arch_uprobe_get_xol_area(void)
+{
+	struct thread_info *ti = current_thread_info();
+	unsigned long vaddr;
+
+	/*
+	 * HACK: we are not in a syscall, but x86 get_unmapped_area() paths
+	 * ignore TIF_ADDR32 and rely on in_32bit_syscall() to calculate
+	 * vm_unmapped_area_info.high_limit.
+	 *
+	 * The #ifdef above doesn't cover the CONFIG_X86_X32_ABI=y case,
+	 * but in this case in_32bit_syscall() -> in_x32_syscall() always
+	 * (falsely) returns true because ->orig_ax == -1.
+	 */
+	if (test_thread_flag(TIF_ADDR32))
+		ti->status |= TS_COMPAT;
+	vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
+	ti->status &= ~TS_COMPAT;
+
+	return vaddr;
+}
+#endif
diff --git a/include/linux/uprobes.h b/include/linux/uprobes.h
index ee3d36e..f548fea 100644
--- a/include/linux/uprobes.h
+++ b/include/linux/uprobes.h
@@ -242,6 +242,7 @@ extern void arch_uprobe_clear_state(struct mm_struct *mm);
 extern void arch_uprobe_init_state(struct mm_struct *mm);
 extern void handle_syscall_uprobe(struct pt_regs *regs, unsigned long bp_vaddr);
 extern void arch_uprobe_optimize(struct arch_uprobe *auprobe, unsigned long vaddr);
+extern unsigned long arch_uprobe_get_xol_area(void);
 #else /* !CONFIG_UPROBES */
 struct uprobes_state {
 };
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index a7d7d83..dfbce02 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1694,6 +1694,12 @@ static const struct vm_special_mapping xol_mapping = {
 	.mremap = xol_mremap,
 };
 
+unsigned long __weak arch_uprobe_get_xol_area(void)
+{
+	/* Try to map as high as possible, this is only a hint. */
+	return get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
+}
+
 /* Slot allocation for XOL */
 static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
 {
@@ -1709,9 +1715,7 @@ static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
 	}
 
 	if (!area->vaddr) {
-		/* Try to map as high as possible, this is only a hint. */
-		area->vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE,
-						PAGE_SIZE, 0, 0);
+		area->vaddr = arch_uprobe_get_xol_area();
 		if (IS_ERR_VALUE(area->vaddr)) {
 			ret = area->vaddr;
 			goto fail;