From: Willy Tarreau <w@1wt.eu>
To: Michal Hocko <mhocko@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Ben Hutchings <ben@decadent.org.uk>,
Hugh Dickins <hughd@google.com>, Oleg Nesterov <oleg@redhat.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
Rik van Riel <riel@redhat.com>,
Larry Woodman <lwoodman@redhat.com>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
Tony Luck <tony.luck@intel.com>,
"James E.J. Bottomley" <jejb@parisc-linux.org>,
Helge Diller <deller@gmx.de>,
James Hogan <james.hogan@imgtec.com>,
Laura Abbott <labbott@redhat.com>, Greg KH <greg@kroah.com>,
"security@kernel.org" <security@kernel.org>,
linux-distros@vs.openwall.org,
Qualys Security Advisory <qsa@qualys.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] mm: larger stack guard gap, between vmas
Date: Tue, 4 Jul 2017 11:47:28 +0200 [thread overview]
Message-ID: <20170704094728.GB22013@1wt.eu> (raw)
In-Reply-To: <20170704093538.GF14722@dhcp22.suse.cz>
On Tue, Jul 04, 2017 at 11:35:38AM +0200, Michal Hocko wrote:
> On Tue 04-07-17 10:41:22, Michal Hocko wrote:
> > On Mon 03-07-17 17:05:27, Linus Torvalds wrote:
> > > On Mon, Jul 3, 2017 at 4:55 PM, Ben Hutchings <ben@decadent.org.uk> wrote:
> > > >
> > > > Firstly, some Rust programs are crashing on ppc64el with 64 KiB pages.
> > > > Apparently Rust maps its own guard page at the lower limit of the stack
> > > > (determined using pthread_getattr_np() and pthread_attr_getstack()). I
> > > > don't think this ever actually worked for the main thread stack, but it
> > > > now also blocks expansion as the default stack size of 8 MiB is smaller
> > > > than the stack gap of 16 MiB. Would it make sense to skip over
> > > > PROT_NONE mappings when checking whether it's safe to expand?
> >
> > This is what my workaround for the older patch was doing, actually. We
> > have deployed that as a follow up fix on our older code bases. And this
> > has fixed verious issues with Java which was doing the similar thing.
>
> Here is a forward port (on top of the current Linus tree) of my earlier
> patch. I have dropped a note about java stack trace because this would
> most likely be not the case with the Hugh's patch. The problem is the
> same in principle though. Note I didn't get to test this properly yet
> but it should be pretty much obvious.
> ---
> >From d9f6faccf2c286ed81fbc860c9b0b7fe23ef0836 Mon Sep 17 00:00:00 2001
> From: Michal Hocko <mhocko@suse.com>
> Date: Tue, 4 Jul 2017 11:27:39 +0200
> Subject: [PATCH] mm: mm, mmap: do not blow on PROT_NONE MAP_FIXED holes in the
> stack
>
> "mm: enlarge stack guard gap" has introduced a regression in some rust
> and Java environments which are trying to implement their own stack
> guard page. They are punching a new MAP_FIXED mapping inside the
> existing stack Vma.
>
> This will confuse expand_{downwards,upwards} into thinking that the stack
> expansion would in fact get us too close to an existing non-stack vma
> which is a correct behavior wrt. safety. It is a real regression on
> the other hand. Let's work around the problem by considering PROT_NONE
> mapping as a part of the stack. This is a gros hack but overflowing to
> such a mapping would trap anyway an we only can hope that usespace
> knows what it is doing and handle it propely.
>
> Fixes: d4d2d35e6ef9 ("mm: larger stack guard gap, between vmas")
> Debugged-by: Vlastimil Babka <vbabka@suse.cz>
> Signed-off-by: Michal Hocko <mhocko@suse.com>
> ---
> mm/mmap.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/mm/mmap.c b/mm/mmap.c
> index f60a8bc2869c..2e996cbf4ff3 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -2244,7 +2244,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
> gap_addr = TASK_SIZE;
>
> next = vma->vm_next;
> - if (next && next->vm_start < gap_addr) {
> + if (next && next->vm_start < gap_addr &&
> + (next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
> if (!(next->vm_flags & VM_GROWSUP))
> return -ENOMEM;
> /* Check that both stack segments have the same anon_vma? */
> @@ -2325,7 +2326,8 @@ int expand_downwards(struct vm_area_struct *vma,
> /* Enforce stack_guard_gap */
> prev = vma->vm_prev;
> /* Check that both stack segments have the same anon_vma? */
> - if (prev && !(prev->vm_flags & VM_GROWSDOWN)) {
> + if (prev && !(prev->vm_flags & VM_GROWSDOWN) &&
> + (prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
> if (address - prev->vm_end < stack_guard_gap)
> return -ENOMEM;
> }
But wouldn't this completely disable the check in case such a guard page
is installed, and possibly continue to allow the collision when the stack
allocation is large enough to skip this guard page ? Shouldn't we instead
"skip" such a vma and look for the next one ?
I was thinking about something more like :
prev = vma->vm_prev;
+ /* Don't consider a possible user-space stack guard page */
+ if (prev && !(prev->vm_flags & VM_GROWSDOWN) &&
+ !(prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC)))
+ prev = prev->vm_prev;
+
/* Check that both stack segments have the same anon_vma? */
Willy
next prev parent reply other threads:[~2017-07-04 9:48 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.LSU.2.11.1706190355140.2626@eggly.anvils>
2017-06-22 12:30 ` [PATCH] mm: larger stack guard gap, between vmas Ben Hutchings
2017-06-22 12:46 ` Willy Tarreau
2017-06-22 12:58 ` Ben Hutchings
2017-06-22 13:10 ` Willy Tarreau
2017-06-22 13:28 ` Willy Tarreau
2017-06-22 13:15 ` [vs-plain] " Levente Polyak
2017-06-22 13:59 ` Willy Tarreau
2017-06-22 14:14 ` Ben Hutchings
2017-06-22 14:34 ` Willy Tarreau
2017-06-23 3:10 ` Andy Lutomirski
2017-06-23 4:42 ` Linus Torvalds
2017-06-22 21:23 ` Helge Deller
2017-06-23 4:35 ` Hugh Dickins
2017-06-24 9:11 ` Hugh Dickins
2017-06-24 18:29 ` Ben Hutchings
[not found] ` <CA+55aFx6j4na3BVRC2aQuf-kNp1jzGahN8To_SFpNu+H=gopJA@mail.gmail.com>
[not found] ` <20170619142358.GA32654@1wt.eu>
[not found] ` <1498009101.2655.6.camel@decadent.org.uk>
[not found] ` <20170621092419.GA22051@dhcp22.suse.cz>
[not found] ` <1498042057.2655.8.camel@decadent.org.uk>
2017-07-03 23:55 ` Ben Hutchings
2017-07-04 0:05 ` Linus Torvalds
2017-07-04 8:41 ` Michal Hocko
2017-07-04 9:35 ` Michal Hocko
2017-07-04 9:47 ` Willy Tarreau [this message]
2017-07-04 10:42 ` Michal Hocko
2017-07-04 11:36 ` Ben Hutchings
2017-07-04 12:00 ` Michal Hocko
2017-07-04 12:11 ` Michal Hocko
2017-07-04 12:21 ` Ben Hutchings
2017-07-04 12:33 ` Michal Hocko
2017-07-04 14:19 ` Ximin Luo
2017-07-04 14:48 ` Michal Hocko
2017-07-04 15:51 ` Willy Tarreau
2017-07-04 17:22 ` Michal Hocko
2017-07-04 18:37 ` Linus Torvalds
2017-07-04 18:39 ` Willy Tarreau
2017-07-04 18:47 ` Linus Torvalds
2017-07-04 19:03 ` Willy Tarreau
2017-07-04 16:18 ` Linus Torvalds
2017-07-04 16:27 ` John Haxby
2017-07-04 17:02 ` Willy Tarreau
2017-07-05 12:26 ` Ben Hutchings
2017-07-04 17:11 ` Willy Tarreau
2017-07-05 12:25 ` Ben Hutchings
2017-07-04 23:01 ` Ben Hutchings
2017-07-04 23:31 ` Linus Torvalds
2017-07-05 6:36 ` Michal Hocko
2017-07-05 8:14 ` Willy Tarreau
2017-07-05 8:24 ` Michal Hocko
2017-07-05 9:15 ` Willy Tarreau
2017-07-05 12:21 ` Ben Hutchings
2017-07-05 13:52 ` Willy Tarreau
2017-07-05 14:19 ` Michal Hocko
2017-07-05 16:06 ` Linus Torvalds
2017-07-06 7:34 ` Michal Hocko
2017-07-05 12:19 ` Ben Hutchings
2017-07-05 14:23 ` Michal Hocko
2017-07-05 15:25 ` Ben Hutchings
2017-07-05 15:59 ` Michal Hocko
2017-07-05 16:58 ` Ben Hutchings
2017-07-05 17:05 ` Michal Hocko
2017-07-05 17:24 ` Ben Hutchings
2017-07-05 17:15 ` Linus Torvalds
2017-07-05 23:35 ` Ben Hutchings
2017-07-05 23:51 ` Linus Torvalds
2017-07-06 8:24 ` Willy Tarreau
2017-07-06 10:11 ` Willy Tarreau
2017-07-10 2:40 ` [lkp-robot] [mm] a99d848d3b: kernel_BUG_at_mm/mmap.c kernel test robot
2017-07-05 16:15 ` [PATCH] mm: larger stack guard gap, between vmas Andy Lutomirski
2017-07-05 16:20 ` Linus Torvalds
2017-07-05 17:23 ` Andy Lutomirski
2017-07-05 19:32 ` Ben Hutchings
2017-07-05 20:40 ` Willy Tarreau
2017-07-05 20:53 ` Andy Lutomirski
2017-07-05 23:50 ` Ben Hutchings
2017-07-06 0:23 ` Andy Lutomirski
2017-07-05 23:50 ` Kees Cook
2017-07-05 23:55 ` Linus Torvalds
2017-07-06 0:31 ` Andy Lutomirski
2017-07-06 0:47 ` Linus Torvalds
2017-07-06 0:19 ` Andy Lutomirski
2017-07-06 2:45 ` Kees Cook
2017-07-06 5:23 ` Willy Tarreau
2017-07-06 5:33 ` Kevin Easton
2017-07-05 16:17 ` Linus Torvalds
2017-07-05 18:59 ` Willy Tarreau
2017-07-05 19:17 ` Linus Torvalds
2017-07-05 19:18 ` Willy Tarreau
2017-07-05 19:21 ` Linus Torvalds
2017-07-05 1:16 ` [vs-plain] " kseifried
2017-07-05 14:11 ` Solar Designer
2017-07-04 10:46 ` Michal Hocko
2017-07-04 10:51 ` Michal Hocko
2017-07-04 0:27 ` Andy Lutomirski
2017-07-04 12:26 ` [vs-plain] " John Haxby
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170704094728.GB22013@1wt.eu \
--to=w@1wt.eu \
--cc=Jason@zx2c4.com \
--cc=ben@decadent.org.uk \
--cc=deller@gmx.de \
--cc=greg@kroah.com \
--cc=hughd@google.com \
--cc=james.hogan@imgtec.com \
--cc=jejb@parisc-linux.org \
--cc=kirill@shutemov.name \
--cc=labbott@redhat.com \
--cc=linux-distros@vs.openwall.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lwoodman@redhat.com \
--cc=mhocko@kernel.org \
--cc=oleg@redhat.com \
--cc=qsa@qualys.com \
--cc=riel@redhat.com \
--cc=security@kernel.org \
--cc=tony.luck@intel.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox