linux/include
Oleg Nesterov d55c571e43 x86/uprobes: Fix XOL allocation failure for 32-bit tasks
This script

	#!/usr/bin/bash

	echo 0 > /proc/sys/kernel/randomize_va_space

	echo 'void main(void) {}' > TEST.c

	# -fcf-protection to ensure that the 1st endbr32 insn can't be emulated
	gcc -m32 -fcf-protection=branch TEST.c -o test

	bpftrace -e 'uprobe:./test:main {}' -c ./test

"hangs", the probed ./test task enters an endless loop.

The problem is that with randomize_va_space == 0,
get_unmapped_area(TASK_SIZE - PAGE_SIZE) called by xol_add_vma() cannot
just return the "addr == TASK_SIZE - PAGE_SIZE" hint; this addr is used
by the stack vma.

arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into account and
in_32bit_syscall() is false; this leads to info.high_limit > TASK_SIZE.
vm_unmapped_area() happily returns the high address > TASK_SIZE and then
get_unmapped_area() returns -ENOMEM after the "if (addr > TASK_SIZE - len)"
check.

handle_swbp() doesn't report this failure (probably it should) and silently
restarts the probed insn. Endless loop.

I think that the right fix should change the x86 get_unmapped_area() paths
to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if
CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case
because ->orig_ax = -1.

But we need a simple fix for -stable, so this patch just sets TS_COMPAT if
the probed task is 32-bit to make in_ia32_syscall() true.

Fixes: 1b028f784e ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
Reported-by: Paulo Andrade <pandrade@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/aWO7Fdxn39piQnxu@redhat.com
2026-01-16 16:23:54 +01:00
acpi Revert "ACPI: processor: idle: Optimize ACPI idle driver registration" 2025-11-25 16:08:06 +01:00
asm-generic perf: Use EXPORT_SYMBOL_FOR_KVM() for the mediated APIs 2025-12-19 08:54:59 +01:00
clocksource
crypto This update includes the following changes: 2025-12-03 11:28:38 -08:00
cxl
drm Cross-subsystem Changes: 2025-12-05 10:16:25 +10:00
dt-bindings This pull request is entirely SoC clk drivers, not for lack of trying to modify 2025-12-08 09:38:52 +09:00
hyperv mshv: Add definitions for MSHV sleep state configuration 2025-12-05 23:24:57 +00:00
keys
kunit
kvm KVM: arm64: GICv2: Handle deactivation via GICV_DIR traps 2025-11-24 14:29:14 -08:00
linux x86/uprobes: Fix XOL allocation failure for 32-bit tasks 2026-01-16 16:23:54 +01:00
math-emu
media
memory
misc
net - fix a bug with O_APPEND in cached mode causing data to be written multiple times on server 2025-12-07 08:29:09 -08:00
pcmcia
ras Significant patch series in this merge are as follows: 2025-12-05 13:52:43 -08:00
rdma
rv rv: Fix compilation if !CONFIG_RV_REACTORS 2025-12-02 12:33:37 -05:00
scsi
soc This pull request is entirely SoC clk drivers, not for lack of trying to modify 2025-12-08 09:38:52 +09:00
sound soundwire updates for 6.19 2025-12-13 16:26:55 +12:00
target
trace We have a patch that adds an initial set of tracepoints to the MDS 2025-12-14 15:24:10 +12:00
uapi perf/x86/intel: Add support for PEBS memory auxiliary info field in DMR 2026-01-15 10:04:26 +01:00
ufs
vdso
video
xen
Kbuild