| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240925210615.2572360-6-arnd@kernel.org>
Date: Wed, 25 Sep 2024 21:06:15 +0000
From: Arnd Bergmann <arnd@...nel.org>
To: linux-mm@...ck.org
Cc: Arnd Bergmann <arnd@...db.de>,
"Jason A. Donenfeld" <Jason@...c4.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Alexandre Torgue <alexandre.torgue@...s.st.com>,
Andreas Larsson <andreas@...sler.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Ard Biesheuvel <ardb@...nel.org>,
Christian Brauner <brauner@...nel.org>,
Christoph Hellwig <hch@....de>,
Christophe Leroy <christophe.leroy@...roup.eu>,
Damien Le Moal <dlemoal@...nel.org>,
David Hildenbrand <david@...hat.com>,
Greg Ungerer <gerg@...ux-m68k.org>,
Helge Deller <deller@....de>,
Kees Cook <kees@...nel.org>,
"Liam R . Howlett" <Liam.Howlett@...cle.com>,
Lorenzo Stoakes <lorenzo.stoakes@...cle.com>,
Matt Turner <mattst88@...il.com>,
Max Filippov <jcmvbkbc@...il.com>,
Michael Ellerman <mpe@...erman.id.au>,
Michal Hocko <mhocko@...e.com>,
Nicholas Piggin <npiggin@...il.com>,
Richard Henderson <richard.henderson@...aro.org>,
Thomas Bogendoerfer <tsbogend@...ha.franken.de>,
Vladimir Murzin <vladimir.murzin@....com>,
Vlastimil Babka <vbabka@...e.cz>,
linux-stm32@...md-mailman.stormreply.com,
linux-kernel@...r.kernel.org,
linux-mips@...r.kernel.org,
linux-parisc@...r.kernel.org,
linuxppc-dev@...ts.ozlabs.org,
linux-arch@...r.kernel.org
Subject: [PATCH 5/5] [RFC] mm: Remove MAP_UNINITIALIZED support
From: Arnd Bergmann <arnd@...db.de>
MAP_UNINITIALIZED was added back in 2009 for NOMMU kernels, specifically
for blackfin, which is long gone. MAP_HUGE_SHIFT/MAP_HUGE_MASK were
added in 2012 for architectures supporting hugepages, which at the time
did not overlap with the ones supporting NOMMU.
Adding the macro under an #ifdef was obviously a mistake, which
Christoph Hellwig tried to address by making it unconditionally defined
to 0x4000000 as part of the series to support RISC-V NOMMU kernels. At
this point linux/mman.h contained two conflicting definitions for bit 26,
though the two are still mutually exclusive at runtime in all supported
configurations.
According to the commit 854e9ed09ded ("mm: support madvise(MADV_FREE)")
description, it was previously used internally by facebook, which
would have resulted in MAP_HUGE_1MB turning into MAP_HUGE_2MB
with MAP_UNINITIALIZED enabled, and every other page size implying
MAP_UNINITIALIZED. I assume there are no remaining out of tree users
on MMU-enabled kernels today.
I do not see any sensible way to redefine the macros for the ABI in
a way avoids breaking something. The only ideas so far are:
- do nothing, try to document the bug, hope for the best
- remove the kernel implementation and redefine MAP_UNINITIALIZED to
zero in the header to silently turn it off for everyone. There are
few NOMMU users left, and the ones that do use NOMMU usually turn
off MMAP_ALLOW_UNINITIALIZED, as it still has the potential to cause
bugs and even security issues on systems with a memory protection
unit.
- remove both the implementation and the macro to force a build
failure for anyone trying to use the feature. This way we can
see who complains and whether we need to put it back in some
form or change the userspace sources to no longer pass the flag.
Implement the third option here for the sake of discussion.
Link: https://git.uclibc.org/uClibc/commit/libc/stdlib/malloc/malloc.c?id=00673f93826bf1f
Link: https://lore.kernel.org/lkml/20190610221621.10938-4-hch@lst.de/
Link: https://lore.kernel.org/lkml/1352157848-29473-1-git-send-email-andi@firstfloor.org/
Link: https://lore.kernel.org/lkml/1448865583-2446-2-git-send-email-minchan@kernel.org/
Cc: Christoph Hellwig <hch@....de>
Cc: Damien Le Moal <dlemoal@...nel.org>
Cc: Alexandre Torgue <alexandre.torgue@...s.st.com>
Cc: linux-stm32@...md-mailman.stormreply.com
Cc: Greg Ungerer <gerg@...ux-m68k.org>
Cc: Vladimir Murzin <vladimir.murzin@....com>
Cc: Max Filippov <jcmvbkbc@...il.com>
Signed-off-by: Arnd Bergmann <arnd@...db.de>
---
Documentation/admin-guide/mm/nommu-mmap.rst | 10 ++--------
arch/alpha/include/uapi/asm/mman.h | 2 --
arch/mips/include/uapi/asm/mman.h | 2 --
arch/parisc/include/uapi/asm/mman.h | 2 --
arch/powerpc/include/uapi/asm/mman.h | 5 -----
arch/sh/configs/rsk7264_defconfig | 1 -
arch/sparc/include/uapi/asm/mman.h | 3 ---
arch/xtensa/include/uapi/asm/mman.h | 3 ---
fs/binfmt_elf_fdpic.c | 3 +--
include/linux/mman.h | 4 ----
include/uapi/asm-generic/mman.h | 4 ----
mm/Kconfig | 22 ---------------------
mm/nommu.c | 4 +---
13 files changed, 4 insertions(+), 61 deletions(-)
diff --git a/Documentation/admin-guide/mm/nommu-mmap.rst b/Documentation/admin-guide/mm/nommu-mmap.rst
index 530fed08de2c..9434c2fa99ae 100644
--- a/Documentation/admin-guide/mm/nommu-mmap.rst
+++ b/Documentation/admin-guide/mm/nommu-mmap.rst
@@ -135,14 +135,8 @@ Further notes on no-MMU MMAP
significant delays during a userspace malloc() as the C library does an
anonymous mapping and the kernel then does a memset for the entire map.
- However, for memory that isn't required to be precleared - such as that
- returned by malloc() - mmap() can take a MAP_UNINITIALIZED flag to
- indicate to the kernel that it shouldn't bother clearing the memory before
- returning it. Note that CONFIG_MMAP_ALLOW_UNINITIALIZED must be enabled
- to permit this, otherwise the flag will be ignored.
-
- uClibc uses this to speed up malloc(), and the ELF-FDPIC binfmt uses this
- to allocate the brk and stack region.
+ Previously, Linux also supported a MAP_UNINITIALIZED flag to allocate
+ memory without clearing it, this is no longer support.
(#) A list of all the private copy and anonymous mappings on the system is
visible through /proc/maps in no-MMU mode.
diff --git a/arch/alpha/include/uapi/asm/mman.h b/arch/alpha/include/uapi/asm/mman.h
index fc8b74aa3f89..1099b17a4003 100644
--- a/arch/alpha/include/uapi/asm/mman.h
+++ b/arch/alpha/include/uapi/asm/mman.h
@@ -21,8 +21,6 @@
/* MAP_SYNC not supported */
#define MAP_FIXED_NOREPLACE 0x200000/* MAP_FIXED which doesn't unmap underlying mapping */
-/* MAP_UNINITIALIZED not supported */
-
/*
* Flags for mlockall
*/
diff --git a/arch/mips/include/uapi/asm/mman.h b/arch/mips/include/uapi/asm/mman.h
index 6deb62db90de..9463c9071268 100644
--- a/arch/mips/include/uapi/asm/mman.h
+++ b/arch/mips/include/uapi/asm/mman.h
@@ -31,8 +31,6 @@
/* MAP_SYNC not supported */
#define MAP_FIXED_NOREPLACE 0x100000 /* MAP_FIXED which doesn't unmap underlying mapping */
-/* MAP_UNINITIALIZED not supported */
-
/*
* Flags for mlockall
*/
diff --git a/arch/parisc/include/uapi/asm/mman.h b/arch/parisc/include/uapi/asm/mman.h
index 3732950a5cd8..8d7f3a8912b3 100644
--- a/arch/parisc/include/uapi/asm/mman.h
+++ b/arch/parisc/include/uapi/asm/mman.h
@@ -20,8 +20,6 @@
/* MAP_SYNC not supported */
#define MAP_FIXED_NOREPLACE 0x100000 /* MAP_FIXED which doesn't unmap underlying mapping */
-/* MAP_UNINITIALIZED not supported */
-
/*
* Flags for mlockall
*/
diff --git a/arch/powerpc/include/uapi/asm/mman.h b/arch/powerpc/include/uapi/asm/mman.h
index d57b347c37fe..48c734b4d201 100644
--- a/arch/powerpc/include/uapi/asm/mman.h
+++ b/arch/powerpc/include/uapi/asm/mman.h
@@ -33,11 +33,6 @@
#define MAP_SYNC 0x080000 /* perform synchronous page faults for the mapping */
#define MAP_FIXED_NOREPLACE 0x100000 /* MAP_FIXED which doesn't unmap underlying mapping */
-#define MAP_UNINITIALIZED 0x4000000 /* For anonymous mmap, memory could be
- * uninitialized */
-
-
-
#define MCL_CURRENT 0x2000 /* lock all currently mapped pages */
#define MCL_FUTURE 0x4000 /* lock all additions to address space */
#define MCL_ONFAULT 0x8000 /* lock all pages that are faulted in */
diff --git a/arch/sh/configs/rsk7264_defconfig b/arch/sh/configs/rsk7264_defconfig
index e4ef259425c4..86421e2fec10 100644
--- a/arch/sh/configs/rsk7264_defconfig
+++ b/arch/sh/configs/rsk7264_defconfig
@@ -12,7 +12,6 @@ CONFIG_KALLSYMS_ALL=y
CONFIG_EXPERT=y
CONFIG_PERF_COUNTERS=y
# CONFIG_VM_EVENT_COUNTERS is not set
-CONFIG_MMAP_ALLOW_UNINITIALIZED=y
CONFIG_PROFILING=y
# CONFIG_BLK_DEV_BSG is not set
CONFIG_PARTITION_ADVANCED=y
diff --git a/arch/sparc/include/uapi/asm/mman.h b/arch/sparc/include/uapi/asm/mman.h
index afb86698cdb1..e05ac492f9a8 100644
--- a/arch/sparc/include/uapi/asm/mman.h
+++ b/arch/sparc/include/uapi/asm/mman.h
@@ -30,9 +30,6 @@
#define MAP_SYNC 0x080000 /* perform synchronous page faults for the mapping */
#define MAP_FIXED_NOREPLACE 0x100000 /* MAP_FIXED which doesn't unmap underlying mapping */
-#define MAP_UNINITIALIZED 0x4000000 /* For anonymous mmap, memory could be
- * uninitialized */
-
#define MCL_CURRENT 0x2000 /* lock all currently mapped pages */
#define MCL_FUTURE 0x4000 /* lock all additions to address space */
#define MCL_ONFAULT 0x8000 /* lock all pages that are faulted in */
diff --git a/arch/xtensa/include/uapi/asm/mman.h b/arch/xtensa/include/uapi/asm/mman.h
index e713b8dc8587..6fdf9f3e587a 100644
--- a/arch/xtensa/include/uapi/asm/mman.h
+++ b/arch/xtensa/include/uapi/asm/mman.h
@@ -36,9 +36,6 @@
/* MAP_SYNC not supported */
#define MAP_FIXED_NOREPLACE 0x100000 /* MAP_FIXED which doesn't unmap underlying mapping */
-#define MAP_UNINITIALIZED 0x4000000 /* For anonymous mmap, memory could be
- * uninitialized */
-
/*
* Flags for mlockall
*/
diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
index 4fe5bb9f1b1f..82ba92d28ddf 100644
--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -418,8 +418,7 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm)
current->mm->start_brk = vm_mmap(NULL, 0, stack_size, stack_prot,
MAP_PRIVATE | MAP_ANONYMOUS |
- MAP_UNINITIALIZED | MAP_GROWSDOWN,
- 0);
+ MAP_GROWSDOWN, 0);
if (IS_ERR_VALUE(current->mm->start_brk)) {
retval = current->mm->start_brk;
diff --git a/include/linux/mman.h b/include/linux/mman.h
index bcb201ab7a41..f606b2264cc0 100644
--- a/include/linux/mman.h
+++ b/include/linux/mman.h
@@ -24,9 +24,6 @@
#ifndef MAP_HUGE_1GB
#define MAP_HUGE_1GB 0
#endif
-#ifndef MAP_UNINITIALIZED
-#define MAP_UNINITIALIZED 0
-#endif
#ifndef MAP_SYNC
#define MAP_SYNC 0
#endif
@@ -44,7 +41,6 @@
| MAP_ANONYMOUS \
| MAP_DENYWRITE \
| MAP_EXECUTABLE \
- | MAP_UNINITIALIZED \
| MAP_GROWSDOWN \
| MAP_LOCKED \
| MAP_NORESERVE \
diff --git a/include/uapi/asm-generic/mman.h b/include/uapi/asm-generic/mman.h
index f26f9b4c03e1..541be26ad947 100644
--- a/include/uapi/asm-generic/mman.h
+++ b/include/uapi/asm-generic/mman.h
@@ -27,10 +27,6 @@
#define MAP_SYNC 0x080000 /* perform synchronous page faults for the mapping */
#define MAP_FIXED_NOREPLACE 0x100000 /* MAP_FIXED which doesn't unmap underlying mapping */
-#define MAP_UNINITIALIZED 0x4000000 /* For anonymous mmap, memory could be
- * uninitialized */
-
-
/*
* Bits [26:31] are reserved, see asm-generic/hugetlb_encode.h
* for MAP_HUGETLB usage
diff --git a/mm/Kconfig b/mm/Kconfig
index 09aebca1cae3..7326820ba200 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -381,28 +381,6 @@ config COMPAT_BRK
On non-ancient distros (post-2000 ones) N is usually a safe choice.
-config MMAP_ALLOW_UNINITIALIZED
- bool "Allow mmapped anonymous memory to be uninitialized"
- depends on EXPERT && !MMU
- default n
- help
- Normally, and according to the Linux spec, anonymous memory obtained
- from mmap() has its contents cleared before it is passed to
- userspace. Enabling this config option allows you to request that
- mmap() skip that if it is given an MAP_UNINITIALIZED flag, thus
- providing a huge performance boost. If this option is not enabled,
- then the flag will be ignored.
-
- This is taken advantage of by uClibc's malloc(), and also by
- ELF-FDPIC binfmt's brk and stack allocator.
-
- Because of the obvious security issues, this option should only be
- enabled on embedded devices where you control what is run in
- userspace. Since that isn't generally a problem on no-MMU systems,
- it is normally safe to say Y here.
-
- See Documentation/admin-guide/mm/nommu-mmap.rst for more information.
-
config SELECT_MEMORY_MODEL
def_bool y
depends on ARCH_SELECT_MEMORY_MODEL
diff --git a/mm/nommu.c b/mm/nommu.c
index 385b0c15add8..793fa7303065 100644
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -1172,9 +1172,7 @@ unsigned long do_mmap(struct file *file,
add_nommu_region(region);
/* clear anonymous mappings that don't ask for uninitialized data */
- if (!vma->vm_file &&
- (!IS_ENABLED(CONFIG_MMAP_ALLOW_UNINITIALIZED) ||
- !(flags & MAP_UNINITIALIZED)))
+ if (!vma->vm_file)
memset((void *)region->vm_start, 0,
region->vm_end - region->vm_start);
--
2.39.2
Powered by blists - more mailing lists