--- /dev/null
+From 6a9af90a3bcde217a1c053e135f5f43e5d5fafbd Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 10 Jul 2017 15:52:40 -0700
+Subject: arm: move ELF_ET_DYN_BASE to 4MB
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 6a9af90a3bcde217a1c053e135f5f43e5d5fafbd upstream.
+
+Now that explicitly executed loaders are loaded in the mmap region, we
+have more freedom to decide where we position PIE binaries in the
+address space to avoid possible collisions with mmap or stack regions.
+
+4MB is chosen here mainly to have parity with x86, where this is the
+traditional minimum load location, likely to avoid historically
+requiring a 4MB page table entry when only a portion of the first 4MB
+would be used (since the NULL address is avoided).
+
+For ARM the position could be 0x8000, the standard ET_EXEC load address,
+but that is needlessly close to the NULL address, and anyone running PIE
+on 32-bit ARM will have an MMU, so the tight mapping is not needed.
+
+Link: http://lkml.kernel.org/r/1498154792-49952-2-git-send-email-keescook@chromium.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: Pratyush Anand <panand@redhat.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Daniel Micay <danielmicay@gmail.com>
+Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
+Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Qualys Security Advisory <qsa@qualys.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/elf.h | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/arch/arm/include/asm/elf.h
++++ b/arch/arm/include/asm/elf.h
+@@ -112,12 +112,8 @@ int dump_task_regs(struct task_struct *t
+ #define CORE_DUMP_USE_REGSET
+ #define ELF_EXEC_PAGESIZE 4096
+
+-/* This is the location that an ET_DYN program is loaded if exec'ed. Typical
+- use of this is to invoke "./ld.so someprog" to test out a new version of
+- the loader. We need to make sure that it is out of the way of the program
+- that it will "exec", and that there is sufficient room for the brk. */
+-
+-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
++/* This is the base location for PIE (ET_DYN with INTERP) loads. */
++#define ELF_ET_DYN_BASE 0x400000UL
+
+ /* When the program starts, a1 contains a pointer to a function to be
+ registered with atexit, as per the SVR4 ABI. A value of 0 means we
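Review bot: The new one-line comment above `ELF_ET_DYN_BASE` records neither why 4MB was chosen nor that another header depends on the value. The arm64 patch later in this series adds `COMPAT_ELF_ET_DYN_BASE 0x000400000UL` with the remark "Must match ARM ELF_ET_DYN_BASE", but nothing on the ARM side points back, so a later change here could silently diverge the compat layout from native ARM. I would extend the comment to something like `/* Base for PIE (ET_DYN with INTERP) loads; 4MB keeps it well clear of NULL. arm64 COMPAT_ELF_ET_DYN_BASE must match this value. */`.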
--- /dev/null
+From 02445990a96e60a67526510d8b00f7e3d14101c3 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 10 Jul 2017 15:52:44 -0700
+Subject: arm64: move ELF_ET_DYN_BASE to 4GB / 4MB
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 02445990a96e60a67526510d8b00f7e3d14101c3 upstream.
+
+Now that explicitly executed loaders are loaded in the mmap region, we
+have more freedom to decide where we position PIE binaries in the
+address space to avoid possible collisions with mmap or stack regions.
+
+For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit
+address space for 32-bit pointers. On 32-bit use 4MB, to match ARM.
+This could be 0x8000, the standard ET_EXEC load address, but that is
+needlessly close to the NULL address, and anyone running arm compat PIE
+will have an MMU, so the tight mapping is not needed.
+
+Link: http://lkml.kernel.org/r/1498251600-132458-4-git-send-email-keescook@chromium.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/include/asm/elf.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -113,12 +113,11 @@
+ #define ELF_EXEC_PAGESIZE PAGE_SIZE
+
+ /*
+- * This is the location that an ET_DYN program is loaded if exec'ed. Typical
+- * use of this is to invoke "./ld.so someprog" to test out a new version of
+- * the loader. We need to make sure that it is out of the way of the program
+- * that it will "exec", and that there is sufficient room for the brk.
++ * This is the base location for PIE (ET_DYN with INTERP) loads. On
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
++ * space open for things that want to use the area for 32-bit pointers.
+ */
+-#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
++#define ELF_ET_DYN_BASE 0x100000000UL
+
+ #ifndef __ASSEMBLY__
+
+@@ -173,7 +172,8 @@ extern int arch_setup_additional_pages(s
+
+ #ifdef CONFIG_COMPAT
+
+-#define COMPAT_ELF_ET_DYN_BASE (2 * TASK_SIZE_32 / 3)
++/* PIE load location for compat arm. Must match ARM ELF_ET_DYN_BASE. */
++#define COMPAT_ELF_ET_DYN_BASE 0x000400000UL
+
+ /* AArch32 registers. */
+ #define COMPAT_ELF_NGREG 18
--- /dev/null
+From eab09532d40090698b05a07c1c87f39fdbc5fab5 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 10 Jul 2017 15:52:37 -0700
+Subject: binfmt_elf: use ELF_ET_DYN_BASE only for PIE
+
+From: Kees Cook <keescook@chromium.org>
+
+commit eab09532d40090698b05a07c1c87f39fdbc5fab5 upstream.
+
+The ELF_ET_DYN_BASE position was originally intended to keep loaders
+away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2
+/bin/cat" might cause the subsequent load of /bin/cat into where the
+loader had been loaded.)
+
+With the advent of PIE (ET_DYN binaries with an INTERP Program Header),
+ELF_ET_DYN_BASE continued to be used since the kernel was only looking
+at ET_DYN. However, since ELF_ET_DYN_BASE is traditionally set at the
+top 1/3rd of the TASK_SIZE, a substantial portion of the address space
+is unused.
+
+For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs are
+loaded above the mmap region. This means they can be made to collide
+(CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with
+pathological stack regions.
+
+Lowering ELF_ET_DYN_BASE solves both by moving programs below the mmap
+region in all cases, and will now additionally avoid programs falling
+back to the mmap region by enforcing MAP_FIXED for program loads (i.e.
+if it would have collided with the stack, now it will fail to load
+instead of falling back to the mmap region).
+
+To allow for a lower ELF_ET_DYN_BASE, loaders (ET_DYN without INTERP)
+are loaded into the mmap region, leaving space available for either an
+ET_EXEC binary with a fixed location or PIE being loaded into mmap by
+the loader. Only PIE programs are loaded offset from ELF_ET_DYN_BASE,
+which means architectures can now safely lower their values without risk
+of loaders colliding with their subsequently loaded programs.
+
+For 64-bit, ELF_ET_DYN_BASE is best set to 4GB to allow runtimes to use
+the entire 32-bit address space for 32-bit pointers.
+
+Thanks to PaX Team, Daniel Micay, and Rik van Riel for inspiration and
+suggestions on how to implement this solution.
+
+Fixes: d1fd836dcf00 ("mm: split ET_DYN ASLR from mmap ASLR")
+Link: http://lkml.kernel.org/r/20170621173201.GA114489@beast
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Rik van Riel <riel@redhat.com>
+Cc: Daniel Micay <danielmicay@gmail.com>
+Cc: Qualys Security Advisory <qsa@qualys.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Pratyush Anand <panand@redhat.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/elf.h | 13 +++++----
+ fs/binfmt_elf.c | 59 ++++++++++++++++++++++++++++++++++++++-------
+ 2 files changed, 58 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -245,12 +245,13 @@ extern int force_personality32;
+ #define CORE_DUMP_USE_REGSET
+ #define ELF_EXEC_PAGESIZE 4096
+
+-/* This is the location that an ET_DYN program is loaded if exec'ed. Typical
+- use of this is to invoke "./ld.so someprog" to test out a new version of
+- the loader. We need to make sure that it is out of the way of the program
+- that it will "exec", and that there is sufficient room for the brk. */
+-
+-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
++/*
++ * This is the base location for PIE (ET_DYN with INTERP) loads. On
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
++ * space open for things that want to use the area for 32-bit pointers.
++ */
++#define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
++ 0x100000000UL)
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. This could be done in user space,
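Review bot: `ELF_ET_DYN_BASE` still reads like a constant but now expands to a call to `mmap_is_ia32()`, so its value depends on the state of the current task at the point of use. The hunk does not show where the 32-bit/64-bit decision is made relative to the use in load_elf_binary(), so presumably the mode is already settled by then; the comment should state that requirement, e.g. `/* Evaluated per task: only meaningful once the new image's 32/64-bit mode has been set. */`. The same applies to the powerpc hunk (`is_32bit_task()`) and the s390 hunk (`is_compat_task()`) later in this series. Writing the two bases with the same digit count (`0x000400000UL` / `0x100000000UL`) is a nice touch and worth keeping consistent with the ARM header, which uses `0x400000UL`.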
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -927,17 +927,60 @@ static int load_elf_binary(struct linux_
+ elf_flags = MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE;
+
+ vaddr = elf_ppnt->p_vaddr;
++ /*
++ * If we are loading ET_EXEC or we have already performed
++ * the ET_DYN load_addr calculations, proceed normally.
++ */
+ if (loc->elf_ex.e_type == ET_EXEC || load_addr_set) {
+ elf_flags |= MAP_FIXED;
+ } else if (loc->elf_ex.e_type == ET_DYN) {
+- /* Try and get dynamic programs out of the way of the
+- * default mmap base, as well as whatever program they
+- * might try to exec. This is because the brk will
+- * follow the loader, and is not movable. */
+- load_bias = ELF_ET_DYN_BASE - vaddr;
+- if (current->flags & PF_RANDOMIZE)
+- load_bias += arch_mmap_rnd();
+- load_bias = ELF_PAGESTART(load_bias);
++ /*
++ * This logic is run once for the first LOAD Program
++ * Header for ET_DYN binaries to calculate the
++ * randomization (load_bias) for all the LOAD
++ * Program Headers, and to calculate the entire
++ * size of the ELF mapping (total_size). (Note that
++ * load_addr_set is set to true later once the
++ * initial mapping is performed.)
++ *
++ * There are effectively two types of ET_DYN
++ * binaries: programs (i.e. PIE: ET_DYN with INTERP)
++ * and loaders (ET_DYN without INTERP, since they
++ * _are_ the ELF interpreter). The loaders must
++ * be loaded away from programs since the program
++ * may otherwise collide with the loader (especially
++ * for ET_EXEC which does not have a randomized
++ * position). For example to handle invocations of
++ * "./ld.so someprog" to test out a new version of
++ * the loader, the subsequent program that the
++ * loader loads must avoid the loader itself, so
++ * they cannot share the same load range. Sufficient
++ * room for the brk must be allocated with the
++ * loader as well, since brk must be available with
++ * the loader.
++ *
++ * Therefore, programs are loaded offset from
++ * ELF_ET_DYN_BASE and loaders are loaded into the
++ * independently randomized mmap region (0 load_bias
++ * without MAP_FIXED).
++ */
++ if (elf_interpreter) {
++ load_bias = ELF_ET_DYN_BASE;
++ if (current->flags & PF_RANDOMIZE)
++ load_bias += arch_mmap_rnd();
++ elf_flags |= MAP_FIXED;
++ } else
++ load_bias = 0;
++
++ /*
++ * Since load_bias is used for all subsequent loading
++ * calculations, we must lower it by the first vaddr
++ * so that the remaining calculations based on the
++ * ELF vaddrs will be correctly offset. The result
++ * is then page aligned.
++ */
++ load_bias = ELF_PAGESTART(load_bias - vaddr);
++
+ total_size = total_mapping_size(elf_phdata,
+ loc->elf_ex.e_phnum);
+ if (!total_size) {
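Review bot: The PIE branch now sets `elf_flags |= MAP_FIXED`, and the long comment does not say what keeps the target range free. MAP_FIXED replaces any mapping already present in the requested range rather than failing, so the "fail to load instead of falling back to the mmap region" behaviour described in the commit message seems to rely on checks outside this hunk, which is worth confirming. I would add a line to the comment such as `* MAP_FIXED will replace an existing mapping in [load_bias, load_bias + total_size); the range is assumed to be unused at this point.` Separately, the `else load_bias = 0;` arm should carry braces to match the braced `if (elf_interpreter)` arm. load_elf_binary() starts and ends outside the hunk.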
--- /dev/null
+From 8d81ae05d0176da1c54aeaed697fa34be5c5575e Mon Sep 17 00:00:00 2001
+From: Cyril Bur <cyrilbur@gmail.com>
+Date: Mon, 10 Jul 2017 15:52:21 -0700
+Subject: checkpatch: silence perl 5.26.0 unescaped left brace warnings
+
+From: Cyril Bur <cyrilbur@gmail.com>
+
+commit 8d81ae05d0176da1c54aeaed697fa34be5c5575e upstream.
+
+As of perl 5, version 26, subversion 0 (v5.26.0) some new warnings have
+occurred when running checkpatch.
+
+Unescaped left brace in regex is deprecated here (and will be fatal in
+Perl 5.30), passed through in regex; marked by <-- HERE in m/^(.\s*){
+<-- HERE \s*/ at scripts/checkpatch.pl line 3544.
+
+Unescaped left brace in regex is deprecated here (and will be fatal in
+Perl 5.30), passed through in regex; marked by <-- HERE in m/^(.\s*){
+<-- HERE \s*/ at scripts/checkpatch.pl line 3885.
+
+Unescaped left brace in regex is deprecated here (and will be fatal in
+Perl 5.30), passed through in regex; marked by <-- HERE in
+m/^(\+.*(?:do|\))){ <-- HERE / at scripts/checkpatch.pl line 4374.
+
+It seems perfectly reasonable to do as the warning suggests and simply
+escape the left brace in these three locations.
+
+Link: http://lkml.kernel.org/r/20170607060135.17384-1-cyrilbur@gmail.com
+Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
+Acked-by: Joe Perches <joe@perches.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/checkpatch.pl | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/scripts/checkpatch.pl
++++ b/scripts/checkpatch.pl
+@@ -3541,7 +3541,7 @@ sub process {
+ $fixedline =~ s/\s*=\s*$/ = {/;
+ fix_insert_line($fixlinenr, $fixedline);
+ $fixedline = $line;
+- $fixedline =~ s/^(.\s*){\s*/$1/;
++ $fixedline =~ s/^(.\s*)\{\s*/$1/;
+ fix_insert_line($fixlinenr, $fixedline);
+ }
+ }
+@@ -3882,7 +3882,7 @@ sub process {
+ my $fixedline = rtrim($prevrawline) . " {";
+ fix_insert_line($fixlinenr, $fixedline);
+ $fixedline = $rawline;
+- $fixedline =~ s/^(.\s*){\s*/$1\t/;
++ $fixedline =~ s/^(.\s*)\{\s*/$1\t/;
+ if ($fixedline !~ /^\+\s*$/) {
+ fix_insert_line($fixlinenr, $fixedline);
+ }
+@@ -4371,7 +4371,7 @@ sub process {
+ if (ERROR("SPACING",
+ "space required before the open brace '{'\n" . $herecurr) &&
+ $fix) {
+- $fixed[$fixlinenr] =~ s/^(\+.*(?:do|\))){/$1 {/;
++ $fixed[$fixlinenr] =~ s/^(\+.*(?:do|\)))\{/$1 {/;
+ }
+ }
+
+++ /dev/null
-From b49defe83659cefbb1763d541e779da32594ab10 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Fri, 30 Jun 2017 13:25:45 +0200
-Subject: kvm: avoid unused variable warning for UP builds
-
-From: Paolo Bonzini <pbonzini@redhat.com>
-
-commit b49defe83659cefbb1763d541e779da32594ab10 upstream.
-
-The uniprocessor version of smp_call_function_many does not evaluate
-all of its argument, and the compiler emits a warning about "wait"
-being unused. This breaks the build on architectures for which
-"-Werror" is enabled by default.
-
-Work around it by moving the invocation of smp_call_function_many to
-its own inline function.
-
-Reported-by: Paul Mackerras <paulus@ozlabs.org>
-Fixes: 7a97cec26b94c909f4cbad2dc3186af3e457a522
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- virt/kvm/kvm_main.c | 24 +++++++++++++++---------
- 1 file changed, 15 insertions(+), 9 deletions(-)
-
---- a/virt/kvm/kvm_main.c
-+++ b/virt/kvm/kvm_main.c
-@@ -187,12 +187,23 @@ static void ack_flush(void *_completed)
- {
- }
-
-+static inline bool kvm_kick_many_cpus(const struct cpumask *cpus, bool wait)
-+{
-+ if (unlikely(!cpus))
-+ cpus = cpu_online_mask;
-+
-+ if (cpumask_empty(cpus))
-+ return false;
-+
-+ smp_call_function_many(cpus, ack_flush, NULL, wait);
-+ return true;
-+}
-+
- bool kvm_make_all_cpus_request(struct kvm *kvm, unsigned int req)
- {
- int i, cpu, me;
- cpumask_var_t cpus;
-- bool called = true;
-- bool wait = req & KVM_REQUEST_WAIT;
-+ bool called;
- struct kvm_vcpu *vcpu;
-
- zalloc_cpumask_var(&cpus, GFP_ATOMIC);
-@@ -207,14 +218,9 @@ bool kvm_make_all_cpus_request(struct kv
-
- if (cpus != NULL && cpu != -1 && cpu != me &&
- kvm_request_needs_ipi(vcpu, req))
-- cpumask_set_cpu(cpu, cpus);
-+ __cpumask_set_cpu(cpu, cpus);
- }
-- if (unlikely(cpus == NULL))
-- smp_call_function_many(cpu_online_mask, ack_flush, NULL, wait);
-- else if (!cpumask_empty(cpus))
-- smp_call_function_many(cpus, ack_flush, NULL, wait);
-- else
-- called = false;
-+ called = kvm_kick_many_cpus(cpus, !!(req & KVM_REQUEST_WAIT));
- put_cpu();
- free_cpumask_var(cpus);
- return called;
--- /dev/null
+From 47ebb09d54856500c5a5e14824781902b3bb738e Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 10 Jul 2017 15:52:47 -0700
+Subject: powerpc: move ELF_ET_DYN_BASE to 4GB / 4MB
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 47ebb09d54856500c5a5e14824781902b3bb738e upstream.
+
+Now that explicitly executed loaders are loaded in the mmap region, we
+have more freedom to decide where we position PIE binaries in the
+address space to avoid possible collisions with mmap or stack regions.
+
+For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit
+address space for 32-bit pointers. On 32-bit use 4MB, which is the
+traditional x86 minimum load location, likely to avoid historically
+requiring a 4MB page table entry when only a portion of the first 4MB
+would be used (since the NULL address is avoided).
+
+Link: http://lkml.kernel.org/r/1498154792-49952-4-git-send-email-keescook@chromium.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Tested-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: Pratyush Anand <panand@redhat.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/elf.h | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/include/asm/elf.h
++++ b/arch/powerpc/include/asm/elf.h
+@@ -23,12 +23,13 @@
+ #define CORE_DUMP_USE_REGSET
+ #define ELF_EXEC_PAGESIZE PAGE_SIZE
+
+-/* This is the location that an ET_DYN program is loaded if exec'ed. Typical
+- use of this is to invoke "./ld.so someprog" to test out a new version of
+- the loader. We need to make sure that it is out of the way of the program
+- that it will "exec", and that there is sufficient room for the brk. */
+-
+-#define ELF_ET_DYN_BASE 0x20000000
++/*
++ * This is the base location for PIE (ET_DYN with INTERP) loads. On
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
++ * space open for things that want to use the area for 32-bit pointers.
++ */
++#define ELF_ET_DYN_BASE (is_32bit_task() ? 0x000400000UL : \
++ 0x100000000UL)
+
+ #define ELF_CORE_EFLAGS (is_elf2_task() ? 2 : 0)
+
--- /dev/null
+From a73dc5370e153ac63718d850bddf0c9aa9d871e6 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 10 Jul 2017 15:52:51 -0700
+Subject: s390: reduce ELF_ET_DYN_BASE
+
+From: Kees Cook <keescook@chromium.org>
+
+commit a73dc5370e153ac63718d850bddf0c9aa9d871e6 upstream.
+
+Now that explicitly executed loaders are loaded in the mmap region, we
+have more freedom to decide where we position PIE binaries in the
+address space to avoid possible collisions with mmap or stack regions.
+
+For 64-bit, align to 4GB to allow runtimes to use the entire 32-bit
+address space for 32-bit pointers. On 32-bit use 4MB, which is the
+traditional x86 minimum load location, likely to avoid historically
+requiring a 4MB page table entry when only a portion of the first 4MB
+would be used (since the NULL address is avoided). For s390 the
+position could be 0x10000, but that is needlessly close to the NULL
+address.
+
+Link: http://lkml.kernel.org/r/1498154792-49952-5-git-send-email-keescook@chromium.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: Pratyush Anand <panand@redhat.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/include/asm/elf.h | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/arch/s390/include/asm/elf.h
++++ b/arch/s390/include/asm/elf.h
+@@ -161,14 +161,13 @@ extern unsigned int vdso_enabled;
+ #define CORE_DUMP_USE_REGSET
+ #define ELF_EXEC_PAGESIZE 4096
+
+-/* This is the location that an ET_DYN program is loaded if exec'ed. Typical
+- use of this is to invoke "./ld.so someprog" to test out a new version of
+- the loader. We need to make sure that it is out of the way of the program
+- that it will "exec", and that there is sufficient room for the brk. 64-bit
+- tasks are aligned to 4GB. */
+-#define ELF_ET_DYN_BASE (is_compat_task() ? \
+- (STACK_TOP / 3 * 2) : \
+- (STACK_TOP / 3 * 2) & ~((1UL << 32) - 1))
++/*
++ * This is the base location for PIE (ET_DYN with INTERP) loads. On
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
++ * space open for things that want to use the area for 32-bit pointers.
++ */
++#define ELF_ET_DYN_BASE (is_compat_task() ? 0x000400000UL : \
++ 0x100000000UL)
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. */
kvm-arm64-fix-phy-counter-access-failure-in-guest.patch
kvm-ppc-book3s-fix-typo-in-xics-on-xive-state-saving-code.patch
kvm-vfio-decouple-only-when-we-match-a-group.patch
-kvm-avoid-unused-variable-warning-for-up-builds.patch
irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch
parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch
parisc-use-compat_sys_keyctl.patch
kernel-extable.c-mark-core_kernel_text-notrace.patch
mm-list_lru.c-fix-list_lru_count_node-to-be-race-free.patch
fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch
+checkpatch-silence-perl-5.26.0-unescaped-left-brace-warnings.patch
+binfmt_elf-use-elf_et_dyn_base-only-for-pie.patch
+arm-move-elf_et_dyn_base-to-4mb.patch
+arm64-move-elf_et_dyn_base-to-4gb-4mb.patch
+powerpc-move-elf_et_dyn_base-to-4gb-4mb.patch
+s390-reduce-elf_et_dyn_base.patch