On 08/10, Denys Vlasenko wrote:
>
> Currently, to support 32-bit binaries with PLT in BSS kernel maps *entire
> brk area* with executable rights for all binaries, even --secure-plt ones.
>
> Stop doing that.

Can't really review this patch, but at least the change in mm/mmap.c looks technically correct to me... One nit below, feel free to ignore.

> @@ -2668,7 +2668,7 @@ static int do_brk(unsigned long addr, unsigned long > request) > if (!len) > return 0; > > - flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags; > + flags |= VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;

OK. But note that we have

mlock_future_check(mm->def_flags);

a few lines below and after this change this _looks_ wrong because VM_LOCKED can come from the new "flags" argument passed to do_brk(). Nobody does this right now, still this looks wrong/confusing.

I'd suggest to add another change

- mlock_future_check(mm->def_flags); + mlock_future_check(flags);

or add a sanity check at the start to deny VM_LOCKED and perhaps something else...

The same for vm_brk_flags() which after your change does

do_brk_flags(flags); populate = (mm->def_flags & VM_LOCKED);

again, this is just a nit, I do not think it will be ever called with VM_LOCKED in "flags".

Oleg.
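
Review bot: at the `flags |=` line in do_brk(), the bits supplied by the caller are OR-ed into the mapping flags with no check on which bits are set, while the mlock_future_check() call quoted in the reply still looks only at mm->def_flags. The stated purpose of the change is to stop mapping the brk area executable for every binary, so the set of flags a caller may legitimately pass is small: consider rejecting any other bit at the top of the function, or passing the merged `flags` to mlock_future_check(), and add a comment above the `|=` naming the flags callers are allowed to pass.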