Thread (28 messages) 28 messages, 10 authors, 2026-03-03

Re: [PATCH v4 1/3] randomize_kstack: Maintain kstack_offset per task

From: Ryan Roberts <ryan.roberts@arm.com>
Date: 2026-01-19 16:51:39
Also in: linux-arm-kernel, linux-hardening, linux-riscv, linux-s390, lkml, loongarch, stable 

Thanks for the review!

On 19/01/2026 16:10, Dave Hansen wrote:
On 1/19/26 05:01, Ryan Roberts wrote:
...
quoted
Cc: stable@vger.kernel.org
Since this doesn't fix any known functional issues, if it were me, I'd
leave stable@ alone. It isn't clear that this is stable material.
I listed 2 issues in the commit log; I agree that issue 1 falls into the
category of "don't really care", but issue 2 means that kstack randomization is
currently trivial to defeat. That's the reason I thought it would valuable in
stable.

But if you're saying don't bother and others agree, then this whole patch can be
dropped; this is just intended to be the backportable fix. Patch 3 reimplements
this entirely for upstream.

I'll wait and see if others have opinions if that's ok?

quoted
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1591,6 +1591,10 @@ struct task_struct {
 	unsigned long			prev_lowest_stack;
 #endif
 
+#ifdef CONFIG_RANDOMIZE_KSTACK_OFFSET
+	u32				kstack_offset;
+#endif
+
 #ifdef CONFIG_X86_MCE
 	void __user			*mce_vaddr;
Nit: This seems to be throwing a u32 potentially in between a couple of
void*/ulong sized objects.
Yeah, I spent a bit of time with pahole but eventually concluded that it was
difficult to find somewhere to nestle it that would work reliably cross arch.
Eventually I just decided to group it with other stack meta data.

It probably doesn't matter with struct randomization and it's really
hard to get right among the web of task_struct #ifdefs. But, it would be
nice to at _least_ nestle this next to another int-sized thing.

Does it really even need to be 32 bits? x86 has this comment:

quoted
        /*
         * This value will get limited by KSTACK_OFFSET_MAX(), which is 10
         * bits. The actual entropy will be further reduced by the compiler
         * when applying stack alignment constraints (see cc_stack_align4/8 in
         * arch/x86/Makefile), which will remove the 3 (x86_64) or 2 (ia32)
         * low bits from any entropy chosen here.
         *
         * Therefore, final stack offset entropy will be 7 (x86_64) or
         * 8 (ia32) bits.
         */
For more recent kernels it's 6 bits shifted by 4 for 64-bit kernels or 8 bits
shifted by 2 for 32-bit kernels regardless of arch. So could probably make it
work with 8 bits of storage. Although I was deliberately trying to keep the
change simple, since it was intended for backporting. Patch 3 rips it out.

Overall I'd prefer to leave it all as is. But if people don't think we should
backport, then let's just drop the whole patch.

Thanks,
Ryan



  



    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help