From: Bingwu Zhang <xtex@astrafall.org>

Increase default mmap randomization bits from 12 to 18 on 64-bit
platforms for better strength.

The original default, 12, means that ASLR offset has only (1 << 12) =
4096 possibilities. On average, it can be brute-forced in 2048 attempts.
If a service is configured to restart automatically or can be started
easily (e.g. execve a suid program), then trying for 4k times can be
done in one day even when each attempt takes 20s.
Increasing it to 18 makes brute-force much more difficult and leaves
more time for operators to find out attacks.

On 64-bit platforms, virtual address space is cheap, so the
randomization bits can be increased safely without disturbing userland
much and security comes first instead of availability.

Fixes: fa96b57c1490 ("LoongArch: Add build infrastructure")
Signed-off-by: Bingwu Zhang <xtex@astrafall.org>
---
 arch/loongarch/Kconfig | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/loongarch/Kconfig b/arch/loongarch/Kconfig
index 92068ff38685..b47c4e4ecbb7 100644
--- a/arch/loongarch/Kconfig
+++ b/arch/loongarch/Kconfig
@@ -740,9 +740,11 @@ config MMU
 	default y
 
 config ARCH_MMAP_RND_BITS_MIN
+	default 18 if 64BIT
 	default 12
 
 config ARCH_MMAP_RND_BITS_MAX
+	default 32 if 64BIT
 	default 18
 
 config ARCH_SUPPORTS_UPROBES

base-commit: be762d8b6dd7efacb61937d20f8475db8f207655
-- 
2.52.0

Hi, Bingwu,

On Sun, Mar 29, 2026 at 6:59 AM Bingwu Zhang <xtex@envs.net> wrote:
>
> From: Bingwu Zhang <xtex@astrafall.org>
>
> Increase default mmap randomization bits from 12 to 18 on 64-bit
> platforms for better strength.
>
> The original default, 12, means that ASLR offset has only (1 << 12) =
> 4096 possibilities. On average, it can be brute-forced in 2048 attempts.
> If a service is configured to restart automatically or can be started
> easily (e.g. execve a suid program), then trying for 4k times can be
> done in one day even when each attempt takes 20s.
> Increasing it to 18 makes brute-force much more difficult and leaves
> more time for operators to find out attacks.
>
> On 64-bit platforms, virtual address space is cheap, so the
> randomization bits can be increased safely without disturbing userland
> much and security comes first instead of availability.
Don't change ARCH_MMAP_RND_BITS_MIN because it may compact
performance, and you cannot blindly increase ARCH_MMAP_RND_BITS_MAX
because it should no more than "VA_BITS - PAGE_SHIFT - 3" (see
arch/riscv/Kconfig and arch/csky/Kconfig). For LoongArch, VA_BITS can
be 39 (half of VA40), PAGE_SHIFT can be 16 (64KB page), so
ARCH_MMAP_RND_BITS_MAX can only increase up to 20 (39 - 16 - 3 =20).

These are done in:
https://github.com/chenhuacai/linux/commit/ff35475dcfbd4c6e9c275aaef3c92da710894058

Huacai

> Fixes: fa96b57c1490 ("LoongArch: Add build infrastructure")
> Signed-off-by: Bingwu Zhang <xtex@astrafall.org>
> ---
>  arch/loongarch/Kconfig | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/arch/loongarch/Kconfig b/arch/loongarch/Kconfig
> index 92068ff38685..b47c4e4ecbb7 100644
> --- a/arch/loongarch/Kconfig
> +++ b/arch/loongarch/Kconfig
> @@ -740,9 +740,11 @@ config MMU
>         default y
>
>  config ARCH_MMAP_RND_BITS_MIN
> +       default 18 if 64BIT
>         default 12
>
>  config ARCH_MMAP_RND_BITS_MAX
> +       default 32 if 64BIT
>         default 18
>
>  config ARCH_SUPPORTS_UPROBES
>
> base-commit: be762d8b6dd7efacb61937d20f8475db8f207655
> --
> 2.52.0
>
>