[PATCH] x86/stacktrace: Fix infinite loop in arch_stack_walk_user()

[PATCH] x86/stacktrace: Fix infinite loop in arch_stack_walk_user()

[Eiichi Tsukata]

Current arch_stack_walk_user() checks `if (fp == frame.next_fp)`
to prevent infinite loop by self reference but it's not enogh for
circular reference.

Once we find a lack of return address, there is no need to continue
loop, so let's break out.

Fixes: 02b67518e2b1 ("tracing: add support for userspace stacktraces in tracing/iter_ctrl")
Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
---
 arch/x86/kernel/stacktrace.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kernel/stacktrace.c b/arch/x86/kernel/stacktrace.c
index 2abf27d7df6b..b1a1f4b4c943 100644
--- a/arch/x86/kernel/stacktrace.c
+++ b/arch/x86/kernel/stacktrace.c
@@ -129,11 +129,8 @@ void arch_stack_walk_user(stack_trace_consume_fn consume_entry, void *cookie,
 			break;
 		if ((unsigned long)fp < regs->sp)
 			break;
-		if (frame.ret_addr) {
-			if (!consume_entry(cookie, frame.ret_addr, false))
-				return;
-		}
-		if (fp == frame.next_fp)
+		if (!frame.ret_addr ||
+		    !consume_entry(cookie, frame.ret_addr, false))
 			break;
 		fp = frame.next_fp;
 	}
-- 
2.21.0

Re: [PATCH] x86/stacktrace: Fix infinite loop in arch_stack_walk_user()

[Linus Torvalds]

On Wed, Jul 10, 2019 at 7:35 PM Eiichi Tsukata <devel@etsukata.com> wrote:
>
> Once we find a lack of return address, there is no need to continue
> loop, so let's break out.

Looks good to me, feel free to add

  Acked-by: Linus Torvalds <torvalds@linux-foundation.org>

and I'll assume this comes through the x86 -tip tree..

         Linus

[tip:x86/urgent] x86/stacktrace: Prevent infinite loop in arch_stack_walk_user()

[tip-bot for Eiichi Tsukata]

Commit-ID:  cbf5b73d162b22e044fe0b7d51dcaa33be065253
Gitweb:     https://git.kernel.org/tip/cbf5b73d162b22e044fe0b7d51dcaa33be065253
Author:     Eiichi Tsukata <devel@etsukata.com>
AuthorDate: Thu, 11 Jul 2019 11:35:01 +0900
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Thu, 11 Jul 2019 08:22:03 +0200

x86/stacktrace: Prevent infinite loop in arch_stack_walk_user()

arch_stack_walk_user() checks `if (fp == frame.next_fp)` to prevent a
infinite loop by self reference but it's not enogh for circular reference.

Once a lack of return address is found, there is no point to continue the
loop, so break out.

Fixes: 02b67518e2b1 ("tracing: add support for userspace stacktraces in tracing/iter_ctrl")
Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lkml.kernel.org/r/20190711023501.963-1-devel@etsukata.com

---
 arch/x86/kernel/stacktrace.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kernel/stacktrace.c b/arch/x86/kernel/stacktrace.c
index 2abf27d7df6b..4f36d3241faf 100644
--- a/arch/x86/kernel/stacktrace.c
+++ b/arch/x86/kernel/stacktrace.c
@@ -129,11 +129,9 @@ void arch_stack_walk_user(stack_trace_consume_fn consume_entry, void *cookie,
 			break;
 		if ((unsigned long)fp < regs->sp)
 			break;
-		if (frame.ret_addr) {
-			if (!consume_entry(cookie, frame.ret_addr, false))
-				return;
-		}
-		if (fp == frame.next_fp)
+		if (!frame.ret_addr)
+			break;
+		if (!consume_entry(cookie, frame.ret_addr, false))
 			break;
 		fp = frame.next_fp;
 	}