From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Johannes Berg <johannes.berg@intel.com>,
Richard Weinberger <richard@nod.at>,
Sasha Levin <sashal@kernel.org>,
linux-um@lists.infradead.org
Subject: [PATCH AUTOSEL 5.10 20/31] um: allocate a guard page to helper threads
Date: Wed, 30 Dec 2020 08:03:02 -0500 [thread overview]
Message-ID: <20201230130314.3636961-20-sashal@kernel.org> (raw)
In-Reply-To: <20201230130314.3636961-1-sashal@kernel.org>
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit ef4459a6da0955b533ebfc97a7d756ac090f50c9 ]
We've been running into stack overflows in helper threads
corrupting memory (e.g. because somebody put printf() or
os_info() there), so to avoid those causing hard-to-debug
issues later on, allocate a guard page for helper thread
stacks and mark it read-only.
Unfortunately, the crash dump at that point is useless as
the stack tracer will try to backtrace the *kernel* thread,
not the helper thread, but at least we don't survive to a
random issue caused by corruption.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/um/drivers/ubd_kern.c | 2 +-
arch/um/include/shared/kern_util.h | 2 +-
arch/um/kernel/process.c | 11 +++++++----
arch/um/os-Linux/helper.c | 4 ++--
4 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/arch/um/drivers/ubd_kern.c b/arch/um/drivers/ubd_kern.c
index b12c1b0d3e1d0..e337702c30c78 100644
--- a/arch/um/drivers/ubd_kern.c
+++ b/arch/um/drivers/ubd_kern.c
@@ -1195,7 +1195,7 @@ static int __init ubd_driver_init(void){
/* Letting ubd=sync be like using ubd#s= instead of ubd#= is
* enough. So use anyway the io thread. */
}
- stack = alloc_stack(0, 0);
+ stack = alloc_stack(0);
io_pid = start_io_thread(stack + PAGE_SIZE - sizeof(void *),
&thread_fd);
if(io_pid < 0){
diff --git a/arch/um/include/shared/kern_util.h b/arch/um/include/shared/kern_util.h
index ccafb62e8ccec..c3ccbc2bbd2ce 100644
--- a/arch/um/include/shared/kern_util.h
+++ b/arch/um/include/shared/kern_util.h
@@ -19,7 +19,7 @@ extern int kmalloc_ok;
#define UML_ROUND_UP(addr) \
((((unsigned long) addr) + PAGE_SIZE - 1) & PAGE_MASK)
-extern unsigned long alloc_stack(int order, int atomic);
+extern unsigned long alloc_stack(int atomic);
extern void free_stack(unsigned long stack, int order);
struct pt_regs;
diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c
index 9505a7e87396a..bb352dc446870 100644
--- a/arch/um/kernel/process.c
+++ b/arch/um/kernel/process.c
@@ -32,6 +32,7 @@
#include <os.h>
#include <skas.h>
#include <linux/time-internal.h>
+#include <asm/set_memory.h>
/*
* This is a per-cpu array. A processor only modifies its entry and it only
@@ -62,16 +63,18 @@ void free_stack(unsigned long stack, int order)
free_pages(stack, order);
}
-unsigned long alloc_stack(int order, int atomic)
+unsigned long alloc_stack(int atomic)
{
- unsigned long page;
+ unsigned long addr;
gfp_t flags = GFP_KERNEL;
if (atomic)
flags = GFP_ATOMIC;
- page = __get_free_pages(flags, order);
+ addr = __get_free_pages(flags, 1);
- return page;
+ set_memory_ro(addr, 1);
+
+ return addr + PAGE_SIZE;
}
static inline void set_current(struct task_struct *task)
diff --git a/arch/um/os-Linux/helper.c b/arch/um/os-Linux/helper.c
index 9fa6e4187d4fb..feb48d796e005 100644
--- a/arch/um/os-Linux/helper.c
+++ b/arch/um/os-Linux/helper.c
@@ -45,7 +45,7 @@ int run_helper(void (*pre_exec)(void *), void *pre_data, char **argv)
unsigned long stack, sp;
int pid, fds[2], ret, n;
- stack = alloc_stack(0, __cant_sleep());
+ stack = alloc_stack(__cant_sleep());
if (stack == 0)
return -ENOMEM;
@@ -116,7 +116,7 @@ int run_helper_thread(int (*proc)(void *), void *arg, unsigned int flags,
unsigned long stack, sp;
int pid, status, err;
- stack = alloc_stack(0, __cant_sleep());
+ stack = alloc_stack(__cant_sleep());
if (stack == 0)
return -ENOMEM;
--
2.27.0
next prev parent reply other threads:[~2020-12-30 13:09 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-30 13:02 [PATCH AUTOSEL 5.10 01/31] ARM: 9014/2: Replace string mem* functions for KASan Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 02/31] rtc: sun6i: Fix memleak in sun6i_rtc_clk_init Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 03/31] module: set MODULE_STATE_GOING state when a module fails to load Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 04/31] quota: Don't overflow quota file offsets Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 05/31] rtc: pl031: fix resource leak in pl031_probe Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 06/31] powerpc: sysdev: add missing iounmap() on error in mpic_msgr_probe() Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 07/31] i3c master: fix missing destroy_workqueue() on error in i3c_master_register Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 08/31] reiserfs: add check for an invalid ih_entry_count Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 09/31] NFSv4: Fix a pNFS layout related use-after-free race when freeing the inode Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 10/31] f2fs: Handle casefolding with Encryption Sasha Levin
2020-12-30 18:01 ` [f2fs-dev] " Eric Biggers
2021-01-04 14:20 ` Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 11/31] f2fs: avoid race condition for shrinker count Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 12/31] f2fs: fix race of pending_pages in decompression Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 13/31] module: delay kobject uevent until after module init call Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 14/31] powerpc/64: irq replay remove decrementer overflow check Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 15/31] f2fs: fix shift-out-of-bounds in sanity_check_raw_super() Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 16/31] fs/namespace.c: WARN if mnt_count has become negative Sasha Levin
2020-12-30 13:02 ` [PATCH AUTOSEL 5.10 17/31] watchdog: rti-wdt: fix reference leak in rti_wdt_probe Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 18/31] um: random: Register random as hwrng-core device Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 19/31] um: ubd: Submit all data segments atomically Sasha Levin
2020-12-30 13:03 ` Sasha Levin [this message]
2020-12-30 14:48 ` [PATCH AUTOSEL 5.10 20/31] um: allocate a guard page to helper threads Johannes Berg
2021-01-04 14:21 ` Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 21/31] NFSv4.2: Don't error when exiting early on a READ_PLUS buffer overflow Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 22/31] ceph: fix inode refcount leak when ceph_fill_inode on non-I_NEW inode fails Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 23/31] drm/amd/display: updated wm table for Renoir Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 24/31] tick/sched: Remove bogus boot "safety" check Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 25/31] s390: always clear kernel stack backchain before calling functions Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 26/31] io_uring: remove racy overflow list fast checks Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 27/31] ext4: check for invalid block size early when mounting a file system Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 28/31] ALSA: pcm: Clear the full allocated memory at hw_params Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 29/31] dm verity: skip verity work if I/O error when system is shutting down Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 30/31] ext4: avoid s_mb_prefetch to be zero in individual scenarios Sasha Levin
2020-12-30 13:03 ` [PATCH AUTOSEL 5.10 31/31] device-dax: Fix range release Sasha Levin
2020-12-30 14:18 ` [PATCH AUTOSEL 5.10 01/31] ARM: 9014/2: Replace string mem* functions for KASan Ahmad Fatoum
2021-01-04 14:29 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201230130314.3636961-20-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-um@lists.infradead.org \
--cc=richard@nod.at \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).