linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Eiichi Tsukata <devel@etsukata.com>
To: rostedt@goodmis.org, edwintorok@gmail.com, tglx@linutronix.de,
	mingo@redhat.com, bp@alien8.de, hpa@zytor.com, x86@kernel.org,
	linux-kernel@vger.kernel.org
Cc: Eiichi Tsukata <devel@etsukata.com>
Subject: [PATCH] x86/stacktrace: Do not access user space memory unnecessarily
Date: Tue,  2 Jul 2019 14:31:51 +0900	[thread overview]
Message-ID: <20190702053151.26922-1-devel@etsukata.com> (raw)

Put the boundary check before it accesses user space to prevent unnecessary
access which might crash the machine.

Especially, ftrace preemptirq/irq_disable event with user stack trace
option can trigger SEGV in pid 1 which leads to panic.

Reproducer:

  CONFIG_PREEMPTIRQ_TRACEPOINTS=y
  # echo 1 > events/preemptirq/enable
  # echo userstacktrace > trace_options

Output:

  Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
  CPU: 1 PID: 1 Comm: systemd Not tainted 5.2.0-rc7+ #10
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
  Call Trace:
   dump_stack+0x67/0x90
   panic+0x100/0x2c6
   do_exit.cold+0x4e/0x101
   do_group_exit+0x3a/0xa0
   get_signal+0x14a/0x8e0
   do_signal+0x36/0x650
   exit_to_usermode_loop+0x92/0xb0
   prepare_exit_to_usermode+0x6f/0xb0
   retint_user+0x8/0x18
  RIP: 0033:0x55be7ad1c89f
  Code: Bad RIP value.
  RSP: 002b:00007ffe329a4b00 EFLAGS: 00010202
  RAX: 0000000000000768 RBX: 00007ffe329a4ba0 RCX: 00007ff0063aa469
  RDX: 00007ff0066761de RSI: 00007ffe329a4b20 RDI: 0000000000000768
  RBP: 000000000000000b R08: 0000000000000000 R09: 00007ffe329a4e2f
  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000768
  R13: 0000000000000000 R14: 0000000000000004 R15: 000055be7b3d3560
  Kernel Offset: 0x2a000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

Fixes: 02b67518e2b1 ("tracing: add support for userspace stacktraces in tracing/iter_ctrl")
Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
---
 arch/x86/kernel/stacktrace.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/stacktrace.c b/arch/x86/kernel/stacktrace.c
index 2abf27d7df6b..6d0c608ffe34 100644
--- a/arch/x86/kernel/stacktrace.c
+++ b/arch/x86/kernel/stacktrace.c
@@ -123,12 +123,12 @@ void arch_stack_walk_user(stack_trace_consume_fn consume_entry, void *cookie,
 	while (1) {
 		struct stack_frame_user frame;
 
+		if ((unsigned long)fp < regs->sp)
+			break;
 		frame.next_fp = NULL;
 		frame.ret_addr = 0;
 		if (!copy_stack_frame(fp, &frame))
 			break;
-		if ((unsigned long)fp < regs->sp)
-			break;
 		if (frame.ret_addr) {
 			if (!consume_entry(cookie, frame.ret_addr, false))
 				return;
-- 
2.21.0

next             reply	other threads:[~2019-07-02  5:32 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-02  5:31 Eiichi Tsukata [this message]
2019-07-02  7:28 ` [PATCH] x86/stacktrace: Do not access user space memory unnecessarily Peter Zijlstra
2019-07-02 14:14   ` Thomas Gleixner
2019-07-02 15:33     ` Steven Rostedt
2019-07-02 17:39       ` Steven Rostedt
2019-07-02 17:47         ` Steven Rostedt
2019-07-02 20:18         ` Peter Zijlstra
2019-07-02 20:33           ` Steven Rostedt
2019-07-02 22:02           ` Peter Zijlstra
2019-07-19 20:28         ` Sean Christopherson
2019-07-19 22:23           ` Thomas Gleixner
2019-07-19 23:01             ` Thomas Gleixner
2019-07-20  8:44               ` Thomas Gleixner
2019-07-20  8:56             ` [PATCH] x86/entry/64: Prevent clobbering of saved CR2 value Thomas Gleixner
2019-07-20 11:20               ` Peter Zijlstra
2019-07-20 12:34               ` [tip:x86/urgent] " tip-bot for Thomas Gleixner

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:2abf27d7df6 dfblob:6d0c608ffe3
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190702053151.26922-1-devel@etsukata.com \
    --to=devel@etsukata.com \
    --cc=bp@alien8.de \
    --cc=edwintorok@gmail.com \
    --cc=hpa@zytor.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=rostedt@goodmis.org \
    --cc=tglx@linutronix.de \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).