The ARM user backtrace code can get into an infinite loop if it
runs into an invalid stack frame which points back to itself.
This situation has been observed in practice. Fix it by capping
the number of entries in the backtrace. This is also what other
architectures do in their backtrace code.
Signed-off-by: Sonny Rao <[email protected]>
---
arch/arm/kernel/perf_event.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
index 69cfee0..1e61d60 100644
--- a/arch/arm/kernel/perf_event.c
+++ b/arch/arm/kernel/perf_event.c
@@ -746,7 +746,8 @@ perf_callchain_user(struct perf_callchain_entry *entry, struct pt_regs *regs)
tail = (struct frame_tail __user *)regs->ARM_fp - 1;
- while (tail && !((unsigned long)tail & 0x3))
+ while ((entry->nr < PERF_MAX_STACK_DEPTH) &&
+ tail && !((unsigned long)tail & 0x3))
tail = user_backtrace(tail, entry);
}
--
1.7.3.1
Hi,
On Fri, Apr 15, 2011 at 08:27:25PM -0700, Sonny Rao wrote:
> The ARM user backtrace code can get into an infinite loop if it
> runs into an invalid stack frame which points back to itself.
> This situation has been observed in practice. Fix it by capping
> the number of entries in the backtrace. This is also what other
> architectures do in their backtrace code.
Tested on my v6k board and looks good.
> Signed-off-by: Sonny Rao <[email protected]>
Acked-by: Jamie Iles <[email protected]>
Jamie
Hi Sonny,
On Sat, 2011-04-16 at 04:27 +0100, Sonny Rao wrote:
> The ARM user backtrace code can get into an infinite loop if it
> runs into an invalid stack frame which points back to itself.
> This situation has been observed in practice. Fix it by capping
> the number of entries in the backtrace. This is also what other
> architectures do in their backtrace code.
>
> Signed-off-by: Sonny Rao <[email protected]>
> ---
> arch/arm/kernel/perf_event.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
> index 69cfee0..1e61d60 100644
> --- a/arch/arm/kernel/perf_event.c
> +++ b/arch/arm/kernel/perf_event.c
> @@ -746,7 +746,8 @@ perf_callchain_user(struct perf_callchain_entry *entry, struct pt_regs *regs)
>
> tail = (struct frame_tail __user *)regs->ARM_fp - 1;
>
> - while (tail && !((unsigned long)tail & 0x3))
> + while ((entry->nr < PERF_MAX_STACK_DEPTH) &&
> + tail && !((unsigned long)tail & 0x3))
> tail = user_backtrace(tail, entry);
> }
Ok. Please can you put this into Russell's patch system?
Will
On Fri, Apr 15, 2011 at 8:27 PM, Sonny Rao <[email protected]> wrote:
>
> The ARM user backtrace code can get into an infinite loop if it
> runs into an invalid stack frame which points back to itself.
> This situation has been observed in practice. ?Fix it by capping
> the number of entries in the backtrace. ?This is also what other
> architectures do in their backtrace code.
>
> Signed-off-by: Sonny Rao <[email protected]>
Acked-by: Olof Johansson <[email protected]>
-Olof
On Mon, Apr 18, 2011 at 10:42 AM, Will Deacon <[email protected]> wrote:
> Hi Sonny,
>
> On Sat, 2011-04-16 at 04:27 +0100, Sonny Rao wrote:
>> The ARM user backtrace code can get into an infinite loop if it
>> runs into an invalid stack frame which points back to itself.
>> This situation has been observed in practice. ?Fix it by capping
>> the number of entries in the backtrace. ?This is also what other
>> architectures do in their backtrace code.
>>
>> Signed-off-by: Sonny Rao <[email protected]>
>> ---
>> ?arch/arm/kernel/perf_event.c | ? ?3 ++-
>> ?1 files changed, 2 insertions(+), 1 deletions(-)
>>
>> diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
>> index 69cfee0..1e61d60 100644
>> --- a/arch/arm/kernel/perf_event.c
>> +++ b/arch/arm/kernel/perf_event.c
>> @@ -746,7 +746,8 @@ perf_callchain_user(struct perf_callchain_entry *entry, struct pt_regs *regs)
>>
>> ? ? ? ? tail = (struct frame_tail __user *)regs->ARM_fp - 1;
>>
>> - ? ? ? while (tail && !((unsigned long)tail & 0x3))
>> + ? ? ? while ((entry->nr < PERF_MAX_STACK_DEPTH) &&
>> + ? ? ? ? ? ? ?tail && !((unsigned long)tail & 0x3))
>> ? ? ? ? ? ? ? ? tail = user_backtrace(tail, entry);
>> ?}
>
> Ok. Please can you put this into Russell's patch system?
>
> Will
>
Ok, sent it to [email protected]
hope that'll be sufficient