Date: Wed, 23 Oct 2019 20:05:49 +0200 (CEST)
From: Thomas Gleixner
To: Cyrill Gorcunov
Cc: LKML, Ingo Molnar, Peter Zijlstra, linux-mm@kvack.org, Catalin Marinas, x86@kernel.org, Josh Poimboeuf
Subject: [PATCH] x86/dumpstack/64: Don't evaluate exception stacks before setup
In-Reply-To: <20191023135943.GK12121@uranus.lan>
References: <20191019114421.GK9698@uranus.lan> <20191022142325.GD12121@uranus.lan> <20191022145619.GE12121@uranus.lan> <20191023135943.GK12121@uranus.lan>

Cyrill reported the following crash:

  BUG: unable to handle page fault for address: 0000000000001ff0
  #PF: supervisor read access in kernel mode
  RIP: 0010:get_stack_info+0xb3/0x148

It turns out that if the stack tracer is invoked before the exception stack
mappings are initialized, in_exception_stack() can erroneously classify an
invalid address as an address inside of an exception stack:

    begin = this_cpu_read(cea_exception_stacks);  <- 0
    end = begin + sizeof(exception stacks);

i.e. any address between 0 and end will be considered as exception stack
address and the subsequent code will then try to dereference the resulting
stack frame at a non-mapped address.

  end = begin + (unsigned long)ep->size;
      ==> end = 0x2000

  regs = (struct pt_regs *)end - 1;
      ==> regs = 0x2000 - sizeof(struct pt_regs *) = 0x1ff0

  info->next_sp = (unsigned long *)regs->sp;
      ==> Crashes due to accessing 0x1ff0

Prevent this by checking the validity of the cea_exception_stack base
address and bailing out if it is zero.

Fixes: afcd21dad88b ("x86/dumpstack/64: Use cpu_entry_area instead of orig_ist")
Reported-by: Cyrill Gorcunov
Signed-off-by: Thomas Gleixner Tested-by: Cyrill Gorcunov Cc: stable@vger.kernel.org --- arch/x86/kernel/dumpstack_64.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/arch/x86/kernel/dumpstack_64.c +++ b/arch/x86/kernel/dumpstack_64.c @@ -94,6 +94,13 @@ static bool in_exception_stack(unsigned BUILD_BUG_ON(N_EXCEPTION_STACKS != 6); begin = (unsigned long)__this_cpu_read(cea_exception_stacks); + /* + * Handle the case where stack trace is collected _before_ + * cea_exception_stacks had been initialized. + */ + if (!begin) + return false; + end = begin + sizeof(struct cea_exception_stacks); /* Bail if @stack is outside the exception stack area. */ if (stk < begin || stk >= end)
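Review bot: the early `return false` is placed correctly ahead of the range check, because with `begin == 0` the unsigned test `stk < begin || stk >= end` degenerates to `stk >= end`, so any value below `sizeof(struct cea_exception_stacks)` is accepted, which is the path the commit message traces to the 0x1ff0 fault. The new comment should, however, say why zero is a safe sentinel, namely that the per-CPU `cea_exception_stacks` pointer stays zero until the cpu_entry_area mappings are set up, and "had been initialized" should read "has been initialized".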
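To make the arithmetic in the commit message concrete, the following added example (not kernel code and not part of the patch) models the classification path of in_exception_stack() with and without the new base check. The `struct pt_regs` field order is the real x86-64 layout so that the computed load address matches the reported 0x1ff0; `classify()`, `AREA_SIZE` and the sample stack pointers are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Field order of the x86-64 struct pt_regs, reproduced so that
 * offsetof(sp) is the real one (0x98); everything else here is a
 * constructed model of in_exception_stack(), not kernel code. */
struct pt_regs {
	unsigned long r15, r14, r13, r12, bp, bx, r11, r10, r9, r8;
	unsigned long ax, cx, dx, si, di, orig_ax, ip, cs, flags, sp, ss;
};

#define PAGE_SIZE 0x1000UL
/* Simplified area: one guard page followed by one stack page, so the
 * stack the report hits ends at base + 0x2000 (end = 0x2000 when base == 0). */
#define AREA_SIZE (2 * PAGE_SIZE)

/*
 * Model of the classification path. `base` stands in for the per-CPU
 * cea_exception_stacks pointer, which is 0 before cpu_entry_area setup.
 * Returns the address the code would load regs->sp from, or 0 when the
 * candidate stack pointer is rejected.
 */
static unsigned long classify(unsigned long base, unsigned long stk,
			      bool check_base)
{
	unsigned long begin = base;
	unsigned long end;

	if (check_base && !begin)	/* the fix: bail out before setup */
		return 0;

	end = begin + AREA_SIZE;
	/* Unsigned compare: with begin == 0 the first clause is never true and
	 * the whole test degenerates to stk >= end, so any value below 0x2000
	 * (including a garbage early-boot stack pointer) is accepted. */
	if (stk < begin || stk >= end)
		return 0;

	/* regs = (struct pt_regs *)end - 1; info->next_sp = regs->sp; */
	return end - sizeof(struct pt_regs) + offsetof(struct pt_regs, sp);
}

int main(void)
{
	/* 0x1ff8: constructed bogus stack pointer inside [0, 0x2000). */
	printf("pre-fix,  base 0: reads from 0x%lx\n", classify(0, 0x1ff8, false));
	printf("post-fix, base 0: reads from 0x%lx\n", classify(0, 0x1ff8, true));
	return 0;
}
```

Before the fix the model reads from 0x1ff0, the exact address in the reported #PF; after the fix the same input is rejected, while a properly set up base still classifies in-range pointers.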