From 45051a2ed3bd4aac5ed50c391bab2061285ce406 Mon Sep 17 00:00:00 2001 From: Peter Zijlstra Date: Tue, 14 Jun 2022 16:23:20 +0800 Subject: [PATCH] x86: Pin task-stack in __get_wchan() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit mainline inclusion from mainline-v5.16-rc2 commit 0dc636b3b757a6b747a156de613275f9d74a4a66 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5BLBZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0dc636b3b757a6b747a156de613275f9d74a4a66 -------------------------------- When commit 5d1ceb3969b6 ("x86: Fix __get_wchan() for !STACKTRACE") moved from stacktrace to native unwind_*() usage, the try_get_task_stack() got lost, leading to use-after-free issues for dying tasks. Signed-off-by: Peter Zijlstra (Intel) Fixes: 5d1ceb3969b6 ("x86: Fix __get_wchan() for !STACKTRACE") Link: https://bugzilla.kernel.org/show_bug.cgi?id=215031 Link: https://lore.kernel.org/stable/YZV02RCRVHIa144u@fedora64.linuxtx.org/ Reported-by: Justin Forbes Reported-by: Holger Hoffstätte Cc: Qi Zheng Cc: Kees Cook Cc: Thomas Gleixner Signed-off-by: Linus Torvalds Signed-off-by: Lin Yujun Reviewed-by: Zhang Jianhua Signed-off-by: Zheng Zengkai --- arch/x86/kernel/process.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c index 7e41ac5033ad..ca588a3ac01b 100755 --- a/arch/x86/kernel/process.c +++ b/arch/x86/kernel/process.c @@ -925,6 +925,9 @@ unsigned long get_wchan(struct task_struct *p) if (p == current || p->state == TASK_RUNNING) return 0; + if (!try_get_task_stack(p)) + return 0; + for (unwind_start(&state, p, NULL, NULL); !unwind_done(&state); unwind_next_frame(&state)) { addr = unwind_get_return_address(&state); @@ -934,6 +937,8 @@ unsigned long get_wchan(struct task_struct *p) continue; break; } + + put_task_stack(p); return addr; } -- GitLab
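Review bot: The first hunk's new early return (`if (!try_get_task_stack(p)) return 0;`) has no comment explaining why 0 is the right answer when the stack reference cannot be taken; a one-line comment such as "stack already freed (task is dying), no wchan to report" would help the next reader, since the visible `p->state == TASK_RUNNING` check just above it is a different condition and the two reads as one block. Also, the hunk header shows the function is still named `get_wchan()` in this tree while the Subject and Fixes line refer to `__get_wchan()`; the backport should state that adaptation in the commit message so the deviation from the mainline commit is recorded. Separately, the index line shows `arch/x86/kernel/process.c` with mode `100755`; an executable bit on a .c file looks like an accident in the backport tree rather than something this fix intends to carry.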
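Review bot: The second hunk places `put_task_stack(p);` directly before `return addr;`, and this pairs correctly with the `try_get_task_stack()` in the first hunk only because the visible loop body leaves via `continue`, `break` or loop completion and never via `return`; any future early return inside that loop would leak the stack reference and keep a dying task's stack alive. Consider a comment next to the put noting that it must be the single exit for every path after the get, or restructure the function so that the unwind loop cannot return without reaching it. As written, the change is correct for the code shown: the reference is held across the entire `unwind_start`/`unwind_next_frame` walk, which is exactly the window the commit message identifies as the use-after-free.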