Commit 0dc636b3 authored Nov 19, 2021 by Peter Zijlstra Committed by Linus Torvalds Nov 19, 2021

x86: Pin task-stack in __get_wchan()



When commit 5d1ceb39 ("x86: Fix __get_wchan() for !STACKTRACE")
moved from stacktrace to native unwind_*() usage, the
try_get_task_stack() got lost, leading to use-after-free issues for
dying tasks.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Fixes: 5d1ceb39 ("x86: Fix __get_wchan() for !STACKTRACE")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215031
Link: https://lore.kernel.org/stable/YZV02RCRVHIa144u@fedora64.linuxtx.org/


Reported-by: Justin Forbes <jmforbes@linuxtx.org>
Reported-by: Holger Hoffstätte <holger@applied-asynchrony.com>
Cc: Qi Zheng <zhengqi.arch@bytedance.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 4c388a8e

arch/x86/kernel/process.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -964,6 +964,9 @@ unsigned long __get_wchan(struct task_struct *p)
		struct unwind_state state;
		unsigned long addr = 0;

		if (!try_get_task_stack(p))
		return 0;

		for (unwind_start(&state, p, NULL, NULL); !unwind_done(&state);
		unwind_next_frame(&state)) {
		addr = unwind_get_return_address(&state);
		@@ -974,6 +977,8 @@ unsigned long __get_wchan(struct task_struct *p)
		break;
		}

		put_task_stack(p);

		return addr;
		}