From: Peter Zijlstra <peterz@infradead.org> mainline inclusion from mainline-v5.16-rc2 commit 0dc636b3b757a6b747a156de613275f9d74a4a66 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5BLBZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- When commit 5d1ceb3969b6 ("x86: Fix __get_wchan() for !STACKTRACE") moved from stacktrace to native unwind_*() usage, the try_get_task_stack() got lost, leading to use-after-free issues for dying tasks. Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Fixes: 5d1ceb3969b6 ("x86: Fix __get_wchan() for !STACKTRACE") Link: https://bugzilla.kernel.org/show_bug.cgi?id=215031 Link: https://lore.kernel.org/stable/YZV02RCRVHIa144u@fedora64.linuxtx.org/ Reported-by: Justin Forbes <jmforbes@linuxtx.org> Reported-by: Holger Hoffstätte <holger@applied-asynchrony.com> Cc: Qi Zheng <zhengqi.arch@bytedance.com> Cc: Kees Cook <keescook@chromium.org> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Lin Yujun <linyujun809@huawei.com> Reviewed-by: Zhang Jianhua <chris.zjh@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> --- arch/x86/kernel/process.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c index 5bdb9a329f59..ca588a3ac01b 100755 --- a/arch/x86/kernel/process.c +++ b/arch/x86/kernel/process.c @@ -925,6 +925,9 @@ unsigned long get_wchan(struct task_struct *p) if (p == current || p->state == TASK_RUNNING) return 0; + if (!try_get_task_stack(p)) + return 0; + for (unwind_start(&state, p, NULL, NULL); !unwind_done(&state); unwind_next_frame(&state)) { addr = unwind_get_return_address(&state); @@ -935,6 +938,8 @@ unsigned long get_wchan(struct task_struct *p) break; } + put_task_stack(p); + return addr; } -- 2.20.1