From: Peter Zijlstra peterz@infradead.org
mainline inclusion from mainline-v5.16-rc2 commit 0dc636b3b757a6b747a156de613275f9d74a4a66 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5BLBZ CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
When commit 5d1ceb3969b6 ("x86: Fix __get_wchan() for !STACKTRACE") moved from stacktrace to native unwind_*() usage, the try_get_task_stack() got lost, leading to use-after-free issues for dying tasks.
Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Fixes: 5d1ceb3969b6 ("x86: Fix __get_wchan() for !STACKTRACE") Link: https://bugzilla.kernel.org/show_bug.cgi?id=215031 Link: https://lore.kernel.org/stable/YZV02RCRVHIa144u@fedora64.linuxtx.org/ Reported-by: Justin Forbes jmforbes@linuxtx.org Reported-by: Holger Hoffstätte holger@applied-asynchrony.com Cc: Qi Zheng zhengqi.arch@bytedance.com Cc: Kees Cook keescook@chromium.org Cc: Thomas Gleixner tglx@linutronix.de Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Lin Yujun linyujun809@huawei.com Reviewed-by: Zhang Jianhua chris.zjh@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- arch/x86/kernel/process.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c index 5bdb9a329f59..ca588a3ac01b 100755 --- a/arch/x86/kernel/process.c +++ b/arch/x86/kernel/process.c @@ -925,6 +925,9 @@ unsigned long get_wchan(struct task_struct *p) if (p == current || p->state == TASK_RUNNING) return 0;
+ if (!try_get_task_stack(p)) + return 0; + for (unwind_start(&state, p, NULL, NULL); !unwind_done(&state); unwind_next_frame(&state)) { addr = unwind_get_return_address(&state); @@ -935,6 +938,8 @@ unsigned long get_wchan(struct task_struct *p) break; }
+ put_task_stack(p); + return addr; }