[1/4] ARM: backtrace-clang: check for NULL lr

Message ID	20200730205112.2099429-2-ndesaulniers@google.com
State	New
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Date: Thu, 30 Jul 2020 13:51:09 -0700 In-Reply-To: <20200730205112.2099429-1-ndesaulniers@google.com> Message-Id: <20200730205112.2099429-2-ndesaulniers@google.com> Mime-Version: 1.0 References: <20200730205112.2099429-1-ndesaulniers@google.com> Subject: [PATCH 1/4] ARM: backtrace-clang: check for NULL lr From: Nick Desaulniers <ndesaulniers@google.com> To: Nathan Huckleberry <nhuck15@gmail.com>, Russell King <linux@armlinux.org.uk> Cc: Andrew Morton <akpm@linux-foundation.org>, Chunyan Zhang <zhang.lyra@gmail.com>, clang-built-linux@googlegroups.com, Dmitry Safonov <0x7f454c46@gmail.com>, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, Lvqiang Huang <lvqiang.huang@unisoc.com>, Matthias Brugger <matthias.bgg@gmail.com>, Nick Desaulniers <ndesaulniers@google.com>, Miles Chen <miles.chen@mediatek.com>, stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: stable-owner@vger.kernel.org Precedence: bulk
Series	[1/4] ARM: backtrace-clang: check for NULL lr \| expand [1/4] ARM: backtrace-clang: check for NULL lr [2/4] ARM: backtrace-clang: add fixup for lr dereference

Message ID

20200730205112.2099429-2-ndesaulniers@google.com

State

New

Headers

Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org
	designates 23.128.96.18 as permitted sender)
	client-ip=23.128.96.18; 
Date: Thu, 30 Jul 2020 13:51:09 -0700
In-Reply-To: <20200730205112.2099429-1-ndesaulniers@google.com>
Message-Id: <20200730205112.2099429-2-ndesaulniers@google.com>
Mime-Version: 1.0
References: <20200730205112.2099429-1-ndesaulniers@google.com>
Subject: [PATCH 1/4] ARM: backtrace-clang: check for NULL lr
From: Nick Desaulniers <ndesaulniers@google.com>
To: Nathan Huckleberry <nhuck15@gmail.com>,
	Russell King <linux@armlinux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Chunyan Zhang <zhang.lyra@gmail.com>, clang-built-linux@googlegroups.com,
	Dmitry Safonov <0x7f454c46@gmail.com>,
	linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
	linux-mediatek@lists.infradead.org,
	Lvqiang Huang <lvqiang.huang@unisoc.com>,
	Matthias Brugger <matthias.bgg@gmail.com>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Miles Chen <miles.chen@mediatek.com>, stable@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: stable-owner@vger.kernel.org
Precedence: bulk

Series

[1/4] ARM: backtrace-clang: check for NULL lr | expand

Commit Message

Nick Desaulniers July 30, 2020, 8:51 p.m. UTC

If the link register was zeroed out, do not attempt to use it for
address calculations for which there are currently no fixup handlers,
which can lead to a panic during unwind. Since panicking triggers
another unwind, this can lead to an infinite loop.  If this occurs
during start_kernel(), this can prevent a kernel from booting.

commit 59b6359dd92d ("ARM: 8702/1: head-common.S: Clear lr before jumping to start_kernel()")
intentionally zeros out the link register in __mmap_switched which tail
calls into start kernel. Test for this condition so that we can stop
unwinding when initiated within start_kernel() correctly.

Cc: stable@vger.kernel.org
Fixes: commit 6dc5fd93b2f1 ("ARM: 8900/1: UNWINDER_FRAME_POINTER implementation for Clang")
Reported-by: Miles Chen <miles.chen@mediatek.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>

---
 arch/arm/lib/backtrace-clang.S | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.28.0.163.g6104cc2f0b6-goog

Comments

Nathan Huckleberry Aug. 7, 2020, 6:07 p.m. UTC | #1

On Thu, Jul 30, 2020 at 3:51 PM Nick Desaulniers
<ndesaulniers@google.com> wrote:
>

> If the link register was zeroed out, do not attempt to use it for

> address calculations for which there are currently no fixup handlers,

> which can lead to a panic during unwind. Since panicking triggers

> another unwind, this can lead to an infinite loop.  If this occurs

> during start_kernel(), this can prevent a kernel from booting.

>

> commit 59b6359dd92d ("ARM: 8702/1: head-common.S: Clear lr before jumping to start_kernel()")

> intentionally zeros out the link register in __mmap_switched which tail

> calls into start kernel. Test for this condition so that we can stop

> unwinding when initiated within start_kernel() correctly.

>

> Cc: stable@vger.kernel.org

> Fixes: commit 6dc5fd93b2f1 ("ARM: 8900/1: UNWINDER_FRAME_POINTER implementation for Clang")

> Reported-by: Miles Chen <miles.chen@mediatek.com>

> Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>

> ---

>  arch/arm/lib/backtrace-clang.S | 2 ++

>  1 file changed, 2 insertions(+)

>

> diff --git a/arch/arm/lib/backtrace-clang.S b/arch/arm/lib/backtrace-clang.S

> index 6174c45f53a5..5388ac664c12 100644

> --- a/arch/arm/lib/backtrace-clang.S

> +++ b/arch/arm/lib/backtrace-clang.S

> @@ -144,6 +144,8 @@ for_each_frame:     tst     frame, mask             @ Check for address exceptions

>   */

>  1003:          ldr     sv_lr, [sv_fp, #4]      @ get saved lr from next frame

>

> +               tst     sv_lr, #0               @ If there's no previous lr,

> +               beq     finished_setup          @ we're done.

>                 ldr     r0, [sv_lr, #-4]        @ get call instruction

>                 ldr     r3, .Lopcode+4

>                 and     r2, r3, r0              @ is this a bl call

> --

> 2.28.0.163.g6104cc2f0b6-goog

>


Reviewed-by: Nathan Huckleberry <nhuck15@gmail.com>

diff --git a/arch/arm/lib/backtrace-clang.S b/arch/arm/lib/backtrace-clang.S
index 6174c45f53a5..5388ac664c12 100644
--- a/arch/arm/lib/backtrace-clang.S
+++ b/arch/arm/lib/backtrace-clang.S
@@ -144,6 +144,8 @@  for_each_frame:	tst	frame, mask		@ Check for address exceptions
  */
 1003:		ldr	sv_lr, [sv_fp, #4]	@ get saved lr from next frame
 
+		tst	sv_lr, #0		@ If there's no previous lr,
+		beq	finished_setup		@ we're done.
 		ldr	r0, [sv_lr, #-4]	@ get call instruction
 		ldr	r3, .Lopcode+4
 		and	r2, r3, r0		@ is this a bl call

[1/4] ARM: backtrace-clang: check for NULL lr

Commit Message

Comments

Patch