RE: [PATCH 1/1] x86: dumpstack: take stack reference before accessing it

[Maninder Singh]

ping!  Any inputs to this, if it is an actual issue or not ?

> --------- Original Message ---------
> Sender : Maninder Singh <maninder1.s@xxxxxxxxxxx>
> Date   : 2026-03-11 10:51 (GMT+5:30)
> Title  : [PATCH 1/1] x86: dumpstack: take stack reference before accessing it
> 
> 
> with THREAD_INFO_IN_TASK, stack of task can be
> freed earlier than task (even if task's reference is taken),
> and it needs separate reference with try_get_task_stack()
> before using the stack.
> 
> Added a dummy code to save task_struct to reproduce the race in kernel:
> 
> $ sleep 10 &
> $ take reference of sleep in kernel code in parallel
> 
>        rcu_read_lock();
>        for_each_process(p) {
>                if (!strcmp(p->comm, "sleep")) {
>                        check_task = p;
>                        get_task_struct(check_task);
>                }
>        }
>        rcu_read_unlock();
> 
> // in mean time here sleep binary will be exited,
> now call show_stack for it.
> 
>        show_stack(check_task,  NULL, KERN_EMERG);
> 
> //OOPs here
> 
> [   49.887151] BUG: unable to handle page fault for address: ffffb57400213de8
> ...
> [   49.889329] CPU: 0 UID: 0 PID: 68 Comm: cat Not tainted 7.0.0-rc2-next-20260302-00003-gb7e059f3a5ae-dirty #49 PREEMPT(lazy)
> [   49.889789] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> [   49.890204] RIP: 0010:__unwind_start+0x118/0x1c0
> ....
> [   49.893485] Call Trace:
> [   49.893700]  <TASK>
> [   49.893810]  __show_trace_log_lvl+0x31f/0x360
> [   49.893988]  ? mas_store_prealloc+0x99/0x2c0
> [   49.894169]  meminfo_proc_show+0xdd/0x9a0
> [   49.894312]  ? seq_open+0x3b/0x60
> [   49.894435]  ? __pfx_meminfo_proc_show+0x10/0x10
> [   49.894568]  ? file_ra_state_init+0x10/0x30
> [   49.894731]  ? __pte_offset_map+0x16/0xd0
> [   49.894871]  ? seq_read_iter+0x38e/0x4b0
> [   49.895004]  seq_read_iter+0x109/0x4b0
> [   49.895125]  copy_splice_read+0x18f/0x330
> [   49.895272]  splice_direct_to_actor+0xb4/0x250
> 
> Thus taking reference of task's stack before accessing it in
> show_stack() similar to get_wchan() and stack_trace_save_tsk().
> 
> Fixes: 68f24b08ee89 ("sched/core: Free the stack early if CONFIG_THREAD_INFO_IN_TASK")
> Signed-off-by: Maninder Singh <maninder1.s@xxxxxxxxxxx>
> ---
> original discussion for sending this patch for comment: https://lkml.org/lkml/2026/3/5/299
> 
>  arch/x86/kernel/dumpstack.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
> index b10684dedc58..3d44db836cd3 100644
> --- a/arch/x86/kernel/dumpstack.c
> +++ b/arch/x86/kernel/dumpstack.c
> @@ -190,6 +190,9 @@ static void __show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
>          int graph_idx = 0;
>          bool partial = false;
>  
> +        if (!try_get_task_stack(task))
> +                return;
> +
>          printk("%sCall Trace:\n", log_lvl);
>  
>          unwind_start(&state, task, regs, stack);
> @@ -301,6 +304,8 @@ static void __show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
>                  if (stack_name)
>                          printk("%s </%s>\n", log_lvl, stack_name);
>          }
> +
> +        put_task_stack(task);
>  }
>  
>  static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
> -- 
> 2.34.1