RE: [PATCH] ARM: check __ex_table in do_bad()

From: 黄吕强 (Lvqiang Huang)
Date: Thu Nov 07 2019 - 10:32:17 EST


Hi Russell,
Thanks a lot for the reply!

UN means TASK_INTERRUPTIBLE.

Task A found that Task B was in TASK_INTERRUPTIBLE.
But just while trying to get the backtrace of Task B, Task B changed to TASK_RUNNING.

Task B pushes and pops on its stack while executing, so the stack context of Task B changed a lot.
But Task A calculated and popped a value as sv_fp of Task B.
1002: ldr sv_fp, [frame, #-12] @ get saved fp

But, since Task B had become TASK_RUNNING, the sv_fp Task A got can be any value changed by the execution of Task B.
It can be an accessible user-space address in Task A's address space.

If we enable the CONFIG_ARM_UNWIND, the crash is gone.

-----Original Message-----
From: Russell King - ARM Linux admin [mailto:linux@xxxxxxxxxxxxxxx]
Sent: Thursday, November 07, 2019 5:24 PM
To: 黄吕强 (Lvqiang Huang)
Cc: ebiederm@xxxxxxxxxxxx; dave.hansen@xxxxxxxxxxxxxxx; anshuman.khandual@xxxxxxx; akpm@xxxxxxxxxxxxxxxxxxxx; f.fainelli@xxxxxxxxx; will@xxxxxxxxxx; tglx@xxxxxxxxxxxxx; linux-arm-kernel@xxxxxxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
Subject: Re: [PATCH] ARM: check __ex_table in do_bad()

On Thu, Nov 07, 2019 at 03:45:13PM +0800, Lvqiang wrote:
>
> We got many crashes in for_each_frame+0x18 arch/arm/lib/backtrace.S
> 1003: ldr r2, [sv_pc, #-4]
>
> The backtrace is
> dump_backtrace
> show_stack
> sched_show_task
> show_state_filter
> sysrq_handle_showstate_blocked
> __handle_sysrq
> write_sysrq_trigger
> proc_reg_write
> __vfs_write
> vfs_write
> sys_write
>
> Related Kernel config
> CONFIG_CPU_SW_DOMAIN_PAN=y
> # CONFIG_ARM_UNWIND is not set
> CONFIG_FRAME_POINTER=y
>
> The task A was dumping the stack of an UN task B. However, the task B

What is "an UN task B"?

> scheduled to run on another CPU, which caused its stack content to change.
> Then, task A may hit a page domain fault and die().
> [520.661314] Unhandled fault: page domain fault (0x01b) at 0x32848c02

So, the backtrace code is trying to access userspace. It isn't supposed to be accessing userspace - there are no guarantees that userspace will be using frame pointers. That is the bug.

--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTC broadband for 0.8mile line in suburbia: sync at 12.1Mbps down 622kbps up
According to speedtest.net: 11.9Mbps down 500kbps up

