[PATCH 1/1] x86: dumpstack: take stack reference before accessing it

[Maninder Singh]

with THREAD_INFO_IN_TASK, stack of task can be
freed earlier than task (even if task's reference is taken),
and it needs separate reference with try_get_task_stack()
before using the stack.

Added a dummy code to save task_struct to reproduce the race in kernel:

$ sleep 10 &
$ take reference of sleep in kernel code in parallel

       rcu_read_lock();
       for_each_process(p) {
               if (!strcmp(p->comm, "sleep")) {
                       check_task = p;
                       get_task_struct(check_task);
               }
       }
       rcu_read_unlock();

// in mean time here sleep binary will be exited,
now call show_stack for it.

       show_stack(check_task,  NULL, KERN_EMERG);

//OOPs here

[   49.887151] BUG: unable to handle page fault for address: ffffb57400213de8
...
[   49.889329] CPU: 0 UID: 0 PID: 68 Comm: cat Not tainted 7.0.0-rc2-next-20260302-00003-gb7e059f3a5ae-dirty #49 PREEMPT(lazy)
[   49.889789] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   49.890204] RIP: 0010:__unwind_start+0x118/0x1c0
....
[   49.893485] Call Trace:
[   49.893700]  <TASK>
[   49.893810]  __show_trace_log_lvl+0x31f/0x360
[   49.893988]  ? mas_store_prealloc+0x99/0x2c0
[   49.894169]  meminfo_proc_show+0xdd/0x9a0
[   49.894312]  ? seq_open+0x3b/0x60
[   49.894435]  ? __pfx_meminfo_proc_show+0x10/0x10
[   49.894568]  ? file_ra_state_init+0x10/0x30
[   49.894731]  ? __pte_offset_map+0x16/0xd0
[   49.894871]  ? seq_read_iter+0x38e/0x4b0
[   49.895004]  seq_read_iter+0x109/0x4b0
[   49.895125]  copy_splice_read+0x18f/0x330
[   49.895272]  splice_direct_to_actor+0xb4/0x250

Thus taking reference of task's stack before accessing it in
show_stack() similar to get_wchan() and stack_trace_save_tsk().

Fixes: 68f24b08ee89 ("sched/core: Free the stack early if CONFIG_THREAD_INFO_IN_TASK")
Signed-off-by: Maninder Singh <maninder1.s@xxxxxxxxxxx>
---
original discussion for sending this patch for comment: https://lkml.org/lkml/2026/3/5/299

 arch/x86/kernel/dumpstack.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
index b10684dedc58..3d44db836cd3 100644
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -190,6 +190,9 @@ static void __show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
 	int graph_idx = 0;
 	bool partial = false;
 
+	if (!try_get_task_stack(task))
+		return;
+
 	printk("%sCall Trace:\n", log_lvl);
 
 	unwind_start(&state, task, regs, stack);
@@ -301,6 +304,8 @@ static void __show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
 		if (stack_name)
 			printk("%s </%s>\n", log_lvl, stack_name);
 	}
+
+	put_task_stack(task);
 }
 
 static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
-- 
2.34.1