From: Greg Kroah-Hartman Date: Sat, 12 Oct 2019 09:09:07 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.197~56 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=82a1c68c02947d202fd77fa0ed17f5a5f69299e4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: panic-ensure-preemption-is-disabled-during-panic.patch --- diff --git a/queue-4.14/panic-ensure-preemption-is-disabled-during-panic.patch b/queue-4.14/panic-ensure-preemption-is-disabled-during-panic.patch new file mode 100644 index 00000000000..15e6f76f600 --- /dev/null +++ b/queue-4.14/panic-ensure-preemption-is-disabled-during-panic.patch 
@@ -0,0 +1,82 @@ +From 20bb759a66be52cf4a9ddd17fddaf509e11490cd Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Sun, 6 Oct 2019 17:58:00 -0700 +Subject: panic: ensure preemption is disabled during panic() + +From: Will Deacon + +commit 20bb759a66be52cf4a9ddd17fddaf509e11490cd upstream. + +Calling 'panic()' on a kernel with CONFIG_PREEMPT=y can leave the +calling CPU in an infinite loop, but with interrupts and preemption +enabled. From this state, userspace can continue to be scheduled, +despite the system being "dead" as far as the kernel is concerned. + +This is easily reproducible on arm64 when booting with "nosmp" on the +command line; a couple of shell scripts print out a periodic "Ping" +message whilst another triggers a crash by writing to +/proc/sysrq-trigger: + + | sysrq: Trigger a crash + | Kernel panic - not syncing: sysrq triggered crash + | CPU: 0 PID: 1 Comm: init Not tainted 5.2.15 #1 + | Hardware name: linux,dummy-virt (DT) + | Call trace: + | dump_backtrace+0x0/0x148 + | show_stack+0x14/0x20 + | dump_stack+0xa0/0xc4 + | panic+0x140/0x32c + | sysrq_handle_reboot+0x0/0x20 + | __handle_sysrq+0x124/0x190 + | write_sysrq_trigger+0x64/0x88 + | proc_reg_write+0x60/0xa8 + | __vfs_write+0x18/0x40 + | vfs_write+0xa4/0x1b8 + | ksys_write+0x64/0xf0 + | __arm64_sys_write+0x14/0x20 + | el0_svc_common.constprop.0+0xb0/0x168 + | el0_svc_handler+0x28/0x78 + | el0_svc+0x8/0xc + | Kernel Offset: disabled + | CPU features: 0x0002,24002004 + | Memory Limit: none + | ---[ end Kernel panic - not syncing: sysrq triggered crash ]--- + | Ping 2! + | Ping 1! + | Ping 1! + | Ping 2! + +The issue can also be triggered on x86 kernels if CONFIG_SMP=n, +otherwise local interrupts are disabled in 'smp_send_stop()'. + +Disable preemption in 'panic()' before re-enabling interrupts. 
+ +Link: http://lkml.kernel.org/r/20191002123538.22609-1-will@kernel.org +Link: https://lore.kernel.org/r/BX1W47JXPMR8.58IYW53H6M5N@dragonstone +Signed-off-by: Will Deacon +Reported-by: Xogium +Reviewed-by: Kees Cook +Cc: Russell King +Cc: Greg Kroah-Hartman +Cc: Ingo Molnar +Cc: Petr Mladek +Cc: Feng Tang +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/panic.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/panic.c ++++ b/kernel/panic.c +@@ -146,6 +146,7 @@ void panic(const char *fmt, ...) + * after setting panic_cpu) from invoking panic() again. + */ + local_irq_disable(); ++ preempt_disable_notrace(); + + /* + * It's possible to come here directly from a panic-assertion and diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..5d3c3c5b219 --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1 @@ +panic-ensure-preemption-is-disabled-during-panic.patch diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..5d3c3c5b219 --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1 @@ +panic-ensure-preemption-is-disabled-during-panic.patch diff --git a/queue-5.3/series b/queue-5.3/series new file mode 100644 index 00000000000..5d3c3c5b219 --- /dev/null +++ b/queue-5.3/series @@ -0,0 +1 @@ +panic-ensure-preemption-is-disabled-during-panic.patch
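Review bot: in the kernel/panic.c hunk the added `preempt_disable_notrace();` directly after `local_irq_disable();` has no matching `preempt_enable_notrace()` anywhere in the patch; that imbalance is intentional because panic() never returns, but the visible comment block above it only explains why interrupts are disabled (stopping other CPUs that raced on panic_cpu from calling panic() again), and neither the code nor the commit message says why the `_notrace` variant was chosen over plain `preempt_disable()`. Suggest extending the existing comment, for example `/* Preemption stays disabled: panic() never returns. */`, so the deliberate imbalance and the variant choice are recorded next to the call rather than only in the description. Since the reproduction in the description was done on 5.2.15 and the upstream commit targets a 5.x tree, also confirm the 4.14 context at `@@ -146,6 +146,7 @@` still has `local_irq_disable()` at that position so the backport lands before the loop the description refers to.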
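Review bot: the queue-4.19/series and queue-5.3/series hunks each add an entry for panic-ensure-preemption-is-disabled-during-panic.patch, but this commit only creates queue-4.14/panic-ensure-preemption-is-disabled-during-panic.patch; no queue-4.19 or queue-5.3 copy of the patch file appears in the diff, and the subject line names only 4.14. Either those two series entries belong in the commits that add the corresponding patch files, or the patch files are missing here; as committed, applying the 4.19 or 5.3 queue would fail on a series entry with no patch behind it.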