From: Greg Kroah-Hartman Date: Sat, 12 Oct 2019 09:05:12 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.197~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c33137da78710b9ac8f6462daccf20de20137948;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: panic-ensure-preemption-is-disabled-during-panic.patch --- diff --git a/queue-4.4/panic-ensure-preemption-is-disabled-during-panic.patch b/queue-4.4/panic-ensure-preemption-is-disabled-during-panic.patch new file mode 100644 index 00000000000..320ea274d0d --- /dev/null +++ b/queue-4.4/panic-ensure-preemption-is-disabled-during-panic.patch 
@@ -0,0 +1,82 @@ +From 20bb759a66be52cf4a9ddd17fddaf509e11490cd Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Sun, 6 Oct 2019 17:58:00 -0700 +Subject: panic: ensure preemption is disabled during panic() + +From: Will Deacon + +commit 20bb759a66be52cf4a9ddd17fddaf509e11490cd upstream. + +Calling 'panic()' on a kernel with CONFIG_PREEMPT=y can leave the +calling CPU in an infinite loop, but with interrupts and preemption +enabled. From this state, userspace can continue to be scheduled, +despite the system being "dead" as far as the kernel is concerned. + +This is easily reproducible on arm64 when booting with "nosmp" on the +command line; a couple of shell scripts print out a periodic "Ping" +message whilst another triggers a crash by writing to +/proc/sysrq-trigger: + + | sysrq: Trigger a crash + | Kernel panic - not syncing: sysrq triggered crash + | CPU: 0 PID: 1 Comm: init Not tainted 5.2.15 #1 + | Hardware name: linux,dummy-virt (DT) + | Call trace: + | dump_backtrace+0x0/0x148 + | show_stack+0x14/0x20 + | dump_stack+0xa0/0xc4 + | panic+0x140/0x32c + | sysrq_handle_reboot+0x0/0x20 + | __handle_sysrq+0x124/0x190 + | write_sysrq_trigger+0x64/0x88 + | proc_reg_write+0x60/0xa8 + | __vfs_write+0x18/0x40 + | vfs_write+0xa4/0x1b8 + | ksys_write+0x64/0xf0 + | __arm64_sys_write+0x14/0x20 + | el0_svc_common.constprop.0+0xb0/0x168 + | el0_svc_handler+0x28/0x78 + | el0_svc+0x8/0xc + | Kernel Offset: disabled + | CPU features: 0x0002,24002004 + | Memory Limit: none + | ---[ end Kernel panic - not syncing: sysrq triggered crash ]--- + | Ping 2! + | Ping 1! + | Ping 1! + | Ping 2! + +The issue can also be triggered on x86 kernels if CONFIG_SMP=n, +otherwise local interrupts are disabled in 'smp_send_stop()'. + +Disable preemption in 'panic()' before re-enabling interrupts. 
+ +Link: http://lkml.kernel.org/r/20191002123538.22609-1-will@kernel.org +Link: https://lore.kernel.org/r/BX1W47JXPMR8.58IYW53H6M5N@dragonstone +Signed-off-by: Will Deacon +Reported-by: Xogium +Reviewed-by: Kees Cook +Cc: Russell King +Cc: Greg Kroah-Hartman +Cc: Ingo Molnar +Cc: Petr Mladek +Cc: Feng Tang +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/panic.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/panic.c ++++ b/kernel/panic.c +@@ -84,6 +84,7 @@ void panic(const char *fmt, ...) + * after the panic_lock is acquired) from invoking panic again. + */ + local_irq_disable(); ++ preempt_disable_notrace(); + + /* + * It's possible to come here directly from a panic-assertion and diff --git a/queue-4.4/series b/queue-4.4/series index dec4b91e2e8..5d8c130ed84 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -27,3 +27,4 @@ cfg80211-add-and-use-strongly-typed-element-iteration-macros.patch cfg80211-use-const-more-consistently-in-for_each_element-macros.patch nl80211-validate-beacon-head.patch asoc-sgtl5000-improve-vag-power-and-mute-control.patch +panic-ensure-preemption-is-disabled-during-panic.patch
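Review bot: the new `preempt_disable_notrace();` in the kernel/panic.c hunk lands directly under `local_irq_disable();`, but the comment block that precedes both calls only explains the interrupt disable ("... from invoking panic again"), so a reader of the resulting code gets no hint why preemption is also turned off here, why the `_notrace` variant is used, or why there is deliberately no matching `preempt_enable()`. The commit message carries the reasoning (interrupts are re-enabled later in panic(), and with CONFIG_PREEMPT=y the dead CPU can then be preempted and keep scheduling userspace), so I would lift one line of it into the source, e.g. a comment above the new call along the lines of "keep preemption off so the CPU cannot be rescheduled once interrupts are re-enabled below; panic() never returns, so this is intentionally unbalanced". The logic itself looks right for the bug described: the call sits before the later re-enable of interrupts, which is exactly where the message says it has to go.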