On Wed, Oct 02, 2019 at 01:35:38PM +0100, Will Deacon wrote:
> Calling 'panic()' on a kernel with CONFIG_PREEMPT=y can leave the
> calling CPU in an infinite loop, but with interrupts and preemption
> enabled. From this state, userspace can continue to be scheduled,
> despite the system being "dead" as far as the kernel is concerned. This
> is easily reproducible on arm64 when booting with "nosmp" on the command
> line; a couple of shell scripts print out a periodic "Ping" message
> whilst another triggers a crash by writing to /proc/sysrq-trigger:
>
> | sysrq: Trigger a crash
> | Kernel panic - not syncing: sysrq triggered crash
> | CPU: 0 PID: 1 Comm: init Not tainted 5.2.15 #1
> | Hardware name: linux,dummy-virt (DT)
> | Call trace:
> | dump_backtrace+0x0/0x148
> | show_stack+0x14/0x20
> | dump_stack+0xa0/0xc4
> | panic+0x140/0x32c
> | sysrq_handle_reboot+0x0/0x20
> | __handle_sysrq+0x124/0x190
> | write_sysrq_trigger+0x64/0x88
> | proc_reg_write+0x60/0xa8
> | __vfs_write+0x18/0x40
> | vfs_write+0xa4/0x1b8
> | ksys_write+0x64/0xf0
> | __arm64_sys_write+0x14/0x20
> | el0_svc_common.constprop.0+0xb0/0x168
> | el0_svc_handler+0x28/0x78
> | el0_svc+0x8/0xc
> | Kernel Offset: disabled
> | CPU features: 0x0002,24002004
> | Memory Limit: none
> | ---[ end Kernel panic - not syncing: sysrq triggered crash ]---
> | Ping 2!
> | Ping 1!
> | Ping 1!
> | Ping 2!
>
> The issue can also be triggered on x86 kernels if CONFIG_SMP=n, otherwise
> local interrupts are disabled in 'smp_send_stop()'.
>
> Disable preemption in 'panic()' before re-enabling interrupts.
Is this perhaps the correct solution for what commit c39ea0b9dd24 ("panic:
avoid the extra noise dmesg") was trying to fix?
Either way:
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
-Kees
>
> Cc: Russell King <linux@xxxxxxxxxxxxxxx>
> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Cc: Ingo Molnar <mingo@xxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Link: https://lore.kernel.org/r/BX1W47JXPMR8.58IYW53H6M5N@dragonstone
> Reported-by: Xogium <contact@xxxxxxxxx>
> Signed-off-by: Will Deacon <will@xxxxxxxxxx>
> ---
> kernel/panic.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/kernel/panic.c b/kernel/panic.c
> index 47e8ebccc22b..f470a038b05b 100644
> --- a/kernel/panic.c
> +++ b/kernel/panic.c
> @@ -180,6 +180,7 @@ void panic(const char *fmt, ...)
> * after setting panic_cpu) from invoking panic() again.
> */
> local_irq_disable();
> + preempt_disable_notrace();
>
> /*
> * It's possible to come here directly from a panic-assertion and
> --
> 2.23.0.444.g18eeb5a265-goog
>
--
Kees Cook
