From: Jiakai Xu
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org
Cc: Albert Ou, Alexandre Ghiti, Chunyan Zhang, Jiakai Xu, Matthew Bystrin, Palmer Dabbelt, Paul Walmsley, Samuel Holland
Subject: [PATCH v2] riscv: stacktrace: fix stack-out-of-bounds in walk_stackframe()
Date: Sun, 17 May 2026 14:37:04 +0000
Message-Id: <20260517143704.659416-1-xujiakai2025@iscas.ac.cn>

The fp_is_valid() function uses ALIGN(sp, THREAD_SIZE) as the upper bound for the frame pointer check.
This bound is calculated relative to the current sp and shifts upward when sp itself exceeds the valid stack region, allowing the unwinder to read past the end of the allocated task stack and triggering KASAN stack-out-of-bounds.

Fix this by using the absolute task stack boundary (task_pt_regs(task)) instead. This ensures that once the frame pointer walks past the actual end of the stack, the check consistently fails and the unwinding terminates.

Fixes: a2a4d4a6a0bf ("riscv: stacktrace: fixed walk_stackframe()")
Signed-off-by: Jiakai Xu
Assisted-by: OpenClaw:DeepSeek-V3.2
Reviewed-by: Matthew Bystrin
---
V1 -> V2:
- Moved the NULL task check from fp_is_valid() into walk_stackframe(), as suggested by Matthew Bystrin.
- Changed the upper bound from task_stack_page(task) + THREAD_SIZE to task_pt_regs(task) for a tighter boundary, as suggested by Matthew Bystrin.
---
 arch/riscv/kernel/stacktrace.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c index b41b6255751c..6ce3465bec2c 100644 --- a/arch/riscv/kernel/stacktrace.c +++ b/arch/riscv/kernel/stacktrace.c @@ -35,12 +35,12 @@ extern asmlinkage void handle_exception(void); extern unsigned long ret_from_exception_end; =20 -static inline int fp_is_valid(unsigned long fp, unsigned long sp) +static inline int fp_is_valid(unsigned long fp, unsigned long sp, + unsigned long high) { - unsigned long low, high; + unsigned long low; =20 low =3D sp + sizeof(struct stackframe); - high =3D ALIGN(sp, THREAD_SIZE); =20 return !(fp < low || fp > high || fp & 0x07); } @@ -48,7 +48,7 @@ static inline int fp_is_valid(unsigned long fp, unsigned = long sp) void notrace walk_stackframe(struct task_struct *task, struct pt_regs *reg= s, bool (*fn)(void *, unsigned long), void *arg) { - unsigned long fp, sp, pc; + unsigned long fp, sp, pc, high; int graph_idx =3D 0; int level =3D 0; =20
@@ -68,19 +68,24 @@ void notrace walk_stackframe(struct task_struct *task, = struct pt_regs *regs, pc =3D task->thread.ra; } =20 + if (!task) + task =3D current; + + high =3D (unsigned long)task_pt_regs(task); + for (;;) { struct stackframe *frame; =20 if (unlikely(!__kernel_text_address(pc) || (level++ >=3D 0 && !fn(arg, p= c)))) break; =20 - if (unlikely(!fp_is_valid(fp, sp))) + if (unlikely(!fp_is_valid(fp, sp, high))) break; =20 /* Unwind stack frame */ frame =3D (struct stackframe *)fp - 1; sp =3D fp; - if (regs && (regs->epc =3D=3D pc) && fp_is_valid(frame->ra, sp)) { + if (regs && (regs->epc =3D=3D pc) && fp_is_valid(frame->ra, sp, high)) { /* We hit function where ra is not saved on the stack */ fp =3D frame->ra; pc =3D regs->ra; --=20 2.34.1
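Review bot: in the first hunk (@@ -35,12 +35,12 @@) fp_is_valid() gains a `high` parameter but nothing in the hunk says what it denotes, and the check keeps `fp > high`, so a frame pointer equal to `high` is still accepted; a one-line comment on the parameter stating that `high` is the address of the task's saved pt_regs, i.e. the top of the usable kernel stack, and that `fp == high` is the legitimate outermost frame, would make both the meaning and the inclusive upper bound reviewable. Worth noting in the same comment: `low = sp + sizeof(struct stackframe)` is still derived from sp, so once sp itself lies above `high` we get `low > high` and every fp fails `fp < low || fp > high`, which is the termination the commit message relies on.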
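Review bot: in the third hunk (@@ -68,19 +68,24 @@) `high = (unsigned long)task_pt_regs(task)` ties the upper bound to the task's own kernel stack, whereas the removed `ALIGN(sp, THREAD_SIZE)` bounded whichever THREAD_SIZE-aligned stack sp was currently on. When walk_stackframe() runs while sp is on a separate stack (the per-CPU IRQ stack when CONFIG_IRQ_STACKS is enabled), the fp chain is not inside the task stack at all: frames located above task_pt_regs(task) are rejected on the first iteration and the trace is truncated, while frames located below it are no longer stopped at the true top of that stack. Please either state in the commit message how that case is handled, or derive `high` from the stack that sp actually points into rather than from the task unconditionally. Minor: `if (!task) task = current;` lands after the fp/sp/pc selection in the context above the hunk, which is only correct because that earlier code already treats a NULL task as current; a short comment saying so would save the next reader from checking.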