From owner-svn-src-head@FreeBSD.ORG Mon Mar 30 03:55:53 2015 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0589DC7; Mon, 30 Mar 2015 03:55:53 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E42D4947; Mon, 30 Mar 2015 03:55:52 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t2U3tqeu026385; Mon, 30 Mar 2015 03:55:52 GMT (envelope-from markj@FreeBSD.org) Received: (from markj@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t2U3tqo2026383; Mon, 30 Mar 2015 03:55:52 GMT (envelope-from markj@FreeBSD.org) Message-Id: <201503300355.t2U3tqo2026383@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: markj set sender to markj@FreeBSD.org using -f From: Mark Johnston Date: Mon, 30 Mar 2015 03:55:52 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r280834 - in head/sys/cddl/dev/dtrace: amd64 i386 X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Mar 2015 03:55:53 -0000 Author: markj Date: Mon Mar 30 03:55:51 2015 New Revision: 280834 URL: https://svnweb.freebsd.org/changeset/base/280834 Log: Import a missing piece of commit b8fac8e162eda7e98d from illumos-gate. This adds an upper bound, dtrace_ustackdepth_max, to the number of frames traversed when computing the userland stack depth. Some programs - notably firefox - are otherwise able to trigger an infinite loop in dtrace_getustack_common(), causing a panic. MFC after: 1 week Modified: head/sys/cddl/dev/dtrace/amd64/dtrace_isa.c head/sys/cddl/dev/dtrace/i386/dtrace_isa.c Modified: head/sys/cddl/dev/dtrace/amd64/dtrace_isa.c ============================================================================== --- head/sys/cddl/dev/dtrace/amd64/dtrace_isa.c Sun Mar 29 22:46:07 2015 (r280833) +++ head/sys/cddl/dev/dtrace/amd64/dtrace_isa.c Mon Mar 30 03:55:51 2015 (r280834) @@ -49,6 +49,8 @@ uint16_t dtrace_fuword16_nocheck(void *) uint32_t dtrace_fuword32_nocheck(void *); uint64_t dtrace_fuword64_nocheck(void *); +int dtrace_ustackdepth_max = 2048; + void dtrace_getpcstack(pc_t *pcstack, int pcstack_limit, int aframes, uint32_t *intrpc) @@ -102,14 +104,25 @@ static int dtrace_getustack_common(uint64_t *pcstack, int pcstack_limit, uintptr_t pc, uintptr_t sp) { + uintptr_t oldsp; volatile uint16_t *flags = (volatile uint16_t *)&cpu_core[curcpu].cpuc_dtrace_flags; int ret = 0; ASSERT(pcstack == NULL || pcstack_limit > 0); + ASSERT(dtrace_ustackdepth_max > 0); while (pc != 0) { - ret++; + /* + * We limit the number of times we can go around this + * loop to account for a circular stack. + */ + if (ret++ >= dtrace_ustackdepth_max) { + *flags |= CPU_DTRACE_BADSTACK; + cpu_core[curcpu].cpuc_dtrace_illval = sp; + break; + } + if (pcstack != NULL) { *pcstack++ = (uint64_t)pc; pcstack_limit--; @@ -120,10 +133,18 @@ dtrace_getustack_common(uint64_t *pcstac if (sp == 0) break; + oldsp = sp; + pc = dtrace_fuword64((void *)(sp + offsetof(struct amd64_frame, f_retaddr))); sp = dtrace_fuword64((void *)sp); + if (sp == oldsp) { + *flags |= CPU_DTRACE_BADSTACK; + cpu_core[curcpu].cpuc_dtrace_illval = sp; + break; + } + /* * This is totally bogus: if we faulted, we're going to clear * the fault and break. This is to deal with the apparently Modified: head/sys/cddl/dev/dtrace/i386/dtrace_isa.c ============================================================================== --- head/sys/cddl/dev/dtrace/i386/dtrace_isa.c Sun Mar 29 22:46:07 2015 (r280833) +++ head/sys/cddl/dev/dtrace/i386/dtrace_isa.c Mon Mar 30 03:55:51 2015 (r280834) @@ -55,6 +55,8 @@ uint16_t dtrace_fuword16_nocheck(void *) uint32_t dtrace_fuword32_nocheck(void *); uint64_t dtrace_fuword64_nocheck(void *); +int dtrace_ustackdepth_max = 2048; + void dtrace_getpcstack(pc_t *pcstack, int pcstack_limit, int aframes, uint32_t *intrpc) @@ -113,11 +115,13 @@ dtrace_getustack_common(uint64_t *pcstac uintptr_t oldcontext = lwp->lwp_oldcontext; /* XXX signal stack. */ size_t s1, s2; #endif + uintptr_t oldsp; volatile uint16_t *flags = (volatile uint16_t *)&cpu_core[curcpu].cpuc_dtrace_flags; int ret = 0; ASSERT(pcstack == NULL || pcstack_limit > 0); + ASSERT(dtrace_ustackdepth_max > 0); #ifdef notyet /* XXX signal stack. */ if (p->p_model == DATAMODEL_NATIVE) { @@ -130,7 +134,16 @@ dtrace_getustack_common(uint64_t *pcstac #endif while (pc != 0) { - ret++; + /* + * We limit the number of times we can go around this + * loop to account for a circular stack. + */ + if (ret++ >= dtrace_ustackdepth_max) { + *flags |= CPU_DTRACE_BADSTACK; + cpu_core[curcpu].cpuc_dtrace_illval = sp; + break; + } + if (pcstack != NULL) { *pcstack++ = (uint64_t)pc; pcstack_limit--; @@ -141,6 +154,8 @@ dtrace_getustack_common(uint64_t *pcstac if (sp == 0) break; + oldsp = sp; + #ifdef notyet /* XXX signal stack. */ if (oldcontext == sp + s1 || oldcontext == sp + s2) { if (p->p_model == DATAMODEL_NATIVE) { @@ -179,6 +194,12 @@ dtrace_getustack_common(uint64_t *pcstac sp = dtrace_fuword32((void *)sp); #endif /* ! notyet */ + if (sp == oldsp) { + *flags |= CPU_DTRACE_BADSTACK; + cpu_core[curcpu].cpuc_dtrace_illval = sp; + break; + } + /* * This is totally bogus: if we faulted, we're going to clear * the fault and break. This is to deal with the apparently