From: Thomas Weißschuh thomas.weissschuh@linutronix.de
[ Upstream commit e9f4a6b3421e936c3ee9d74710243897d74dbaa2 ]
Not all tasks have an ABI associated or vDSO mapped, for example kthreads never do. If such a task ever ends up calling stack_top(), it will derefence the NULL ABI pointer and crash.
This can for example happen when using kunit:
mips_stack_top+0x28/0xc0 arch_pick_mmap_layout+0x190/0x220 kunit_vm_mmap_init+0xf8/0x138 __kunit_add_resource+0x40/0xa8 kunit_vm_mmap+0x88/0xd8 usercopy_test_init+0xb8/0x240 kunit_try_run_case+0x5c/0x1a8 kunit_generic_run_threadfn_adapter+0x28/0x50 kthread+0x118/0x240 ret_from_kernel_thread+0x14/0x1c
Only dereference the ABI point if it is set.
The GIC page is also included as it is specific to the vDSO. Also move the randomization adjustment into the same conditional.
Signed-off-by: Thomas Weißschuh thomas.weissschuh@linutronix.de Reviewed-by: David Gow davidgow@google.com Reviewed-by: Huacai Chen chenhuacai@loongson.cn Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
Based on my analysis, here's my assessment:
**YES**, this commit should be backported to stable kernel trees.
## Extensive Explanation:
### 1. **Critical NULL Pointer Dereference Fix** The commit fixes a kernel crash caused by NULL pointer dereference in `mips_stack_top()`. The original code unconditionally dereferences `current->thread.abi->vdso->size` at line 694, but kernel threads (kthreads) never have an ABI structure associated with them, leading to `current->thread.abi` being NULL.
### 2. **Real-World Impact** The crash is triggered by legitimate kernel functionality introduced in June 2024 (commit 51104c19d857 added kunit_vm_mmap). The stack trace shows this happens when kunit tests run, specifically during `kunit_vm_mmap_init()` which calls `arch_pick_mmap_layout()`, eventually reaching `mips_stack_top()`. This affects any MIPS system running kernel unit tests, which is increasingly common for kernel development and CI/CD pipelines.
### 3. **Clear Bug Fix, Not a Feature** The change is purely defensive - it adds a NULL check before dereferencing the ABI pointer: ```c if (current->thread.abi) { top -= PAGE_ALIGN(current->thread.abi->vdso->size); top -= PAGE_SIZE; top -= mips_gic_present() ? PAGE_SIZE : 0; /* Space to randomize the VDSO base */ if (current->flags & PF_RANDOMIZE) top -= VDSO_RANDOMIZE_SIZE; } ```
### 4. **Small and Contained Change** The fix is minimal - only 9 lines added and 7 removed in a single function. It doesn't change any architecture, APIs, or behavior for normal processes that have an ABI. It only prevents crashes for kernel threads that legitimately don't have vDSO mappings.
### 5. **Pattern of Similar Fixes** The LoongArch architecture had an identical fix (commit 134475a9ab84) for the same issue in October 2024. This shows it's a real problem affecting multiple architectures when kernel threads interact with memory mapping code that assumes userspace context.
### 6. **Low Risk of Regression** The change is conservative - it only affects code paths where `current->thread.abi` is NULL, which would have crashed before. For all normal userspace tasks with valid ABI structures, the behavior remains unchanged. The GIC page handling and randomization are correctly moved inside the conditional since they're vDSO-specific.
### 7. **Affects Stable Kernels** Since kunit_vm_mmap was introduced in kernel 6.10 (June 2024), any MIPS stable kernel from 6.10 onwards that includes kunit functionality is vulnerable to this crash. The bug has existed since mips_stack_top() was introduced in 2018 (commit ea7e0480a4b69) but was only exposed when kunit started using vm_mmap in kernel threads.
### 8. **Meets Stable Criteria** According to stable kernel rules: - ✓ Fixes a real bug (kernel crash) - ✓ Small change (16 lines diff) - ✓ Already in mainline (merged July 2025) - ✓ No new features added - ✓ Minimal risk of introducing new issues
The commit should be backported to stable kernels 6.10 and later where kunit_vm_mmap exists and can trigger this crash on MIPS systems.
arch/mips/kernel/process.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c index b630604c577f..02aa6a04a21d 100644 --- a/arch/mips/kernel/process.c +++ b/arch/mips/kernel/process.c @@ -690,18 +690,20 @@ unsigned long mips_stack_top(void) }
/* Space for the VDSO, data page & GIC user page */ - top -= PAGE_ALIGN(current->thread.abi->vdso->size); - top -= PAGE_SIZE; - top -= mips_gic_present() ? PAGE_SIZE : 0; + if (current->thread.abi) { + top -= PAGE_ALIGN(current->thread.abi->vdso->size); + top -= PAGE_SIZE; + top -= mips_gic_present() ? PAGE_SIZE : 0; + + /* Space to randomize the VDSO base */ + if (current->flags & PF_RANDOMIZE) + top -= VDSO_RANDOMIZE_SIZE; + }
/* Space for cache colour alignment */ if (cpu_has_dc_aliases) top -= shm_align_mask + 1;
- /* Space to randomize the VDSO base */ - if (current->flags & PF_RANDOMIZE) - top -= VDSO_RANDOMIZE_SIZE; - return top; }