ARM: backtrace-clang: avoid crash on bogus frame pointer

The Clang backtrace code dereferences the link register value pulled from the stack to decide whether the caller was a branch-and-link instruction, in order to subsequently decode the offset to find the start of the calling function. Unlike other loads in this routine, this one is not protected by a fixup, and may therefore cause a crash if the address in question is bogus. So let's fix this, by treating the fault as a failure to decode the 'bl' instruction. To avoid a label renum, reuse a fixup label that guards an instruction that cannot fault to begin with. Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Tested-by: Marc Zyngier <maz@kernel.org> Tested-by: Vladimir Murzin <vladimir.murzin@arm.com> # ARMv7M
2021-10-15 16:27:09 +02:00 · 2021-10-15 16:27:09 +02:00 · eae9523fdd
--- a/arch/arm/lib/backtrace-clang.S
+++ b/arch/arm/lib/backtrace-clang.S
@ -144,7 +144,7 @@ for_each_frame:	tst	frame, mask		@ Check for address exceptions
 */
 1003:		ldr	sv_lr, [sv_fp, #4]	@ get saved lr from next frame

-		ldr	r0, [sv_lr, #-4]	@ get call instruction
+1004:		ldr	r0, [sv_lr, #-4]	@ get call instruction
 		ldr	r3, .Lopcode+4
 		and	r2, r3, r0		@ is this a bl call
 		teq	r2, r3
@ -164,7 +164,7 @@ finished_setup:
 /*
 * Print the function (sv_pc) and where it was called from (sv_lr).
 */
-1004:		mov	r0, sv_pc
+		mov	r0, sv_pc

 		mov	r1, sv_lr
 		mov	r2, frame
@ -210,7 +210,7 @@ ENDPROC(c_backtrace)
 		.long	1001b, 1006b
 		.long	1002b, 1006b
 		.long	1003b, 1006b
-		.long	1004b, 1006b
+		.long	1004b, finished_setup
 		.long   1005b, 1006b
 		.popsection