On Sat, Oct 25, 2014 at 2:22 AM, Andy Lutomirski <l...@amacapital.net> wrote: > Is there any good reason not to use vmalloc for x86_64 stacks? > > The tricky bits I've thought of are: > > - On any context switch, we probably need to probe the new stack > before switching to it. That way, if it's going to fault due to an > out-of-sync pgd, we still have a stack available to handle the fault. > > - Any time we change cr3, we may need to check that the pgd > corresponding to rsp is there. If now, we need to sync it over. > > - For simplicity, we probably want all stack ptes to be present all > the time. This is fine; vmalloc already works that way. > > - If we overrun the stack, we double-fault. This should be easy to > detect: any double-fault where rsp is less than 20 bytes from the > bottom of the stack is a failure to deliver a non-IST exception due to > a stack overflow. The question is: what do we do if this happens? > We could just panic (guaranteed to work). We could also try to > recover by killing the offending task, but that might be a bit > challenging, since we're in IST context. We could do something truly > awful: increment RSP by a few hundred bytes, point RIP at do_exit, and > return from the double fault. > > Thoughts? This shouldn't be all that much code.
FWIW, grsecurity has this already. Maybe we can reuse their GRKERNSEC_KSTACKOVERFLOW feature. It allocates the kernel stack using vmalloc() and installs guard pages. -- Thanks, //richard -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
