User: Password:
|
|
Subscribe / Log in / New account

4K stacks for everyone?

4K stacks for everyone?

Posted Sep 9, 2005 1:06 UTC (Fri) by mcelrath (guest, #8094)
Parent article: 4K stacks for everyone?

I noticed the other day while configuring my 2.6.13 kernel that there is now an experimental option to use register arguments for function calls. I imagine this should seriously reduce stack usage. Perhaps a default 4k stack should require register arguments.

But this just begs the question...does the kernel really have no means of detecting or handling stack overflows? That just seems like bad design. Can't the stack be set up so that if it is over-written it will trigger a page fault, and the kernel could handle it? gcc/libc can allocate more stack pages for userspace programs if needed, but why not the kernel?


(Log in to post comments)

VM for device drivers?

Posted Sep 9, 2005 4:36 UTC (Fri) by xoddam (subscriber, #2322) [Link]

> gcc/libc can allocate more stack pages for userspace programs
> if needed, but why not the kernel?

A defining characteristic of kernel-space programming is that
you don't get the benefits of implicit memory protection.
Everything has to be done explicitly by the kernel itself.

It's possible in principle to give kernel-space tasks virtual
memory support, but it would open a big can of worms. If
you want deep recursion, do it in userspace.

As things stand the kernel-space page map is never changed
implicitly, and rarely explicitly. The prospect of giving
kernel tasks their own vm maps with holes to fit new pages
which are to be faulted in (from where?) when the stack
overflows is nightmarish! Performance and maintainability
are much, much more important than a growable stack.

If stack usage in kernel space isn't demonstrably finite
then the code is broken. The best solution is explicit
management of the resources (eg. using a queue) so that
the stack size ceases to be an issue.

VM for device drivers?

Posted Sep 11, 2005 1:14 UTC (Sun) by giraffedata (subscriber, #1954) [Link]

The kernel uses virtual memory address translation today, and that's all that's required to do this kind of stack overflow protection. Make the stack one page and the page immediately after it invalid. A process tries to overflow the stack, and it gets oopsed.

However, I believe the point of 4K stacks is that there is a dirth of kernel virtual memory address space, so have 4K of usable addresses plus 4K of unusable obviates the 4K stack change.

To be robust like other OSes in this area, we'd have to go to some complex system with multiple kernel address spaces, and that probably would bring with it a pageable kernel.

VM for device drivers?

Posted Sep 13, 2005 1:17 UTC (Tue) by mcelrath (guest, #8094) [Link]

Dirth isn't a word. The word you wanted is dearth. (back at cha)

Anyway, one really needs an oops or panic if the kernel stack is overflowed. A previous poster said page faults in kernel space aren't detectable. You are proposing a 4k page at the end of the stack to check if the stack has overflowed. If there are no page faults in kernel space, then one has to check the stack-overflow page on every process switch? That seems expensive.

Then on the other hand this overflow page can probably be only one physical page, shared among all processes (and an oops or panic if ANY process writes it), and if a page fault isn't possible then the task switch could just do an

if(stack_overflow[0] != STACK_OVERFLOW_PATTERN) { oops }

e.g. just check the first byte. So overall it costs 1 cmp per task switch and 4k. Seems much better than silent stack overflows, and the possible security flaws that might come from them too...

VM for device drivers?

Posted Sep 13, 2005 16:07 UTC (Tue) by giraffedata (subscriber, #1954) [Link]

The kernel can and does detect page faults in kernel space. When the kernel tries to dereference a null pointer, the oops you see is due to the page fault. The same thing would work with the invalid page after the end of the stack (that's called a "guard page").

The earlier comment really meant that the kernel is not set up to handle a page fault in a virtual memory fashion -- i.e. do a pagein and continue as if nothing had happened.

But, unfortunately, the guard page has the same problem as 8K stacks -- requires an extra 4K per thread of kernel virtual memory address space and requires 2 contiguous virtual pages. There was a time when virtual address space was in abundant supply and we just worried about real memory, but today the reverse is often true.

VM for device drivers?

Posted Sep 20, 2005 20:19 UTC (Tue) by renox (subscriber, #23785) [Link]

>There was a time when virtual address space was in abundant supply and we just worried about real memory, but today the reverse is often true.

Well, only on 32 bit CPUs. The suggestion of adding guard page seems very valid to me, even if only for 64 bit CPUs: less crash or at least 'controlled crash' are always better.

4K stacks for everyone?

Posted Sep 9, 2005 17:09 UTC (Fri) by Ross (guest, #4065) [Link]

Actually the kernel is what expands the userspace stack, not the C library. If you think about it, it is exanded even in a program which doesn't call any functions in the C library.

How exactly would you handle a stack overflow in kernel space?

Posted Sep 10, 2005 10:15 UTC (Sat) by pkolloch (subscriber, #21709) [Link]

I think it is not that easy to gracefully deal with stack overflows, even if they get detected. What do you do, if the process scheduler triggers a stack overflow? Disable it?

Even for device drivers the general case gets tricky... [besides the fact that at least the device in question would have to stop working]

How exactly would you handle a stack overflow in kernel space?

Posted Sep 11, 2005 1:04 UTC (Sun) by giraffedata (subscriber, #1954) [Link]

In most cases, an oops is easy, and significantly more graceful than what we have now. In some cases (e.g. process scheduler), oops isn't possible, but panic is still more graceful than we we have.

4K stacks for everyone?

Posted Sep 11, 2005 1:15 UTC (Sun) by giraffedata (subscriber, #1954) [Link]

But this just begs the question...does the kernel really have no means of detecting or handling stack overflows?

It doesn't beg any question. It just raises one. "Beg" means "evade."


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds