sched: Add default-disabled option to BUG() when stack end location is overwritten

Currently in the event of a stack overrun a call to schedule() does not check for this type of corruption. This corruption is often silent and can go unnoticed. However once the corrupted region is examined at a later stage, the outcome is undefined and often results in a sporadic page fault which cannot be handled. This patch checks for a stack overrun and takes appropriate action since the damage is already done, there is no point in continuing. Signed-off-by: Aaron Tomlin <atomlin@redhat.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: aneesh.kumar@linux.vnet.ibm.com Cc: dzickus@redhat.com Cc: bmr@redhat.com Cc: jcastillo@redhat.com Cc: oleg@redhat.com Cc: riel@redhat.com Cc: prarit@redhat.com Cc: jgh@redhat.com Cc: minchan@kernel.org Cc: mpe@ellerman.id.au Cc: tglx@linutronix.de Cc: rostedt@goodmis.org Cc: hannes@cmpxchg.org Cc: Alexei Starovoitov <ast@plumgrid.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Andi Kleen <ak@linux.intel.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Dan Streetman <ddstreet@ieee.org> Cc: Davidlohr Bueso <davidlohr@hp.com> Cc: David S. Miller <davem@davemloft.net> Cc: Kees Cook <keescook@chromium.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Lubomir Rintel <lkundrak@v3.sk> Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Link: http://lkml.kernel.org/r/1410527779-8133-4-git-send-email-atomlin@redhat.com Signed-off-by: Ingo Molnar <mingo@kernel.org>
author: Aaron Tomlin <atomlin@redhat.com> 2014-09-12 09:16:19 -0400
committer: Ingo Molnar <mingo@kernel.org> 2014-09-19 06:35:24 -0400
commit: 0d9e26329b0c9263d4d9e0422d80a0e73268c52f (patch)
tree: ab0e520be3ecb71faa143c55a30cb9e8f48135e1
parent: a70857e46dd13e87ae06bf0e64cb6a2d4f436265 (diff)
2 files changed, 15 insertions, 0 deletions
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 4b1ddebed54a..61ee2b327a27 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -2693,6 +2693,9 @@ static noinline void __schedule_bug(struct task_struct *prev)
 */
 static inline void schedule_debug(struct task_struct *prev)
 {
+#ifdef CONFIG_SCHED_STACK_END_CHECK
+        BUG_ON(unlikely(task_stack_end_corrupted(prev)));
+#endif
        /*
         * Test if we are atomic. Since do_exit() needs to call into
         * schedule() atomically, we ignore that path. Otherwise whine
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index a28590083622..e58163d69db1 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -824,6 +824,18 @@ config SCHEDSTATS
          application, you can say N to avoid the very slight overhead
          this adds.
+config SCHED_STACK_END_CHECK
+        bool "Detect stack corruption on calls to schedule()"
+        depends on DEBUG_KERNEL
+        default n
+        help
+          This option checks for a stack overrun on calls to schedule().
+          If the stack end location is found to be over written always panic as
+          the content of the corrupted region can no longer be trusted.
+          This is to ensure no erroneous behaviour occurs which could result in
+          data corruption or a sporadic crash at a later stage once the region
+          is examined. The runtime overhead introduced is minimal.
 config TIMER_STATS
        bool "Collect kernel timers statistics"
        depends on DEBUG_KERNEL && PROC_FS
author	Aaron Tomlin <atomlin@redhat.com>	2014-09-12 09:16:19 -0400
committer	Ingo Molnar <mingo@kernel.org>	2014-09-19 06:35:24 -0400
commit	0d9e26329b0c9263d4d9e0422d80a0e73268c52f (patch)
tree	ab0e520be3ecb71faa143c55a30cb9e8f48135e1
parent	a70857e46dd13e87ae06bf0e64cb6a2d4f436265 (diff)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 4b1ddebed54a..61ee2b327a27 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c
@@ -2693,6 +2693,9 @@ static noinline void __schedule_bug(struct task_struct *prev)
2693	*/	2693	*/
2694	static inline void schedule_debug(struct task_struct *prev)	2694	static inline void schedule_debug(struct task_struct *prev)
2695	{	2695	{
		2696	#ifdef CONFIG_SCHED_STACK_END_CHECK
		2697	BUG_ON(unlikely(task_stack_end_corrupted(prev)));
		2698	#endif
2696	/*	2699	/*
2697	* Test if we are atomic. Since do_exit() needs to call into	2700	* Test if we are atomic. Since do_exit() needs to call into
2698	* schedule() atomically, we ignore that path. Otherwise whine	2701	* schedule() atomically, we ignore that path. Otherwise whine


diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index a28590083622..e58163d69db1 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug
@@ -824,6 +824,18 @@ config SCHEDSTATS
824	application, you can say N to avoid the very slight overhead	824	application, you can say N to avoid the very slight overhead
825	this adds.	825	this adds.
826		826
		827	config SCHED_STACK_END_CHECK
		828	bool "Detect stack corruption on calls to schedule()"
		829	depends on DEBUG_KERNEL
		830	default n
		831	help
		832	This option checks for a stack overrun on calls to schedule().
		833	If the stack end location is found to be over written always panic as
		834	the content of the corrupted region can no longer be trusted.
		835	This is to ensure no erroneous behaviour occurs which could result in
		836	data corruption or a sporadic crash at a later stage once the region
		837	is examined. The runtime overhead introduced is minimal.
		838
827	config TIMER_STATS	839	config TIMER_STATS
828	bool "Collect kernel timers statistics"	840	bool "Collect kernel timers statistics"
829	depends on DEBUG_KERNEL && PROC_FS	841	depends on DEBUG_KERNEL && PROC_FS