Re: kernel stack corruption

Linux Kernel Mailing list (kernel@cc91339-a.ewndsr1.nj.home.com)
Mon, 15 Feb 1999 16:07:13 -0500


Kernel stack corruption usually occurs when the stack overflows. There is
no check for the overflow that I know of.

This happened to me during the development of the Overlay Filesystem many
times due to a recursive function call.

Try to make sure that your source does not run into any recursions;
especially deep ones, and that you do not allocate too much memory on the
stack, as in the following example:

bad_kernel_function (int x)
{
struct some_large_struct array[1024];
}

Another possibility is that your source may have a pointer problem where
it overruns an object on the stack, thereby overwritting the MAGIC number
for some process on the stack, such as:

bad_kernel_function2 (int x)
{
char buf[256];
char *ptr;

...

ptr = buf + strlen(buf) - 1;
while ( ptr != ':' )
ptr--;

ptr[0] = '\0';

...
}

The code that you pointed out that checks the stack is a sanity
check that indicates that there is a problem with the stack; it
checks when a process is completed by looking for the MAGIC
number that gets put on the stack when the process is started.

At 03:55 PM 2/12/99 +0100, vgo@Ratio.de wrote:
>Every time when I use ioclt commands on my driver I get a "kernel stack
>corruption. Aiee".
>I set a breakpoint in exit.c at line 142 (using gdbstub and debugging with
>ddd) and
>printed the graphic of the task task_struct *p in a file which is attached
>to this mail.
>
>
>--------------------------------------------------------------------
> 139 REMOVE_LINKS(p);
> 140 release_thread(p);
> 141 if (STACK_MAGIC != *(unsigned long
>*)p->kernel_stack_page)
> 142 printk(KERN_ALERT "release: %s kernel
>stack corruption. Aiee\n"
>, p->comm);
> 143 free_kernel_stack(p->kernel_stack_page);
> 144 current->cmin_flt += p->min_flt + p->cmin_flt;
>
>--------------------------------------------------------------------
>
>Who can tell me why my p->kernel_stack_page isn't STACK_MAGIC?
>
>in linux/kernel.h
>
>#define STACK_MAGIC 0xdeadbeef
>
>*(unsigned long *)p->kernel_stack_page = 0x2b;
>
>By calling the ioctl the driver allocates thought vmalloc 111600 bytes of
>kernel space
>which is used until a new ioctl call.
>Is this the reason for the stack corruption?
>Has any memory who is allocated thought ioctl calls to be freed before
>returning the call?
>
>Hope you can help me
>Vasili
>

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/