
I am writing a kernel module in Linux, on the aarch64 architecture, that has a structure as a global. I am working on a Pixel 8 device (shiba), with CalyxOS, AOSP (Android Open Source Project) kernel [uname -r: 5.15.137-android14-11-gbc062a78e195-ab12057991].

  • What I want: the sp register to point to this global structure, that is, I want the stack to be managed inside my global variable.
  • What happens: whenever I set sp to point to my global structure and access this memory (for example using an stp instruction), I immediately get a kernel panic due to a kernel stack overflow.

Here is an example of code that causes a KP (kernel panic) with a kernel stack overflow:

    mov x16, #0x12          // test values to store
    mov x17, #0x34
    mov x1, sp              // save the original kernel stack pointer
    ldr x0, =new_stack      // address of the global structure
    mov sp, x0              // switch sp to the global structure
    stp x16, x17, [sp]      // <---- KP HERE: first access through the new sp
    mov sp, x1              // restore the original stack pointer

And here are a couple of snippets from /sys/fs/pstore/console-ramoops-0:

RAMDUMP_MSG.txt:

    reset message: KP: kernel stack overflow
    UUID: a916fabb-7bb8-5a4e-aafa-7c7936d8d495
    last kernel version: 5.15.137-android14-11-gb60f0c2a8346-ab12076200
    aosp kernel version: 5.15.137-android14-11-gbc062a78e195-ab12057991
    build: google/shiba/shiba:14/AP2A.240905.003/12231197:user/release-keys
    RST_STAT: 0x80 - SYSTEM_SWRESET_SYSTEM
    GSA_RESET_STATUS: 0x10 - GSA_INTERMEDIATE_RESET
    Reboot reason: 0xbaba - Kernel PANIC
    Reboot mode: 0x0 - Normal Boot

Stack backtrace:

     Call trace:
      dump_backtrace+0xf8/0x1e8
      sched_show_task+0x1f0/0x328
      dbg_snapshot_dump_one_task_info+0x184/0x1a8 [dss]
      dbg_snapshot_dump_task_info+0xc4/0x128 [dss]
      dbg_snapshot_panic_handler+0x2dc/0x408 [dss]
      atomic_notifier_call_chain+0x84/0x128
      panic+0x1a8/0x430
      panic_bad_stack+0x1bc/0x1d8
      patch_alternative+0x0/0x114
      __bad_stack+0x8c/0x90
      execute+0x280/0x380 [revisor_executor]
      trace+0x2c/0x48 [revisor_executor]
      revisor_ioctl+0x1d0/0x210 [revisor_executor]
      __arm64_sys_ioctl+0x178/0x1f8
      invoke_syscall+0x58/0x138
      el0_svc_common+0xb0/0xe8
      do_el0_svc+0x20/0x7c
      el0_svc+0x28/0x9c
      el0t_64_sync_handler+0x7c/0xe4
      el0t_64_sync+0x1b4/0x1b8

What I did:

  • I have checked the alignment of the sp register, and it is aligned to 16 bytes.
  • I also checked with other registers; for example, the same code with x8 works just fine.
  • I guess that there is some valid range for sp to point to, so my question is: how can I change this range?

Thank you very much!

  • github.com/torvalds/linux/blob/master/arch/arm64/kernel/… Commented Jan 15 at 14:45
  • Hi, thank you for your help! But I am not sure how to use it or how I can change the boundaries using it. Commented Jan 15 at 15:00
  • This seems like an XY question. Can you explain why you want to change the stack? What problem do you hope to solve by doing so? The stack setup is pretty basic to the kernel, so if you want to change it, I expect that extensive hacking will be needed. Thus you should think about whether there's a better way to accomplish your overall goal. Commented Jan 15 at 18:50
  • In particular, every task is supposed to have its own kernel stack. So if you intend to use a global block of memory, you will at minimum need locking to ensure that no two tasks try to use it simultaneously. Commented Jan 15 at 18:51
  • Sorry, but I don't know what an XY question is. I am trying to create a sandbox for code that I generate to run, and I want to monitor all that it is doing; as part of this, I want to monitor the stack. Commented Jan 15 at 19:52
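Added example (not from the question, the comments, or the kernel tree): a user-space C model of the stack-pointer sanity check that arm64's exception entry code (arch/arm64/kernel/entry.S, CONFIG_VMAP_STACK) performs, which is the path that ends in `__bad_stack` and `panic_bad_stack` in the backtrace above. THREAD_SHIFT 14, OVERFLOW_STACK_SIZE 4096, PT_REGS_SIZE 336 and all addresses are assumptions for a 4 KiB-page, non-KASAN v5.15 kernel; the function and enum names are mine.

```c
/* Model of the arm64 exception-entry stack check (CONFIG_VMAP_STACK).
 * Assumed constants for a 4 KiB-page, non-KASAN v5.15 kernel. */
#include <stdint.h>
#include <stdio.h>

#define THREAD_SHIFT        14u                    /* 16 KiB kernel stacks */
#define THREAD_SIZE         (1ull << THREAD_SHIFT)
#define OVERFLOW_STACK_SIZE 4096ull
#define PT_REGS_SIZE        336ull                 /* sizeof(struct pt_regs), assumed */

enum sp_verdict { SP_OK = 0, SP_ON_OVERFLOW_STACK = 1, SP_BAD_STACK = 2 };

/* sp: stack pointer at the instant any exception (IRQ, fault, ...) is taken.
 * overflow_top: this CPU's overflow_stack + OVERFLOW_STACK_SIZE. */
enum sp_verdict entry_check_sp(uint64_t sp, uint64_t overflow_top)
{
    /* kernel_ventry first reserves the pt_regs frame: sub sp, sp, #PT_REGS_SIZE */
    uint64_t sp_frame = sp - PT_REGS_SIZE;

    /* Fast path (tbnz x0, #THREAD_SHIFT): task and IRQ stacks are allocated
     * 2*THREAD_SIZE aligned, so bit THREAD_SHIFT is clear for every address
     * inside one; a set bit is read as "sp ran below the stack base". The
     * check looks only at this bit, not at current->stack, so 16-byte
     * alignment of a module global says nothing about whether it passes. */
    if ((sp_frame & THREAD_SIZE) == 0)
        return SP_OK;

    /* Slow path: the kernel switches to the per-CPU overflow stack and only
     * tolerates an old sp that was already inside that overflow stack
     * (tst x0, #~(OVERFLOW_STACK_SIZE - 1)); anything else -> __bad_stack. */
    uint64_t delta = overflow_top - sp_frame;
    if ((delta & ~(OVERFLOW_STACK_SIZE - 1)) == 0)
        return SP_ON_OVERFLOW_STACK;

    return SP_BAD_STACK;   /* panic_bad_stack(): "kernel stack overflow" */
}

int main(void)
{
    /* Constructed sample addresses, not taken from the device. */
    const uint64_t overflow_top = 0xffff800011008000ull;           /* 4 KiB aligned */
    const uint64_t task_stack   = 0xffff800010008000ull;           /* 32 KiB aligned base */
    const uint64_t sp_task      = task_stack + THREAD_SIZE - 0x100; /* normal kernel sp */
    const uint64_t sp_global    = 0xffff800010c04ff0ull;           /* 16-byte aligned, bit 14 set */

    printf("sp on task stack     -> %d\n", entry_check_sp(sp_task, overflow_top));   /* 0 */
    printf("sp in module global  -> %d\n", entry_check_sp(sp_global, overflow_top)); /* 2 */
    return 0;
}
```

The verdict 2 for the global reproduces the panic path in the backtrace; the next exception taken while sp points there, not the stp itself, is what lands in `__bad_stack`.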
