Windows kernel: why is my memory mapping not working? - windows

I have a KMDF driver that allocates a single buffer using MmAllocateContiguousMemorySpecifyCache and gets its MDL:
auto ptr = MmAllocateContiguousMemorySpecifyCache(
    BUFFER_SIZE,
    lowestAcceptible,     // LowestAcceptableAddress
    highestAcceptible,    // HighestAcceptableAddress
    lowestAcceptible,     // BoundaryAddressMultiple
    MmCached);
PQUEUE_CONTEXT queueContext = QueueGetContext(queue);
if (ptr)
{
    RtlZeroMemory(ptr, BUFFER_SIZE);
    queueContext->stage_buffer_ptr = ptr;
    queueContext->stage_buffer_byte_size = BUFFER_SIZE;
    queueContext->stage_buffer_bus_address = MmGetPhysicalAddress(ptr).QuadPart;
    queueContext->mdl = IoAllocateMdl(
        ptr,
        static_cast<ULONG>(queueContext->stage_buffer_byte_size),
        false,    // SecondaryBuffer
        false,    // ChargeQuota
        nullptr   // Irp
    );
}
Once that buffer is allocated, the driver handles an IOCTL (METHOD_NEITHER) that maps the pre-allocated buffer into the requesting process's address space using MmMapLockedPagesSpecifyCache:
auto queueContext = QueueGetContext(Queue);
auto user_ptr = MmMapLockedPagesSpecifyCache(
    queueContext->mdl,
    UserMode,
    MmCached,
    nullptr,   // RequestedAddress
    false,     // BugCheckOnFailure
    MM_PAGE_PRIORITY::HighPagePriority
);
A few lines after, I fill the memory with testing values:
auto vals = (int*)queueContext->stage_buffer_ptr; // kernel virtual address
for (auto i = 0; i < 10; ++i)
{
    vals[i] = i;
}
but when the user loops over its mapped address, it gets garbage values.
I tried to debug this issue with WinDbg and when I break after the loop I see the following:
kernel virtual address:
1: kd> dc 0xffffb901`c6f5d000 (ok)
ffffb901`c6f5d000 00000000 00000001 00000002 00000003 ................
ffffb901`c6f5d010 00000004 00000005 00000006 00000007 ................
ffffb901`c6f5d020 00000008 00000009 00000000 00000000 ................
ffffb901`c6f5d030 00000000 00000000 00000000 00000000
user virtual address: (displays junk)
1: kd> dc 0x00000174`423f0000
00000174`423f0000 332c3000 ffffcc05 bc823afb 01d40a37 .0,3.....:..7...
00000174`423f0010 5e784ab3 01d5da99 5e784ab3 01d5da99 .Jx^.....Jx^....
00000174`423f0020 b1de413c 01d5db3f 00002000 00000000 <A..?.... ......
00000174`423f0030 00002000 00000000 00000010 00000000 . ..............
So why don't I see the same values via the pointer received by MmMapLockedPagesSpecifyCache?
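An added example, not the asker's code, of the complete allocate, build-MDL, map and tear-down sequence: IoAllocateMdl only sets up the MDL header, and it is MmBuildMdlForNonPagedPool that fills in the page-frame array MmMapLockedPagesSpecifyCache reads, so a mapping built from an unfilled array shows unrelated pages instead of the buffer. It assumes WDK headers, a PASSIVE_LEVEL dispatch running in the requesting process's context, and the hypothetical STAGE_BUFFER names.

```c
#include <ntddk.h>

// Hypothetical names (STAGE_BUFFER, StageBuffer*) belong to this example, not
// to the asker's driver.
typedef struct _STAGE_BUFFER {
    PVOID  KernelVa;   // kernel virtual address of the contiguous buffer
    PMDL   Mdl;        // MDL describing the buffer's physical pages
    PVOID  UserVa;     // mapping in the requesting process, or NULL
    SIZE_T Size;
} STAGE_BUFFER, *PSTAGE_BUFFER;

NTSTATUS StageBufferCreate(PSTAGE_BUFFER Sb, SIZE_T Size)
{
    PHYSICAL_ADDRESS lowest, highest, boundary;

    lowest.QuadPart   = 0;
    highest.QuadPart  = -1;  // any physical address; tighten to the device's DMA limits
    boundary.QuadPart = 0;   // BoundaryAddressMultiple: 0 = no alignment constraint
    RtlZeroMemory(Sb, sizeof(*Sb));

    Sb->KernelVa = MmAllocateContiguousMemorySpecifyCache(
        Size, lowest, highest, boundary, MmCached);
    if (Sb->KernelVa == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    RtlZeroMemory(Sb->KernelVa, Size);   // never expose uninitialised memory to user mode
    Sb->Size = Size;

    // IoAllocateMdl allocates and initialises the MDL header only; the PFN
    // array that MmMapLockedPages* consumes is still unfilled here.
    Sb->Mdl = IoAllocateMdl(Sb->KernelVa, (ULONG)Size, FALSE, FALSE, NULL);
    if (Sb->Mdl == NULL) {
        MmFreeContiguousMemorySpecifyCache(Sb->KernelVa, Size, MmCached);
        Sb->KernelVa = NULL;
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    // Fill the PFN array from the page tables of this non-paged buffer.
    MmBuildMdlForNonPagedPool(Sb->Mdl);
    return STATUS_SUCCESS;
}

// Call at PASSIVE_LEVEL in the context of the process that will use the
// mapping (true for a METHOD_NEITHER IOCTL dispatched from that process).
NTSTATUS StageBufferMapToCaller(PSTAGE_BUFFER Sb)
{
    __try {
        // A user-mode mapping can raise (e.g. address space exhausted), so the
        // call must be guarded. MdlMappingNoExecute (Windows 8 and later)
        // keeps the user view non-executable.
        Sb->UserVa = MmMapLockedPagesSpecifyCache(
            Sb->Mdl, UserMode, MmCached, NULL, FALSE,
            NormalPagePriority | MdlMappingNoExecute);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        Sb->UserVa = NULL;
        return GetExceptionCode();
    }
    return (Sb->UserVa != NULL) ? STATUS_SUCCESS : STATUS_INSUFFICIENT_RESOURCES;
}

// Tear down in reverse order: the user mapping (from the same process that
// mapped it), then the MDL, then the pages themselves.
VOID StageBufferDestroy(PSTAGE_BUFFER Sb)
{
    if (Sb->UserVa != NULL) {
        MmUnmapLockedPages(Sb->UserVa, Sb->Mdl);
        Sb->UserVa = NULL;
    }
    if (Sb->Mdl != NULL) {
        IoFreeMdl(Sb->Mdl);
        Sb->Mdl = NULL;
    }
    if (Sb->KernelVa != NULL) {
        MmFreeContiguousMemorySpecifyCache(Sb->KernelVa, Sb->Size, MmCached);
        Sb->KernelVa = NULL;
    }
}
```

Because user mode can write the same physical pages at any moment, the driver has to treat the buffer's contents as untrusted and must not re-read a value it has already validated.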

Related

Identify Cause of NULL_CLASS_PTR_READ_c0000005 on combase!CStdMarshal::UnmarshalIPID in PowerBuilder 10 App

What are some alternate steps that could be used to identify the root cause of this access violation read crash? I don't have access to the source code or the customer environment, so I need to specify steps to collect the required information.
The issue only occurs when 3rd-party firewall software is running, whose driver can be seen in stack traces of the process when using the ProcMon stack summary feature. However, I need to work out more explicitly how the issue is caused to enable a fix from the 3rd-party firewall vendor.
I have tried to walk the customer through capturing API Monitor traces and a Time Travel Debugging trace; however, they are triggering the application to crash before the issue can be reproduced.
The application seems to be built with PowerBuilder 10.2.1.0.
Crash dump output shows the following:
0:000> !analyze -v
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
NTGLOBALFLAG: 0
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
CONTEXT: (.ecxr)
eax=00000010 ebx=009c653c ecx=06da3ce4 edx=0019ccf8 esi=00000000 edi=00a63f88
eip=756afcbf esp=0019cb7c ebp=0019cbc0 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
combase!CStdMarshal::UnmarshalIPID+0xb8:
756afcbf 8b5804 mov ebx,dword ptr [eax+4] ds:002b:00000014=????????
Resetting default scope
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 756afcbf (combase!CStdMarshal::UnmarshalIPID+0x000000b8)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000014
Attempt to read from address 00000014
PROCESS_NAME: appname.exe
READ_ADDRESS: 00000014
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000014
STACK_TEXT:
0019cbc0 756c62a5 0019ccf8 0019cd08 009c5aa0 combase!CStdMarshal::UnmarshalIPID+0xb8
0019cc48 756d61b0 0019ccf0 0019cf1c 00000000 combase!CStdMarshal::UnmarshalObjRef+0x155
0019ce54 5b309fe8 009ef828 5b2f5fa4 0019cf1c combase!CoUnmarshalInterface+0xdc0
0019ceec 5b312666 5b2f5fa4 0019cf1c 0000003d oleacc!SharedBuffer_Free+0x2b8
0019cf7c 5b3097fb 00002728 0000003d 00000001 oleacc!SharedBuffer_Allocate+0x8e36
0019cfa0 1123c095 11437d18 ffffffff 03d977cc oleacc!EXTERNAL_LresultFromObject+0x4b
WARNING: Stack unwind information not available. Following frames may be wrong.
0019cfd4 112363b7 0007079e ffffffff fffffffc pbvm100!FN_EvtTimerWnd+0xa75
0019d068 75db44bb 0007079e 0000003d ffffffff pbvm100!FN_DataWindowWnd+0x4a7
0019d094 75d94ffc 11235f10 0007079e 0000003d user32!_InternalCallWinProc+0x2b
0019d178 75d94b9a 11235f10 00000000 0000003d user32!UserCallWinProcCheckWow+0x3ac
0019d1dc 75d9e1df 01098290 00000000 0000003d user32!DispatchClientMessage+0xea
0019d218 7758428d 0019d234 00000020 0019d408 user32!__fnDWORD+0x3f
0019d250 759a2c0c 75db2d92 0007079e 0000003d ntdll!KiUserCallbackDispatcher+0x4d
0019d254 75db2d92 0007079e 0000003d ffffffff win32u!NtUserMessageCall+0xc
0019d298 75db2cf2 ffffffff fffffffc 00000002 user32!SendMessageTimeoutWorker+0x9b
0019d2bc 5b309695 0007079e 0000003d ffffffff user32!SendMessageTimeoutW+0x22
0019d2f8 5b30954b 0007079e fffffffc 5b2f5cc4 oleacc!NativeIAccessibleFromWindow+0x70
0019d328 5b32f49e 5b2f5cc4 0019d348 fffffffc oleacc!AccessibleObjectFromWindow+0x27
0019d360 5b32fa57 00000000 0019d3f8 0019d3c0 oleacc!AccessibleObjectFromEvent+0x5e
0019d374 76080c8b 0007079e fffffffc 00000000 oleacc!EXTERNAL_AccessibleObjectFromEvent+0x27
0019d39c 76080bae 00000000 0019d3f8 0019d3c0 msctf!AccessibleObjectFromEvent+0x38
0019d418 7606a0c5 0007079e fffffffc 00000000 msctf!CThreadInputMgr::OnAccFocusEvent+0x9f
0019d468 76069320 00008005 0007079e fffffffc msctf!CThreadInputMgr::OnCiceroEvent+0xa5
0019d4c4 75d9f019 001f02b7 00008005 0007079e msctf!WinEventProc+0xf0
0019d508 7758428d 0019d524 00000020 0019d928 user32!__ClientCallWinEventProc+0x39
0019d540 11297886 0007079e 0007079e 0704d628 ntdll!KiUserCallbackDispatcher+0x4d
0019d558 11234dd9 000b0736 00000000 00000000 pbvm100!FN_WndProc+0x766
0019d828 75db44bb 000b0736 00000007 00360360 pbvm100!FN_WindowWnd+0x14e9
0019d854 75d94ffc 112338f0 000b0736 00000007 user32!_InternalCallWinProc+0x2b
0019d938 75d9454f 112338f0 00000000 00000007 user32!UserCallWinProcCheckWow+0x3ac
0019d970 10b8f24d 112338f0 000b0736 00000007 user32!CallWindowProcW+0x7f
0019d998 75db44bb 000b0736 00000007 00360360 pbshr100!PBC_MainProc3D+0x16d
0019d9c4 75d94ffc 10b8f0e0 000b0736 00000007 user32!_InternalCallWinProc+0x2b
0019daa8 75d94b9a 10b8f0e0 00000000 00000007 user32!UserCallWinProcCheckWow+0x3ac
0019db0c 75d9e1df 010832e0 00000000 00000007 user32!DispatchClientMessage+0xea
0019db48 7758428d 0019db64 00000020 0019dce4 user32!__fnDWORD+0x3f
0019db80 759a30ac 75da6b6e 000b0736 00000007 ntdll!KiUserCallbackDispatcher+0x4d
0019db84 75da6b6e 000b0736 00000007 00000000 win32u!NtUserSetFocus+0xc
0019dbc4 75dee1b9 0102ab40 00000000 00000007 user32!MDIClientWndProcWorker+0x14e
0019dbe4 75db44bb 00360360 00000007 00360360 user32!MDIClientWndProcW+0x29
0019dc10 75d94ffc 75dee190 00360360 00000007 user32!_InternalCallWinProc+0x2b
0019dcf4 75d9454f 75dee190 00000000 00000007 user32!UserCallWinProcCheckWow+0x3ac
0019dd2c 10b8cdd2 75dee190 00360360 00000007 user32!CallWindowProcW+0x7f
0019dd54 75d952a1 00000000 77554470 112338f0 pbshr100!PBC_NormalProc3D+0x72
0019dd90 75d94ffc 10b8cd60 00360360 00000007 user32!UserCallWinProcCheckWow+0x651
0019de74 75d9454f 10b8cd60 00000000 00000007 user32!UserCallWinProcCheckWow+0x3ac
0019deac 112380fd 10b8cd60 00360360 00000007 user32!CallWindowProcW+0x7f
0019deec 75db44bb 00360360 00000007 00360360 pbvm100!FN_MDIClientWnd+0x2dd
0019df18 75d94ffc 11237e20 00360360 00000007 user32!_InternalCallWinProc+0x2b
0019dffc 75d947ad 11237e20 00000000 00000007 user32!UserCallWinProcCheckWow+0x3ac
0019e060 75d94473 0102ab40 00000000 00000000 user32!SendMessageWorker+0x1fd
0019e094 75da669a 00360360 00000007 00360360 user32!SendMessageW+0x123
0019e0d0 75da62a7 0102ab40 00000000 010832e0 user32!xxxMDIActivate+0x201
0019e114 75deea18 00000000 00000000 00000000 user32!DefMDIChildProcWorker+0x1f7
0019e128 112971f8 000b0736 00000022 00000000 user32!DefMDIChildProcW+0x18
0019e150 112dcf2a 000b0736 00000022 00000000 pbvm100!FN_WndProc+0xd8
0019e168 112dcba9 11297120 000b0736 00000022 pbvm100!fn_txnservice_create_instance+0x912a
0019e18c 11235260 11297120 000b0736 00000022 pbvm100!fn_txnservice_create_instance+0x8da9
0019e470 75db44bb 000b0736 00000022 00000000 pbvm100!FN_WindowWnd+0x1970
0019e49c 75d94ffc 112338f0 000b0736 00000022 user32!_InternalCallWinProc+0x2b
0019e580 75d9454f 112338f0 00000000 00000022 user32!UserCallWinProcCheckWow+0x3ac
0019e5b8 10b8f24d 112338f0 000b0736 00000022 user32!CallWindowProcW+0x7f
0019e5e0 75db44bb 000b0736 00000022 00000000 pbshr100!PBC_MainProc3D+0x16d
0019e60c 75d94ffc 10b8f0e0 000b0736 00000022 user32!_InternalCallWinProc+0x2b
0019e6f0 75d94b9a 10b8f0e0 00000000 00000022 user32!UserCallWinProcCheckWow+0x3ac
0019e754 75d9e1df 010832e0 00000000 00000022 user32!DispatchClientMessage+0xea
0019e790 7758428d 0019e7ac 00000020 0019ea6c user32!__fnDWORD+0x3f
0019e7c8 759a2ddc 75dcaa02 000b0736 00000000 ntdll!KiUserCallbackDispatcher+0x4d
0019e7cc 75dcaa02 000b0736 00000000 00000000 win32u!NtUserSetWindowPos+0xc
0019e820 75d8fa58 00000001 00000000 0019ee94 user32!MDICompleteChildCreation+0x1b895
0019e8d8 75da6be3 03d994c4 16cf0000 80000000 user32!CreateWindowInternal+0x2ec
0019e94c 75dee1b9 0102ab40 00000000 00000220 user32!MDIClientWndProcWorker+0x1c3
0019e96c 75db44bb 00360360 00000220 00000000 user32!MDIClientWndProcW+0x29
0019e998 75d94ffc 75dee190 00360360 00000220 user32!_InternalCallWinProc+0x2b
0019ea7c 75d9454f 75dee190 00000000 00000220 user32!UserCallWinProcCheckWow+0x3ac
0019eab4 10b8cdd2 75dee190 00360360 00000220 user32!CallWindowProcW+0x7f
0019eaec 75db44bb 00360360 00000220 00000000 pbshr100!PBC_NormalProc3D+0x72
00000000 00000000 00000000 00000000 00000000 user32!_InternalCallWinProc+0x2b
SYMBOL_NAME: oleacc!SharedBuffer_Free+2b8
MODULE_NAME: oleacc
IMAGE_NAME: oleacc.dll
STACK_COMMAND: ~0s ; .ecxr ; kb
FAILURE_BUCKET_ID: NULL_CLASS_PTR_READ_c0000005_oleacc.dll!SharedBuffer_Free
OS_VERSION: 10.0.18362.239
BUILDLAB_STR: 19h1_release_svc_prod1
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
IMAGE_VERSION: 7.2.18362.1
FAILURE_ID_HASH: {2506b308-0659-fc20-d871-5cc908d8929d}
Followup: MachineOwner
The parameters passed to the COM APIs are:
0c 0019cbc0 756c62a5 combase!CStdMarshal::UnmarshalIPID(struct _GUID * riid = 0x0019ccf8 {618736E0-3C3D-11CF-810C-00AA00389B71}, struct tagSTDOBJREF * pStd = 0x0019cd08, class OXIDEntry * pOXIDEntry = 0x009c5aa0, void ** ppv = 0x0019cf1c)+0xb8 [onecore\com\combase\dcomrem\marshal.cxx # 2406]
0d 0019cc48 756d61b0 combase!CStdMarshal::UnmarshalObjRef(struct tagOBJREF * objref = 0x0019ccf0, void ** ppv = 0x0019cf1c)+0x155 [onecore\com\combase\dcomrem\marshal.cxx # 2194]
0e (Inline) -------- combase!UnmarshalSwitch(void)+0xe7 [onecore\com\combase\dcomrem\marshal.cxx # 1825]
0f (Inline) -------- combase!UnmarshalObjRef(void)+0x1f8 [onecore\com\combase\dcomrem\marshal.cxx # 1963]
10 0019ce54 5b309fe8 combase!CoUnmarshalInterface(struct IStream * pStm = 0x009ef828, struct _GUID * riid = 0x5b2f5fa4 {00000000-0000-0000-C000-000000000046}, void ** ppv = 0x0019cf1c)+0xdc0 [onecore\com\combase\dcomrem\coapi.cxx # 1993]
This seems to reference the IAccessible interface, which has the following registry info:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\interface\{618736E0-3C3D-11CF-810C-00AA00389B71}]
@="IAccessible"
[HKEY_CLASSES_ROOT\interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib]
@="{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}"
"Version"="1.1"
This then seems to refer to PSOAInterface:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\clsid\{00020424-0000-0000-C000-000000000046}]
@="PSOAInterface"
[HKEY_CLASSES_ROOT\clsid\{00020424-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\Windows\\System32\\oleaut32.dll"
"ThreadingModel"="Both"
Reversing the crashing function to pseudocode, this code is within the PowerBuilder runtime, i.e. pbvm100.dll:
0:000> lmvm pbvm100
Browse full module list
start end module name
111e0000 11528000 pbvm100 (export symbols) pbvm100.dll
Loaded symbol image file: pbvm100.dll
Image path: C:\Program Files\AppName\pbvm100.dll
Image name: pbvm100.dll
Browse all global symbols functions data
Timestamp: Wed Aug 15 13:28:53 2007 (46C272F5)
CheckSum: 004132DA
ImageSize: 00348000
File version: 10.2.1.9948
Product version: 10.2.1.0
File flags: 2 (Mask 3) Pre-release
File OS: 10001 DOS Win16
File type: 1.65 App
File date: 00000000.00000000
Translations: 0409.04e4
Information from resource tables:
CompanyName: Sybase Inc.
ProductName: PowerBuilder/InfoMaker
InternalName: PB 10.0
FileVersion: 10.2.1.9948
FileDescription: Sybase Inc. Product File
LegalCopyright: Copyright Sybase Inc. 2004
LRESULT __stdcall FN_DataWindowWnd(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
{
    etc..
    if ( Msg <= 0x106 )
    {
        if ( Msg == 262 )
            return CallWindowProcW(*((WNDPROC *)v12 + 3), hWnd, 0x106u, wParam, lParam);
        switch ( Msg )
        {
            case 0x3Du:
                if ( lParam != -4 )
                    goto LABEL_72;
                result = CrashingFunction(hWnd, wParam, -4, 0);
                break;
            etc...
        }
    }
}
int __cdecl CrashingFunction(HWND hWnd, int a2, int a3, int a4)
{
    int result; // eax
    int v5; // [esp+Ch] [ebp-14h]
    int v6; // [esp+14h] [ebp-Ch]
    int v7; // [esp+18h] [ebp-8h] BYREF
    int v8; // [esp+1Ch] [ebp-4h]
    v8 = 0;
    v7 = 0;
    v6 = GetWindowProperties(hWnd);
    if ( !v6 )
        return 0;
    if ( *(_DWORD *)(v6 + 628) || (v8 = PB_CreateAccessibleService(v6 + 628)) == 0 && *(_DWORD *)(v6 + 628) )
    {
        v5 = GetWinProp(hWnd);
        if ( v5 )
        {
            if ( *(_DWORD *)v5 == 16509 )
            {
                v8 = (*(int (__stdcall **)(_DWORD, HWND, int))(**(_DWORD **)(v6 + 628) + 16))(
                    *(_DWORD *)(v6 + 628),
                    hWnd,
                    v5 + 256);
                if ( !v8 && *(_DWORD *)(v5 + 256) )
                {
                    if ( a4 )
                    {
                        (*(void (__stdcall **)(_DWORD, int, int *))(**(_DWORD **)(v5 + 256) + 116))(*(_DWORD *)(v5 + 256), a4, &v7);
                        if ( v7 )
                            result = PB_LresultFromObject(&unk_11437D18, a2, v7);
                        else
                            result = 0;
                    }
                    else
                    {
                        result = PB_LresultFromObject(&unk_11437D18, a2, *(_DWORD *)(v5 + 256));
                    }
                }
                else
                {
                    switch ( v8 )
                    {
                        case -2147467261:
                            DisplayErrorMsg(0x4B0u, 0x4B4u);
                            break;
                        case -2147024890:
                            DisplayErrorMsg(0x4B0u, 0x4B2u);
                            break;
                        case -2147024882:
                            DisplayErrorMsg(0x4B0u, 0x4B6u);
                            break;
                    }
                    result = 0;
                }
            }
            else
            {
                result = 0;
            }
        }
        else
        {
            result = 0;
        }
    }
    else
    {
        if ( v8 == -2147024882 )
            DisplayErrorMsg(0x4B0u, 0x4B6u);
        else
            DisplayErrorMsg(0x4B0u, 0x4B1u);
        result = 0;
    }
    return result;
}

Cannot connect UART to RB6 on PIC24FJ128GA204

Using the RPOR registers, I can successfully connect RB3 or RB15 or other pins to a UART (1-4) ... but not RB6. I don't see anything in the documentation or errata that say RB6 (RP6) is uniquely unavailable. Any guesses?
Here are my RPOR registers when I have RB3, RB6, and RC3 all connected to UART0. RB3 and RC3 operate correctly, but RB6 only operates as a digital output.
03D6 RPOR0 0x0000 0 00000000 00000000 '..'
03D8 RPOR1 0x0300 768 00000011 00000000 '..'
03DA RPOR2 0x0000 0 00000000 00000000 '..'
03DC RPOR3 0x0003 3 00000000 00000011 '..'
03DE RPOR4 0x0000 0 00000000 00000000 '..'
03E0 RPOR5 0x0000 0 00000000 00000000 '..'
03E2 RPOR6 0x0000 0 00000000 00000000 '..'
03E4 RPOR7 0x0000 0 00000000 00000000 '..'
03E6 RPOR8 0x0000 0 00000000 00000000 '..'
03E8 RPOR9 0x0300 768 00000011 00000000 '..'
03EA RPOR10 0x0000 0 00000000 00000000 '..'
03EC RPOR11 0x0700 1792 00000111 00000000 '..'
03EE RPOR12 0x0008 8 00000000 00001000 '..'
Here is how PORTB is set up:
018A TRISB 0x22A2 8866 00100010 10100010 '"¢'
018C PORTB 0x00C8 200 00000000 11001000 '.È'
018E LATB 0x0040 64 00000000 01000000 '.#'
0190 ODCB 0x0000 0 00000000 00000000 '..'
0192 ANSB 0x2000 8192 00100000 00000000 '..'
... and here are the CONFIG bits:
_CONFIG1(JTAGEN_OFF & GCP_OFF & GWRP_OFF & ICS_PGx1 & FWDTEN_ON & WINDIS_OFF & FWPSA_PR128 & WDTPS_PS1024);
_CONFIG2(IESO_ON & WDTCMX_LPRC & FNOSC_FRC & FCKSM_CSDCMD & OSCIOFCN_ON & POSCMD_NONE)
_CONFIG3(SOSCSEL_ON)
_CONFIG4(IOL1WAY_OFF & PLLDIV_DISABLED & DSWDTPS_DSWDTPS15)
I am trying to get on the Microchip fora to ask this, but their registration process is apparently down. Hoping the good folks of StackOverflow can help. Thanks!
Microchip, with infinite and God-like wisdom, decided to have analog input functionality on the RB6 input but suppressed almost all documentation of this and removed any mention of it in the PIC24FJ128GA204 errata.
The data sheet has vague hints about this here:
And here:
To get what you need, clear ANSB bit 6 to zero.

Debugging kernel panic error

I have an ARM board on which I am running Yocto with kernel 4.1.15. While I am running my Python program I get the following kernel error frequently but randomly:
Unable to handle kernel paging request at virtual address 7f101f7c
pgd = 80004000
[7f101f7c] *pgd=8c6c4811, *pte=00000000, *ppte=00000000
Internal error: Oops: 80000007 [#1] PREEMPT SMP ARM
Modules linked in: wilc3000(O) at_pwr_dev(O) pn5xx_i2c [last unloaded: at_pwr_dev]
CPU: 0 PID: 1336 Comm: DebugThread Tainted: G O 4.1.15-1.2.0+g77f6154
Hardware name: Freescale i.MX6 Ultralite (Device Tree)
task: 8c73b900 ti: 8c8d6000 task.ti: 8c8d6000
PC is at 0x7f101f7c
LR is at _raw_spin_unlock_irqrestore+0x28/0x54
pc : [<7f101f7c>] lr : [<807e1238>] psr: 600f0013
sp : 8c8d7f30 ip : 00000000 fp : 00000000
r10: 7f107d30 r9 : 7f107d20 r8 : 7f107f48
r7 : 00000000 r6 : 8c57b000 r5 : 7f107f48 r4 : 8c54aa00
r3 : 00000000 r2 : 00000000 r1 : 20000013 r0 : ffffffc2
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
Control: 10c53c7d Table: 8c52c06a DAC: 00000015
Process DebugThread (pid: 1336, stack limit = 0x8c8d6210)
Stack: (0x8c8d7f30 to 0x8c8d8000)
7f20: 8c8063a0 00000000 8c8d6000 00000000
7f40: 00000000 00000000 00000000 8c975c40 8c54aa00 7f101f28 00000000 00000000
7f60: 00000000 8004d070 00000000 00000000 7ee95a5c 8c54aa00 00000000 00000000
7f80: 8c8d7f80 8c8d7f80 00000000 00000000 8c8d7f90 8c8d7f90 8c8d7fac 8c975c40
7fa0: 8004cf94 00000000 00000000 8000f528 00000000 00000000 00000000 00000000
7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 7a9ce301 72611f00
[<807e1238>] (_raw_spin_unlock_irqrestore) from [<00000000>] ( (null))
Code: bad PC value
How can I debug this error, considering that I don't have access to JTAG on this board? What is the meaning of "Code: bad PC value"? Is there any way to find anything regarding the problem from this log?
pc : [<7f101f7c>] lr : [<807e1238>] psr: 600f0013
In order to translate it into a source code line:
arm-none-linux-gnueabi-addr2line -f -e vmlinux 7f101f7c
You must use your addr2line command.
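An added example, not the answerer's tool, that pulls the faulting address and the pc/lr/psr line out of the oops quoted above and works out where each address should be resolved: lr (807e1238) is kernel text and goes to addr2line against vmlinux as the answer says, whereas pc (7f101f7c) falls in the module area, and the fault address being pc itself is what yields "Code: bad PC value". It assumes PAGE_OFFSET 0x80000000 (inferred from the kernel addresses in the oops) and the 32-bit ARM convention of module text in the 16 MB below PAGE_OFFSET; the sample oops is constructed from the question's lines.

```c
#include <stdio.h>
#include <string.h>

/* Sample oops, constructed from the lines quoted in the question above. */
static const char SAMPLE_OOPS[] =
    "Unable to handle kernel paging request at virtual address 7f101f7c\n"
    "pgd = 80004000\n"
    "[7f101f7c] *pgd=8c6c4811, *pte=00000000, *ppte=00000000\n"
    "Modules linked in: wilc3000(O) at_pwr_dev(O) pn5xx_i2c [last unloaded: at_pwr_dev]\n"
    "pc : [<7f101f7c>]    lr : [<807e1238>]    psr: 600f0013\n"
    "Code: bad PC value\n";

/* Layout assumptions (this example's): pgd = 80004000 and lr = 807e1238 are
   kernel addresses, so PAGE_OFFSET is 0x80000000 on this board, and 32-bit ARM
   loads module text into the 16 MB immediately below PAGE_OFFSET. */
#define PAGE_OFFSET   0x80000000u
#define MODULES_VADDR (PAGE_OFFSET - 16u * 1024u * 1024u)

enum region { REGION_USER = 0, REGION_MODULE = 1, REGION_KERNEL = 2 };

struct oops_regs { unsigned fault_addr, pc, lr, psr; };

/* Pull the faulting address and the pc/lr/psr register line out of the text. */
static int parse_oops(const char *oops, struct oops_regs *r)
{
    const char *l;
    memset(r, 0, sizeof *r);
    l = strstr(oops, "virtual address ");
    if (!l || sscanf(l, "virtual address %x", &r->fault_addr) != 1)
        return 0;
    l = strstr(oops, "pc : [<");
    return l && sscanf(l, "pc : [<%x>] lr : [<%x>] psr: %x",
                       &r->pc, &r->lr, &r->psr) == 3;
}

/* Module named in "[last unloaded: ...]"; empty string if none was listed. */
static int parse_last_unloaded(const char *oops, char *name, size_t n)
{
    static const char tag[] = "[last unloaded: ";
    const char *l = strstr(oops, tag);
    size_t i = 0;
    if (l)
        for (l += sizeof tag - 1; l[i] && l[i] != ']' && i + 1 < n; i++)
            name[i] = l[i];
    name[i] = '\0';
    return i > 0;
}

static enum region classify(unsigned addr)
{
    if (addr >= PAGE_OFFSET)   return REGION_KERNEL;
    if (addr >= MODULES_VADDR) return REGION_MODULE;
    return REGION_USER;
}

/* "Code: bad PC value" means the oops handler could not read the instruction
   bytes at PC. When the faulting address is PC itself, the instruction fetch
   faulted: control reached an address with no mapping (*pte=00000000). */
static int is_instruction_fetch_fault(const struct oops_regs *r)
{
    return r->fault_addr == r->pc;
}

/* vmlinux only covers kernel text; a module-area address must be rebased on
   the module's .text load address (/sys/module/<name>/sections/.text on the
   target) and resolved in that module's .ko with addr2line's -j .text. */
static int symbolize_cmd(unsigned addr, char *out, size_t n)
{
    switch (classify(addr)) {
    case REGION_KERNEL:
        return snprintf(out, n, "arm-none-linux-gnueabi-addr2line -f -e vmlinux 0x%08x", addr) > 0;
    case REGION_MODULE:
        return snprintf(out, n, "arm-none-linux-gnueabi-addr2line -f -j .text -e <module>.ko "
                        "<0x%08x minus the module's .text load address>", addr) > 0;
    default:
        return snprintf(out, n, "0x%08x is a user-space address", addr) > 0;
    }
}

int main(void)
{
    struct oops_regs r; char name[32], cmd[160];
    if (!parse_oops(SAMPLE_OOPS, &r)) return 1;
    parse_last_unloaded(SAMPLE_OOPS, name, sizeof name);
    printf("instruction fetch fault: %s, last unloaded module: %s\n",
           is_instruction_fetch_fault(&r) ? "yes" : "no", name);
    symbolize_cmd(r.pc, cmd, sizeof cmd); printf("pc: %s\n", cmd);
    symbolize_cmd(r.lr, cmd, sizeof cmd); printf("lr: %s\n", cmd);
    return 0;
}
```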

MIPS32 router: module_init not called for kernel module

I'm developing a kernel module that I want to run on my router. The router model is DGN2200v2 by Netgear. It's running Linux 2.6.30 on MIPS. My problem is that when I load my module it seems that my module_init isn't getting called. I tried to narrow it down by modifying my module_init to return -3 (which indicates an error?) and insmod still reports success. I can see my module in the output of lsmod, but I don't see my printk output using dmesg.
For starters, I wanted to create the simplest possible module:
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>

static int my_init(void)
{
    printk(KERN_EMERG "init_module() called\n");
    return -3;
}

static void my_cleanup(void)
{
    printk(KERN_EMERG "cleanup_module() called\n");
}

module_init(my_init);
module_exit(my_cleanup);
This is the Makefile I'm using:
TOOLCHAIN=/home/user/buildroot-2016.08/output/host/usr/bin/mips-buildroot-linux-uclibc-
ARCH=mips
CC = $(TOOLCHAIN)gcc
KBUILD_CFLAGS:=.
EXTRA_CFLAGS := -I/home/user/buildroot-2016.08/output/build/linux-headers-2.6.30/include \
    -I/home/user/buildroot-2016.08/output/build/linux-headers-2.6.30/arch/mips/include/asm/mach-mipssim \
    -I/home/user/buildroot-2016.08/output/build/linux-headers-2.6.30/arch/mips/include/asm/mach-generic \
    -fno-pic -mno-abicalls -O2
obj-m := module.o
KDIR := /home/user/buildroot-2016.08/output/build/linux-headers-2.6.30
PWD := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules
I'm running make like so:
make ARCH=mips CROSS_COMPILE=/home/user/buildroot-2016.08/output/host/usr/bin/mips-buildroot-linux-uclibc-
which passes successfully.
As you can see, I'm using Buildroot which I (hopefully) configured correctly. I can paste my .config if needed.
I ran objdump on my module and didn't find a problem. In particular, the module_init symbol seems to point to the same place as my my_init function, and it seems to have the code I expect it to:
module.ko: file format elf32-tradbigmips
module.ko
architecture: mips:isa32, flags 0x00000011:
HAS_RELOC, HAS_SYMS
start address 0x00000000
private flags = 50001001: [abi=O32] [mips32] [not 32bitmode] [noreorder]
MIPS ABI Flags Version: 0
ISA: MIPS32
GPR size: 32
CPR1 size: 0
CPR2 size: 0
FP ABI: Soft float
ISA Extension: None
ASEs:
None
FLAGS 1: 00000001
FLAGS 2: 00000000
Sections:
Idx Name Size VMA LMA File off Algn
0 .MIPS.abiflags 00000018 00000000 00000000 00000038 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA, LINK_ONCE_SAME_SIZE
1 .reginfo 00000018 00000000 00000000 00000050 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA, LINK_ONCE_SAME_SIZE
2 .note.gnu.build-id 00000024 00000018 00000018 00000068 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .text 00000040 00000000 00000000 00000090 2**4
CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
4 .rodata.str1.4 00000038 00000000 00000000 000000d0 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .modinfo 0000005c 00000000 00000000 00000108 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .data 00000000 00000000 00000000 00000170 2**4
CONTENTS, ALLOC, LOAD, DATA
7 .gnu.linkonce.this_module 0000014c 00000000 00000000 00000170 2**2
CONTENTS, ALLOC, LOAD, RELOC, DATA, LINK_ONCE_DISCARD
8 .bss 00000000 00000000 00000000 000002c0 2**4
ALLOC
9 .comment 00000040 00000000 00000000 000002c0 2**0
CONTENTS, READONLY
10 .pdr 00000040 00000000 00000000 00000300 2**2
CONTENTS, RELOC, READONLY
11 .gnu.attributes 00000010 00000000 00000000 00000340 2**0
CONTENTS, READONLY
12 .mdebug.abi32 00000000 00000000 00000000 00000350 2**0
CONTENTS, READONLY
SYMBOL TABLE:
00000000 l d .MIPS.abiflags 00000000 .MIPS.abiflags
00000000 l d .reginfo 00000000 .reginfo
00000018 l d .note.gnu.build-id 00000000 .note.gnu.build-id
00000000 l d .text 00000000 .text
00000000 l d .rodata.str1.4 00000000 .rodata.str1.4
00000000 l d .modinfo 00000000 .modinfo
00000000 l d .data 00000000 .data
00000000 l d .gnu.linkonce.this_module 00000000 .gnu.linkonce.this_module
00000000 l d .bss 00000000 .bss
00000000 l d .comment 00000000 .comment
00000000 l d .pdr 00000000 .pdr
00000000 l d .gnu.attributes 00000000 .gnu.attributes
00000000 l d .mdebug.abi32 00000000 .mdebug.abi32
00000000 l df *ABS* 00000000 module.c
00000000 l F .text 0000002c my_init
0000002c l F .text 00000014 my_cleanup
00000000 l .rodata.str1.4 00000000 $LC0
0000001c l .rodata.str1.4 00000000 $LC1
00000000 l df *ABS* 00000000 module.mod.c
00000000 l O .modinfo 00000023 __mod_srcversion23
00000024 l O .modinfo 00000009 __module_depends
00000030 l O .modinfo 0000002c __mod_vermagic5
00000000 g O .gnu.linkonce.this_module 0000014c __this_module
0000002c g F .text 00000014 cleanup_module
00000000 g F .text 0000002c init_module
00000000 *UND* 00000000 printk
Disassembly of section .MIPS.abiflags:
00000000 <.MIPS.abiflags>:
0: 00002001 movf a0,zero,$fcc0
4: 01000003 0x1000003
...
10: 00000001 movf zero,zero,$fcc0
14: 00000000 nop
Disassembly of section .reginfo:
00000000 <.reginfo>:
0: a2000014 sb zero,20(s0)
...
14: 00007fef 0x7fef
Disassembly of section .note.gnu.build-id:
00000018 <.note.gnu.build-id>:
18: 00000004 sllv zero,zero,zero
1c: 00000014 0x14
20: 00000003 sra zero,zero,0x0
24: 474e5500 c1 0x14e5500
28: c8e5d654 lwc2 $5,-10668(a3)
2c: cb477d3d lwc2 $7,32061(k0)
30: dfa48d71 ldc3 $4,-29327(sp)
34: c2ea16da ll t2,5850(s7)
38: f6bcae7d sdc1 $f28,-20867(s5)
Disassembly of section .text:
00000000 <init_module>:
0: 27bdffe8 addiu sp,sp,-24
4: 3c040000 lui a0,0x0
4: R_MIPS_HI16 $LC0
8: 3c020000 lui v0,0x0
8: R_MIPS_HI16 printk
c: afbf0014 sw ra,20(sp)
10: 24420000 addiu v0,v0,0
10: R_MIPS_LO16 printk
14: 0040f809 jalr v0
18: 24840000 addiu a0,a0,0
18: R_MIPS_LO16 $LC0
1c: 8fbf0014 lw ra,20(sp)
20: 2402fffd li v0,-3
24: 03e00008 jr ra
28: 27bd0018 addiu sp,sp,24
modinfo output also matches what I expect (same modinfo output as for another .ko that's found on the router, except for the srcversion which my module has but the other module on the router doesn't):
filename: /home/user/module/module.ko
srcversion: B0BADBA395A121CF49B74DC
depends:
vermagic: 2.6.30 mod_unload MIPS32_R1 32BIT
It's entirely possible that I messed something up in my Buildroot configuration, or something doesn't quite match the CPU type of the router, but my init code is so minimal that I'm out of ideas as to what could be wrong.
It turns out that the problem was related to a different kernel configuration between my development environment and the router. Specifically, my kernel was using CONFIG_UNUSED_SYMBOLS whereas the router's was not.
The reason this caused a problem even in a trivial module is that when the kernel loads a module it doesn't only look up the module_init symbol in the module's symbol table. Rather, it reads the module struct from the module (from the .gnu.linkonce.this_module section), and then calls the init module through that struct.
The offset of the init function pointer inside the module struct depends on the kernel configuration, which explains why the kernel can't find the init function if the configuration is different.
Thanks to Sam Protsenko for investing a lot of time in helping me crack this!

Debugging page allocation failure on Coldfire uCLinux

I'm sometimes getting this crash output below on my Coldfire uCLinux system. How do I work out what's causing the problem?
Apr 4 10:44:33 (none) user.debug syslog: starting NTP
sh: page allocation failure. order:8, mode:0xd0
Stack from 41da5dcc:
4005b0f2 400553b6 40207431 406131f8 00000008 000000d0 00000008 00000000
000000a2 000a2000 000a2000 0000000c 40544a14 00000000 405434fc 00000077
41da5eac 00000000 00000010 00000000 41da5008 41da5000 00000000 00000100
00000000 41da5000 00000000 000200d0 4024eecc 00000080 00000000 00000000
4005de52 000000d0 00000008 4024eec8 00000000 00000001 00004d09 00079100
00000004 00003f20 00013424 41cd7000 41da5fcc 41da5f2a 00015790 00000000
Call Trace with CONFIG_FRAME_POINTER disabled:
[4005b0f2] [400553b6] [40207431] [4005de52] [40067d64]
[40093892] [4004b15e] [400390d8] [40020e70] [400677d8]
[40020e70] [401f0c92] [40068468] [4006aa4e] [40020ea0]
[4002386c]
Mem-Info:
DMA per-cpu:
CPU 0: hi: 0, btch: 1 usd: 0
Active_anon:0 active_file:0 inactive_anon:0
inactive_file:4484 dirty:0 writeback:0 unstable:0
free:8806 slab:565 mapped:0 pagetables:0 bounce:0
DMA free:35216kB min:1016kB low:1268kB high:1524kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:17936kB present:65024kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 0
DMA: 0*4kB 0*8kB 1*16kB 4*32kB 6*64kB 3*128kB 46*256kB 44*512kB 0*1024kB 0*2048kB 0*4096kB 0*8192kB 0*16384kB = 35216kB
4484 total pagecache pages
0 pages RAM
0 pages reserved
0 pages shared
0 pages non-shared
Allocation of length 663552 from process 476 (sh) failed
DMA per-cpu:
CPU 0: hi: 0, btch: 1 usd: 0
Active_anon:0 active_file:0 inactive_anon:0
inactive_file:4484 dirty:0 writeback:0 unstable:0
free:8804 slab:567 mapped:0 pagetables:0 bounce:0
DMA free:35216kB min:1016kB low:1268kB high:1524kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:17936kB present:65024kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 0
DMA: 0*4kB 0*8kB 1*16kB 4*32kB 6*64kB 3*128kB 46*256kB 44*512kB 0*1024kB 0*2048kB 0*4096kB 0*8192kB 0*16384kB = 35216kB
4484 total pagecache pages
Unable to allocate RAM for process text/data, errno 12
sh: page allocation failure. order:8, mode:0xd0
Stack from 41ea6dcc:
4005b0f2 400553b6 40207431 40645848 00000008 000000d0 00000008 00000000
000000a2 000a2000 000a2000 0000000c 40544a6c 00000000 405434fc 00000077
41ea6eac 00000000 00000010 00000000 41ea6008 41ea6000 00000000 00000100
00000000 41ea6000 00000000 000200d0 4024eecc 00000080 00000000 00000000
4005de52 000000d0 00000008 4024eec8 00000000 00000001 00004d09 00079100
00000004 00003f20 00013424 410ae600 41ea6fcc 41ea6f2a 00015790 00000000
Call Trace with CONFIG_FRAME_POINTER disabled:
[4005b0f2] [400553b6] [40207431] [4005de52] [40067d64]
[40093892] [4004b15e] [400390d8] [40020e70] [400677d8]
[40020e70] [401f0c92] [40068468] [4006aa4e] [40020ea0]
[400239c2] [4002386c]
Mem-Info:
Your system has run out of 1 MB free pages. With the power-of-two allocator, you need a free page of size 1 MB to allocate 663552 bytes. This is caused by memory fragmentation. Normally, an MMU would reorganize the free space so that it appears contiguous for new allocations.
You can only take care of the problem through prevention. If the 663552 bytes are the sh binary, you will have to prevent it from being continuously re-loaded into memory. This might be done by putting it into an XIP file system.
It might be a heap allocation done by the shell. In this case, you will have to change whatever processing is causing such a large malloc.
At the system level, you will also have to see which programs are large or cause large mallocs and change their behavior so that they don't cause more fragmentation.
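An added example, not the answerer's code, that parses the DMA free-list line from the Mem-Info dump above and checks the answer's reasoning: 663552 bytes is an order-8 request (256 contiguous 4 kB pages), and although 35216 kB are free the largest free block is order 7 (512 kB), so the buddy allocator cannot serve it however much memory is free in total. It assumes 4 kB pages, which the 4kB first bucket of the line shows.

```c
#include <stdio.h>
#include <string.h>

/* Free-list line constructed from the Mem-Info dump quoted in the question. */
static const char SAMPLE_FREE_LIST[] =
    "DMA: 0*4kB 0*8kB 1*16kB 4*32kB 6*64kB 3*128kB 46*256kB 44*512kB "
    "0*1024kB 0*2048kB 0*4096kB 0*8192kB 0*16384kB = 35216kB";

#define PAGE_KB   4    /* 4 kB pages, as the first 4kB bucket shows */
#define MAX_ORDER 16   /* room for orders 0..15; the log lists 0..12 */

struct buddy_info {
    unsigned long count[MAX_ORDER]; /* free blocks of each order */
    unsigned long total_kb;         /* figure the kernel printed after '=' */
};

/* Order of a bucket size: log2 of its size in pages, e.g. 512kB -> 128 pages -> 7 */
static unsigned order_of_kb(unsigned long kb)
{
    unsigned order = 0;
    unsigned long pages = kb / PAGE_KB;
    while (pages > 1) { pages >>= 1; order++; }
    return order;
}

/* Parse "ZONE: N*SkB N*SkB ... = TkB"; returns entries parsed, 0 on error. */
static int parse_free_list(const char *line, struct buddy_info *bi)
{
    const char *p = strchr(line, ':');
    int entries = 0;
    memset(bi, 0, sizeof *bi);
    if (!p) return 0;
    p++;
    for (;;) {
        unsigned long n, kb; int used; unsigned order;
        while (*p == ' ') p++;
        if (*p == '\0') break;
        if (*p == '=') { sscanf(p, "= %lukB", &bi->total_kb); break; }
        if (sscanf(p, "%lu*%lukB%n", &n, &kb, &used) != 2) return 0;
        order = order_of_kb(kb);
        if (order >= MAX_ORDER) return 0;
        bi->count[order] = n;
        entries++;
        p += used;
    }
    return entries;
}

/* Total free memory recomputed from the buckets; must match total_kb. */
static unsigned long free_kb(const struct buddy_info *bi)
{
    unsigned long kb = 0; unsigned o;
    for (o = 0; o < MAX_ORDER; o++) kb += bi->count[o] * ((unsigned long)PAGE_KB << o);
    return kb;
}

/* Largest order with at least one free block, or -1 if nothing is free. */
static int largest_free_order(const struct buddy_info *bi)
{
    int o;
    for (o = MAX_ORDER - 1; o >= 0; o--) if (bi->count[o]) return o;
    return -1;
}

/* Smallest order whose block (2^order pages) holds `bytes` contiguously. */
static unsigned order_for_bytes(unsigned long bytes)
{
    unsigned long pages = (bytes + PAGE_KB * 1024 - 1) / (PAGE_KB * 1024);
    unsigned order = 0;
    while ((1ul << order) < pages) order++;
    return order;
}

/* The buddy allocator serves an order-N request only by splitting a free block
   of order >= N; the total amount of free memory does not enter into it. */
static int can_satisfy(const struct buddy_info *bi, unsigned order)
{
    return largest_free_order(bi) >= (int)order;
}

int main(void)
{
    struct buddy_info bi;
    unsigned need = order_for_bytes(663552);   /* size of the failing request */
    if (!parse_free_list(SAMPLE_FREE_LIST, &bi)) return 1;
    printf("free %lukB (reported %lukB), largest free block order %d, "
           "request needs order %u: %s\n", free_kb(&bi), bi.total_kb,
           largest_free_order(&bi), need, can_satisfy(&bi, need) ? "ok" : "fragmented");
    return 0;
}
```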
