While learning how to program keyboard interrupt handling in kernel mode, and following the example below, I get the error shown further down after loading the driver into kernel space.
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/sched.h>
#include <linux/workqueue.h>
#include <linux/interrupt.h>
#include <asm/io.h>

MODULE_LICENSE("GPL");

irqreturn_t irq_handler(int irq, void *dev_id, struct pt_regs *regs)
{
    static unsigned char scancode, status;

    status = inb(0x64);     /* keyboard controller status register */
    scancode = inb(0x60);   /* keyboard controller data register */
    switch (scancode) {
    case 0x01:
        printk(KERN_INFO "! You pressed Esc ...\n");
        break;
    case 0x3B:
        printk(KERN_INFO "! You pressed F1 ...\n");
        break;
    case 0x3C:
        printk(KERN_INFO "! You pressed F2 ...\n");
        break;
    default:
        break;
    }
    return IRQ_HANDLED;
}

static int __init irq_ex_init(void)
{
    printk(KERN_INFO "DEVICE OPEN...\n");
    free_irq(1, NULL);
    return request_irq(1, (irq_handler_t)irq_handler, IRQF_SHARED,
                       "test_keyboard_irq_handler", (void *)(irq_handler));
}

static void __exit irq_ex_exit(void)
{
    printk(KERN_INFO "!DEVICE CLOSE...\n");
    free_irq(1, (void *)(irq_handler));
}

module_init(irq_ex_init);
module_exit(irq_ex_exit);
Unloading also works fine, but after loading with insmod I get the following error. I was wondering if somebody can explain it.
I use Ubuntu 16.04.2 LTS.
Dec 5 12:02:01 iman kernel: [ 502.506500] ------------[ cut here ]------------
Dec 5 12:02:01 iman kernel: [ 502.506510] WARNING: CPU: 1 PID: 4240 at /build/linux-hwe-zOpU13/linux-hwe-4.10.0/kernel/irq/manage.c:1484 __free_irq+0xa4/0x290
Dec 5 12:02:01 iman kernel: [ 502.506511] Trying to free already-free IRQ 1
Dec 5 12:02:01 iman kernel: [ 502.506512] Modules linked in: DDriver(OE+) Driver(OE) xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat libcrc32c nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables snd_hda_codec_hdmi eeepc_wmi asus_wmi sparse_keymap intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel cryptd intel_cstate intel_rapl_perf joydev input_leds snd_seq_midi snd_seq_midi_event snd_hda_codec_realtek snd_hda_codec_generic snd_rawmidi snd_hda_intel snd_hda_codec lpc_ich snd_seq snd_hda_core snd_hwdep snd_seq_device snd_pcm snd_timer snd soundcore mei_me shpchp mei mac_hid kvm binfmt_misc
Dec 5 12:02:01 iman kernel: [ 502.506560] irqbypass parport_pc ppdev lp parport autofs4 hid_cherry hid_generic usbhid hid nouveau mxm_wmi i2c_algo_bit ttm drm_kms_helper ahci syscopyarea libahci sysfillrect r8169 sysimgblt mii fb_sys_fops drm wmi fjes video [last unloaded: DDriver]
Dec 5 12:02:01 iman kernel: [ 502.506584] CPU: 1 PID: 4240 Comm: insmod Tainted: G W OE 4.10.0-40-generic #44~16.04.1-Ubuntu
Dec 5 12:02:01 iman kernel: [ 502.506585] Hardware name: ASUSTeK Computer INC. V-P8H67E/V-P8H67E, BIOS 1401 12/12/2011
Dec 5 12:02:01 iman kernel: [ 502.506586] Call Trace:
Dec 5 12:02:01 iman kernel: [ 502.506593] dump_stack+0x63/0x90
Dec 5 12:02:01 iman kernel: [ 502.506596] __warn+0xcb/0xf0
Dec 5 12:02:01 iman kernel: [ 502.506598] warn_slowpath_fmt+0x5f/0x80
Dec 5 12:02:01 iman kernel: [ 502.506602] __free_irq+0xa4/0x290
Dec 5 12:02:01 iman kernel: [ 502.506604] free_irq+0x39/0x90
Dec 5 12:02:01 iman kernel: [ 502.506607] ? 0xffffffffc0183000
Dec 5 12:02:01 iman kernel: [ 502.506611] irq_ex_init+0x26/0x1000 [DDriver]
Dec 5 12:02:01 iman kernel: [ 502.506614] do_one_initcall+0x53/0x1c0
Dec 5 12:02:01 iman kernel: [ 502.506619] ? kmem_cache_alloc_trace+0x152/0x1c0
Dec 5 12:02:01 iman kernel: [ 502.506624] do_init_module+0x5f/0x1ff
Dec 5 12:02:01 iman kernel: [ 502.506629] load_module+0x1825/0x1bf0
Dec 5 12:02:01 iman kernel: [ 502.506632] ? __symbol_put+0x60/0x60
Dec 5 12:02:01 iman kernel: [ 502.506636] ? ima_post_read_file+0x7d/0xa0
Dec 5 12:02:01 iman kernel: [ 502.506640] ? security_kernel_post_read_file+0x6b/0x80
Dec 5 12:02:01 iman kernel: [ 502.506644] SYSC_finit_module+0xdf/0x110
Dec 5 12:02:01 iman kernel: [ 502.506648] SyS_finit_module+0xe/0x10
Dec 5 12:02:01 iman kernel: [ 502.506652] entry_SYSCALL_64_fastpath+0x1e/0xad
Dec 5 12:02:01 iman kernel: [ 502.506655] RIP: 0033:0x7f0f6a2a3499
Dec 5 12:02:01 iman kernel: [ 502.506656] RSP: 002b:00007fff1b8c96f8 EFLAGS: 00000202 ORIG_RAX: 0000000000000139
Dec 5 12:02:01 iman kernel: [ 502.506659] RAX: ffffffffffffffda RBX: 00007f0f6a566b20 RCX: 00007f0f6a2a3499
Dec 5 12:02:01 iman kernel: [ 502.506661] RDX: 0000000000000000 RSI: 000055649bd65246 RDI: 0000000000000003
Dec 5 12:02:01 iman kernel: [ 502.506663] RBP: 0000000000001011 R08: 0000000000000000 R09: 00007f0f6a568ea0
Dec 5 12:02:01 iman kernel: [ 502.506664] R10: 0000000000000003 R11: 0000000000000202 R12: 00007f0f6a566b78
Dec 5 12:02:01 iman kernel: [ 502.506665] R13: 00007f0f6a566b78 R14: 000000000000270f R15: 00007f0f6a5671a8
Dec 5 12:02:01 iman kernel: [ 502.506668] ---[ end trace 4b89a13407b08cea ]---
free_irq() should never be called with NULL; you should pass the unique handler that you used when registering the IRQ.

    free_irq(1, (void *)(irq_handler));   /* in your case */

You should not free the IRQ in the init function; free_irq() should be called after the request_irq() call has been made in the same module.
Even if you call free_irq(1, (void *)(irq_handler)); in the init function, the kernel will taint, as the handler was not previously registered.
You need to let the kernel know which handler you want to remove.
As you don't know which module has already registered the same IRQ, the logic is to use a shared IRQ in your module, which you have already implemented in your code.
In short, do not free the IRQ in the init function.
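The following is a userspace C model of the kernel's IRQ action bookkeeping, added here to illustrate the answer; it is not kernel code and not from the question or the answer. It mirrors two rules from kernel/irq/manage.c: a shared registration must carry a non-NULL dev_id, and free_irq() locates the action to remove only by that dev_id, so free_irq(1, NULL) matches nothing and warns exactly as the trace above shows. The duplicate-cookie rule and the stand-in cookies for the keyboard driver and the module are the model's own simplifications.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define IRQF_SHARED 0x80   /* same bit value as in <linux/interrupt.h> */
#define NR_IRQS 16         /* enough lines for the model */

/* One registered handler on a line (the kernel's struct irqaction carries more). */
struct irqaction {
    const char *name;
    unsigned long flags;
    void *dev_id;            /* the cookie that identifies this registration */
    struct irqaction *next;
};

static struct irqaction *irq_desc[NR_IRQS];   /* action chain per IRQ line */
static int warn_count;                         /* emulated WARN() counter */

/* Mirrors the sanity checks of request_threaded_irq() and __setup_irq(). */
int model_request_irq(int irq, unsigned long flags, const char *name, void *dev_id)
{
    struct irqaction *act, **pp;

    if (irq < 0 || irq >= NR_IRQS)
        return -EINVAL;
    if ((flags & IRQF_SHARED) && !dev_id)        /* shared lines need a real cookie */
        return -EINVAL;
    for (pp = &irq_desc[irq]; (act = *pp) != NULL; pp = &act->next) {
        if (!(act->flags & flags & IRQF_SHARED))  /* both sides must agree to share */
            return -EBUSY;
        if (act->dev_id == dev_id)                /* model's own rule: a duplicate cookie would make free ambiguous */
            return -EBUSY;
    }
    act = calloc(1, sizeof(*act));
    if (!act)
        return -ENOMEM;
    act->name = name;
    act->flags = flags;
    act->dev_id = dev_id;
    *pp = act;                                    /* append to the chain */
    return 0;
}

/* Mirrors __free_irq(): the action to drop is found by dev_id and nothing else. */
int model_free_irq(int irq, void *dev_id)
{
    struct irqaction *act, **pp;

    if (irq < 0 || irq >= NR_IRQS)
        return -EINVAL;
    for (pp = &irq_desc[irq]; (act = *pp) != NULL; pp = &act->next) {
        if (act->dev_id == dev_id) {
            *pp = act->next;
            free(act);
            return 0;
        }
    }
    warn_count++;   /* the kernel prints this through WARN(), which also taints it (the W flag) */
    fprintf(stderr, "WARNING: Trying to free already-free IRQ %d\n", irq);
    return -ENOENT;
}

/* Number of handlers currently chained on a line. */
int model_actions(int irq)
{
    int n = 0;
    struct irqaction *act;
    for (act = irq_desc[irq]; act; act = act->next)
        n++;
    return n;
}

/* Replays the question on IRQ 1; returns the actions left after the module's own free: 1. */
int replay_question(void)
{
    static int kbd_cookie, module_cookie;   /* constructed stand-ins for real dev_id pointers */
    int before;
    /* The keyboard driver already owns IRQ 1 and registered it as shared. */
    if (model_request_irq(1, IRQF_SHARED, "i8042", &kbd_cookie) != 0)
        return -1;
    before = warn_count;
    model_free_irq(1, NULL);                /* the question's init: no action has dev_id NULL */
    if (warn_count != before + 1)
        return -2;
    /* The question's request_irq() succeeds because both registrations are IRQF_SHARED. */
    if (model_request_irq(1, IRQF_SHARED, "test_keyboard_irq_handler", &module_cookie) != 0)
        return -3;
    if (model_free_irq(1, &module_cookie) != 0)   /* exit path: same cookie as registered */
        return -4;
    return model_actions(1);
}

int main(void)
{
    int left = replay_question();
    printf("actions left on IRQ 1: %d, warnings emitted: %d\n", left, warn_count);
    return left == 1 ? 0 : 1;
}
```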
So I have been trying to get the syscall table by brute forcing, and the module keeps bringing up an error at a certain address, "ffffffff81000018". The following is the code I have used:
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/dirent.h>
#include <linux/syscalls.h>
#include <linux/sysfs.h>
#include <linux/list.h>
#include <linux/proc_fs.h>
#include <linux/string.h>
#include <linux/uaccess.h>
#include <linux/fs.h>
#include <linux/unistd.h>
#include <linux/cred.h>

#if defined __x86_64__
#define START_ADDRESS 0xffffffff81000000
#define END_ADDRESS   0xffffffffa2000000
#endif

MODULE_LICENSE("GPL");

void **syscall_table;

void **find_syscall_table(void)
{
    void **sctable;
    void *i = (void *)START_ADDRESS;

    while (i < (void *)END_ADDRESS) {
        sctable = (void *)i;
        if (sctable[__NR_close] == (void *)sys_close)
            return sctable;
        i += sizeof(void *);
    }
    return NULL;
}

int init_module(void)
{
    syscall_table = (void *)find_syscall_table();
    if (syscall_table != NULL)
        pr_info("Found sys_call_table at %p\n", syscall_table);
    return 0;
}

void cleanup_module(void)
{
    pr_info("Good bye kernel!!!!");
}
and the problem I get is the following:
[ 1376.153652] BUG: unable to handle kernel paging request at ffffffff81000018
[ 1376.153660] IP: init_module+0x1b/0x50 [hide_file]
[ 1376.153662] PGD 1bc0e067 P4D 1bc0e067 PUD 1bc0f063 PMD 0
[ 1376.153666] Oops: 0000 [#1] SMP PTI
[ 1376.153668] Modules linked in: hide_file(O+) fuse bnep pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) binfmt_misc nls_ascii nls_cp437 vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core snd_soc_skl videodev snd_hda_codec_hdmi media intel_rapl snd_soc_skl_ipc snd_hda_ext_core x86_pkg_temp_thermal btusb intel_powerclamp snd_soc_sst_dsp coretemp snd_soc_sst_ipc btrtl btbcm snd_soc_acpi btintel snd_hda_codec_realtek snd_hda_codec_generic snd_soc_core bluetooth snd_compress kvm drbg ansi_cprng snd_hda_intel ecdh_generic i915 irqbypass snd_hda_codec snd_hda_core arc4 wmi_bmof rtsx_pci_ms intel_cstate snd_hwdep iwlmvm snd_pcm mac80211 iwlwifi intel_uncore thinkpad_acpi drm_kms_helper mei_me snd_timer memstick nvram cfg80211 efi_pstore intel_rapl_perf snd evdev
[ 1376.153706] efivars sg drm soundcore mei joydev pcspkr serio_raw rfkill wmi shpchp intel_pch_thermal iTCO_wdt iTCO_vendor_support battery ac video i2c_algo_bit button tpm_crb efivarfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic fscrypto ecb hid_generic usbhid hid sd_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc rtsx_pci_sdmmc mmc_core aesni_intel aes_x86_64 crypto_simd glue_helper cryptd rtsx_pci ahci mfd_core e1000e libahci xhci_pci ptp psmouse pps_core libata xhci_hcd i2c_i801 scsi_mod usbcore usb_common thermal
[ 1376.153737] CPU: 0 PID: 2244 Comm: insmod Tainted: G O 4.15.0-kali2-amd64 #1 Debian 4.15.11-1kali1
[ 1376.153742] RIP: 0010:init_module+0x1b/0x50 [hide_file]
[ 1376.153743] RSP: 0018:ffffc0adc85cfcc8 EFLAGS: 00010246
[ 1376.153745] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 1376.153747] RDX: 000000000004e55a RSI: ffffffff81000000 RDI: ffffffffc0eea030
[ 1376.153749] RBP: ffffffffc0eea030 R08: ffff9965a2424b60 R09: ffffffffbcb0b288
[ 1376.153750] R10: ffffea3746bc08c0 R11: 0000000000000000 R12: ffff9965521f7a60
[ 1376.153752] R13: ffffffffc0eec018 R14: 0000000000000001 R15: ffff9964ff2474e0
[ 1376.153754] FS: 00007f2e082e8b80(0000) GS:ffff9965a2400000(0000) knlGS:0000000000000000
[ 1376.153755] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1376.153757] CR2: ffffffff81000018 CR3: 0000000154c84002 CR4: 00000000003606f0
[ 1376.153758] Call Trace:
[ 1376.153763] do_one_initcall+0x4e/0x18d
[ 1376.153768] ? free_unref_page_commit+0x95/0x110
[ 1376.153770] ? _cond_resched+0x15/0x40
[ 1376.153773] ? kmem_cache_alloc_trace+0x14b/0x1a0
[ 1376.153777] ? do_init_module+0x22/0x201
[ 1376.153779] do_init_module+0x5b/0x201
[ 1376.153783] load_module.constprop.54+0x2725/0x2c70
[ 1376.153786] ? vfs_read+0x113/0x130
[ 1376.153789] ? SYSC_finit_module+0xe9/0x110
[ 1376.153792] SYSC_finit_module+0xe9/0x110
[ 1376.153795] do_syscall_64+0x6e/0x130
[ 1376.153798] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 1376.153801] RIP: 0033:0x7f2e07c178f9
[ 1376.153802] RSP: 002b:00007ffd4e622498 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 1376.153804] RAX: ffffffffffffffda RBX: 00005629814157b0 RCX: 00007f2e07c178f9
[ 1376.153806] RDX: 0000000000000000 RSI: 000056297fbc9a78 RDI: 0000000000000003
[ 1376.153807] RBP: 000056297fbc9a78 R08: 0000000000000000 R09: 00007f2e07edd000
[ 1376.153809] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[ 1376.153810] R13: 0000562981415760 R14: 0000000000000000 R15: 0000000000000000
[ 1376.153812] Code: c2 bc 75 ea f3 c3 31 c0 c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 48 c7 c6 00 00 00 81 eb 0d 48 83 c6 08 48 81 fe 00 00 00 a2 74 19 <48> 81 7e 18 d0 c5 c2 bc 75 e9 48 85 f6 48 89 35 e1 22 00 00 75
[ 1376.153844] RIP: init_module+0x1b/0x50 [hide_file] RSP: ffffc0adc85cfcc8
[ 1376.153845] CR2: ffffffff81000018
[ 1376.153847] ---[ end trace ec4600bb069abdd2 ]---
Could anyone please guide me on how to solve this problem, so as to be able to hijack syscalls?
Thanks.
Just use the kernel function kallsyms_lookup_name("sys_call_table") from "linux/kallsyms.h". That will return the address of the system call table as found in the /proc/kallsyms file. Don't worry if the address found in /boot/System.map-`uname -r` is different; you still found the sys_call_table.
This is not a "certain address". The close syscall number is 3, thus the very first address you are testing is START_ADDRESS + 3 * sizeof(void *), and it equals precisely the faulting address.
This then suggests that the params you used here are wrong to begin with.
The real question is why you are looking for a system call table, let alone in this manner. In the vast majority of cases you don't want to overwrite any syscall entries.
I need to create a loadable kernel module which sends data to another remote computer.
I'm writing for the 4.10 kernel.
I tried the netpoll API, but all I got was errors, and I can't find any new and up-to-date information about socket programming inside the kernel.
Can anyone give me an example (or any directions) for it?
#include <linux/netpoll.h>
#include <linux/string.h>

/* Declarations the snippet relies on; assumed, as they are not shown in the question. */
static struct netpoll np_t;
static struct netpoll *np;

int init_netpoll(void)
{
    np_t.name = "LRNG";
    strlcpy(np_t.dev_name, "enp3s0", IFNAMSIZ);
    np_t.local_ip.ip = htonl((unsigned long int)0xc6a80121);
    np_t.local_ip.in.s_addr = htonl((unsigned long int)0xc6a80121);
    np_t.remote_ip.ip = htonl((unsigned long int)0xc6a80114);
    np_t.remote_ip.in.s_addr = htonl((unsigned long int)0xc6a80114);
    np_t.ipv6 = 0;              /* no IPv6 */
    np_t.local_port = 6666;
    np_t.remote_port = 80;
    memset(np_t.remote_mac, 0xff, ETH_ALEN);
    netpoll_print_options(&np_t);
    if (!netpoll_setup(&np_t)) {
        return 1;
    }
    np = &np_t;
    return 0;
}

void clean_netpoll(void)
{
    /* nothing */
}

void sendUdp(const char *buf)
{
    printk("********** SEND UDP **********");
    netpoll_send_udp(np, buf, strlen(buf));
}
The log:
[ 278.702352] ********** SEND UDP **********
[ 278.702353] ------------[ cut here ]------------
[ 278.702358] WARNING: CPU: 2 PID: 2153 at /build/linux-nhaT8l/linux-4.10.0/net/core/netpoll.c:394 netpoll_send_udp+0x443/0x450
[ 278.702359] Modules linked in: netCharDev(OE+) rfcomm bnep btusb btrtl btbcm btintel bluetooth uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev media wl(POE) intel_rapl x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_hdmi coretemp kvm irqbypass binfmt_misc crct10dif_pclmul snd_hda_codec_realtek snd_hda_codec_generic crc32_pclmul ghash_clmulni_intel cryptd intel_cstate intel_rapl_perf snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm joydev input_leds serio_raw snd_seq_midi snd_seq_midi_event snd_rawmidi thinkpad_acpi nvram snd_seq snd_seq_device cfg80211 snd_timer lpc_ich snd shpchp mei_me mei soundcore mac_hid parport_pc ppdev lp parport ip_tables x_tables autofs4 uas usb_storage i915 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops
[ 278.702393] psmouse ahci drm r8169 libahci mii wmi fjes video
[ 278.702399] CPU: 2 PID: 2153 Comm: insmod Tainted: P OE 4.10.0-33-generic #37-Ubuntu
[ 278.702400] Hardware name: LENOVO 62742BG/62742BG, BIOS H1ET69WW (1.12 ) 11/15/2012
[ 278.702400] Call Trace:
[ 278.702404] dump_stack+0x63/0x81
[ 278.702406] __warn+0xcb/0xf0
[ 278.702409] warn_slowpath_null+0x1d/0x20
[ 278.702411] netpoll_send_udp+0x443/0x450
[ 278.702413] ? netpoll_setup+0x166/0x2d0
[ 278.702416] sendUdp+0x32/0x35 [netCharDev]
[ 278.702417] ? 0xffffffffc025d000
[ 278.702420] netCharDev_init+0x26/0x1000 [netCharDev]
[ 278.702421] ? 0xffffffffc025d000
[ 278.702423] do_one_initcall+0x52/0x1b0
[ 278.702426] ? kmem_cache_alloc_trace+0x142/0x190
[ 278.702428] do_init_module+0x5f/0x200
[ 278.702432] load_module+0x190b/0x1c70
[ 278.702433] ? __symbol_put+0x60/0x60
[ 278.702436] ? ima_post_read_file+0x7e/0xa0
[ 278.702438] ? security_kernel_post_read_file+0x6b/0x80
[ 278.702440] SYSC_finit_module+0xdf/0x110
[ 278.702443] SyS_finit_module+0xe/0x10
[ 278.702445] entry_SYSCALL_64_fastpath+0x1e/0xad
[ 278.702447] RIP: 0033:0x7feb867b39f9
[ 278.702448] RSP: 002b:00007ffd0e884438 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 278.702449] RAX: ffffffffffffffda RBX: 0000563b09907a70 RCX: 00007feb867b39f9
[ 278.702450] RDX: 0000000000000000 RSI: 0000563b091e7f8b RDI: 0000000000000003
[ 278.702451] RBP: 00007feb86a72b00 R08: 0000000000000000 R09: 00007feb86a74ea0
[ 278.702452] R10: 0000000000000003 R11: 0000000000000246 R12: 00007feb86a72b58
[ 278.702453] R13: 00007feb86a72b58 R14: 000000000000270f R15: 0000000000001010
[ 278.702455] ---[ end trace ca1c43e67bc5a307 ]---
[ 278.702460] BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
[ 278.702507] IP: netpoll_send_udp+0x30/0x450
[ 278.702528] PGD 0
[ 278.702550] Oops: 0000 [#1] SMP
[ 278.702567] Modules linked in: netCharDev(OE+) rfcomm bnep btusb btrtl btbcm btintel bluetooth uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev media wl(POE) intel_rapl x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_hdmi coretemp kvm irqbypass binfmt_misc crct10dif_pclmul snd_hda_codec_realtek snd_hda_codec_generic crc32_pclmul ghash_clmulni_intel cryptd intel_cstate intel_rapl_perf snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm joydev input_leds serio_raw snd_seq_midi snd_seq_midi_event snd_rawmidi thinkpad_acpi nvram snd_seq snd_seq_device cfg80211 snd_timer lpc_ich snd shpchp mei_me mei soundcore mac_hid parport_pc ppdev lp parport ip_tables x_tables autofs4 uas usb_storage i915 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops
[ 278.705010] psmouse ahci drm r8169 libahci mii wmi fjes video
[ 278.705917] CPU: 2 PID: 2153 Comm: insmod Tainted: P W OE 4.10.0-33-generic #37-Ubuntu
[ 278.706956] Hardware name: LENOVO 62742BG/62742BG, BIOS H1ET69WW (1.12 ) 11/15/2012
[ 278.707781] task: ffff95ea2cc78000 task.stack: ffffa707c2318000
[ 278.708618] RIP: 0010:netpoll_send_udp+0x30/0x450
[ 278.709876] RSP: 0018:ffffa707c231bc30 EFLAGS: 00010286
[ 278.711806] RAX: 0000000000000024 RBX: ffffffffc07e33fa RCX: 0000000000000006
[ 278.713766] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000009
[ 278.715709] RBP: ffffa707c231bc70 R08: 0000000000000001 R09: 000000000000035c
[ 278.716998] R10: ffffffffafe06a40 R11: 0000000000000000 R12: 0000000000000000
[ 278.719051] R13: 0000000000000004 R14: ffff95ea0b9b7240 R15: ffff95ea0b9b7288
[ 278.721031] FS: 00007feb86c7c700(0000) GS:ffff95ea9e280000(0000) knlGS:0000000000000000
[ 278.723056] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 278.725069] CR2: 0000000000000040 CR3: 000000008bb50000 CR4: 00000000001406e0
[ 278.727111] Call Trace:
[ 278.729143] ? netpoll_setup+0x166/0x2d0
[ 278.731205] sendUdp+0x32/0x35 [netCharDev]
[ 278.733273] ? 0xffffffffc025d000
[ 278.735303] netCharDev_init+0x26/0x1000 [netCharDev]
[ 278.737356] ? 0xffffffffc025d000
[ 278.739401] do_one_initcall+0x52/0x1b0
[ 278.741440] ? kmem_cache_alloc_trace+0x142/0x190
[ 278.743465] do_init_module+0x5f/0x200
[ 278.745506] load_module+0x190b/0x1c70
[ 278.747510] ? __symbol_put+0x60/0x60
[ 278.749517] ? ima_post_read_file+0x7e/0xa0
[ 278.751477] ? security_kernel_post_read_file+0x6b/0x80
[ 278.753435] SYSC_finit_module+0xdf/0x110
[ 278.755327] SyS_finit_module+0xe/0x10
[ 278.757264] entry_SYSCALL_64_fastpath+0x1e/0xad
[ 278.759180] RIP: 0033:0x7feb867b39f9
[ 278.761256] RSP: 002b:00007ffd0e884438 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 278.761260] RAX: ffffffffffffffda RBX: 0000563b09907a70 RCX: 00007feb867b39f9
[ 278.761261] RDX: 0000000000000000 RSI: 0000563b091e7f8b RDI: 0000000000000003
[ 278.761263] RBP: 00007feb86a72b00 R08: 0000000000000000 R09: 00007feb86a74ea0
[ 278.761265] R10: 0000000000000003 R11: 0000000000000246 R12: 00007feb86a72b58
[ 278.761266] R13: 00007feb86a72b58 R14: 000000000000270f R15: 0000000000001010
[ 278.761269] Code: 55 48 89 e5 41 57 41 56 41 55 41 54 49 89 fc 53 41 89 d5 48 83 ec 18 48 89 34 24 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 ee 03 00 00 <41> 80 7c 24 40 00 41 8d 45 08 41 8d 55 1c bb 0a 00 00 00 41 bf
[ 278.761336] RIP: netpoll_send_udp+0x30/0x450 RSP: ffffa707c231bc30
[ 278.761337] CR2: 0000000000000040
[ 278.772275] ---[ end trace ca1c43e67bc5a308 ]---
Is there any way I can debug kernel code to see whether the error is somewhere inside the netpoll API?
P.S.
For those who will say I should do this in userspace: I did my thinking and I really need to do this inside kernel space.
I've also read the following questions and they were no help for me:
Sending UDP packets from the Linux Kernel
Sending UDP packets from the Linux Kernel (different question)
As I tried to find the solution by using netpoll, I found that using a socket might be more useful.
I found this link to a GitHub repository that has exactly the example of an echo client and server in the Linux kernel.
Hope it will help everyone who searched for it too.
I am trying to create a kernel module which needs to find whether a specific USB device is attached or not, namely a USB keyboard, and whether it has DMA access or not.
To achieve this I am traversing all the URB structures (linux/usb.h) present in RAM. When I find a struct that is not null, I try to access the device information via the struct usb_device *dev pointer declared inside the URB structure.
However, access to any information inside *dev results in an OOPS condition with the bug stating "Unable to handle kernel paging request at ffffe00121160800". The address remains constant every time.
The following is just a snippet of my whole kernel module.
#define x(y) ((void *)((uint32_t)(y) + PAGE_OFFSET))

static int __init check(void)
{
    unsigned long long i;

    for (i = 0; i < ULLONG_MAX; i += 0x10) {
        struct urb *urbptr = (struct urb *)x(i);

        if ((((unsigned long)urbptr->dev) % 0x400) == 0 &&
            (((unsigned long)urbptr->transfer_dma) % 0x20) == 0 &&
            urbptr->transfer_buffer_length == 8 &&
            urbptr->transfer_buffer != NULL &&
            urbptr->dev != NULL) {
            printk("\n%s\n", urbptr->dev->product);
        }
    }
    return 0;
}
The error occurs each time I try to access any value of a usb_device structure (not just char *product). After a lot of debugging I was able to identify that the error occurs only at the printk statement, i.e. *dev is not null; the page fault occurs only when I try to access its data members.
Source of struct usb_device
Source of struct urb
Here is the dmesg output:
[ 93.925232] BUG: unable to handle kernel paging request at ffffe00121160800
[ 93.925287] IP: [<ffffffffc01320f0>] check+0xf0/0x1000 [check]
[ 93.925334] PGD 0
[ 93.925350] Oops: 0000 [#1] SMP
[ 93.925375] Modules linked in: check(POE+) ctr ccm nvram msr pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) bnep rfcomm binfmt_misc nls_iso8859_1 uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core v4l2_common videodev media rtsx_usb_ms memstick btusb bluetooth 6lowpan_iphc fglrx(POE) ip6t_REJECT xt_hl ip6t_rt nf_conntrack_ipv6 nf_defrag_ipv6 ipt_REJECT xt_LOG xt_limit xt_tcpudp xt_addrtype nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack ip6table_filter ip6_tables nf_conntrack_netbios_ns nf_conntrack_broadcast nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack iptable_filter ip_tables x_tables wl(POE) arc4 iwldvm mac80211 dell_wmi sparse_keymap dell_laptop dcdbas snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_codec_realtek snd_hda_codec_generic kvm_intel kvm snd_hda_intel snd_hda_controller snd_hda_codec crct10dif_pclmul crc32_pclmul snd_hwdep ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul snd_pcm glue_helper ablk_helper cryptd snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq joydev serio_raw iwlwifi cfg80211 snd_seq_device snd_timer snd lpc_ich soundcore mei_me mei amd_iommu_v2 mac_hid shpchp parport_pc ppdev lp parport rtsx_usb_sdmmc rtsx_usb i915 psmouse ahci libahci i2c_algo_bit drm_kms_helper drm r8169 mii wmi video
[ 93.926369] CPU: 3 PID: 3410 Comm: modprobe Tainted: P OE 3.16.0-41-generic #57~14.04.1-Ubuntu
[ 93.926439] task: ffff88008b7fd180 ti: ffff880221114000 task.ti: ffff880221114000
[ 93.926448] RIP: 0010:[<ffffffffc01320f0>] [<ffffffffc01320f0>] scan_start+0xf0/0x1000 [check]
[ 93.926449] RSP: 0018:ffff880221117d28 EFLAGS: 00010282
[ 93.926450] RAX: 0000000000000005 RBX: 0000000000207f40 RCX: 0000000000004c00
[ 93.926451] RDX: 000000000000e76a RSI: 0000000000000046 RDI: 0000000000000246
[ 93.926453] RBP: ffff880221117d40 R08: 0000000000000092 R09: 0000000000061bd7
[ 93.926454] R10: 0000000000000000 R11: ffff880221117ac6 R12: ffffe00121160800
[ 93.926455] R13: ffff880000000000 R14: ffffffffc0132000 R15: ffffffffc1c42000
[ 93.926457] FS: 00007f3eb6c9e740(0000) GS:ffff88025f2c0000(0000) knlGS:0000000000000000
[ 93.926459] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 93.926460] CR2: ffffe00121160800 CR3: 00000002210c3000 CR4: 00000000001407e0
[ 93.926461] Stack:
[ 93.926464] ffffffff81c1a020 ffff8802371db940 0000000000000000 ffff880221117db8
[ 93.926466] ffffffff81002144 0000000000000001 0000000000000001 0000000000000002
[ 93.926468] ffff8802502e4140 0000000000000001 ffff880221117da0 ffffffff8119d672
[ 93.926469] Call Trace:
[ 93.926479] [<ffffffff81002144>] do_one_initcall+0xd4/0x210
[ 93.926488] [<ffffffff8119d672>] ? __vunmap+0xb2/0x100
[ 93.926498] [<ffffffff810edc91>] load_module+0x13c1/0x1b80
[ 93.926505] [<ffffffff810e9840>] ? store_uevent+0x40/0x40
[ 93.926510] [<ffffffff810ee5c6>] SyS_finit_module+0x86/0xb0
[ 93.926519] [<ffffffff8176de4d>] system_call_fastpath+0x1a/0x1f
[ 93.926631] Code: 24 68 00 74 38 31 c0 48 c7 c7 4b 10 c4 c1 e8 b2 c5 62 c1 4d 8b 64 24 48 4d 85 e4 74 20 48 c7 c7 50 10 c4 c1 31 c0 e8 9a c5 62 c1 <41> 8b 34 24 48 c7 c7 56 10 c4 c1 31 c0 e8 88 c5 62 c1 48 c7 c7
[ 93.926636] RIP [<ffffffffc01320f0>] check+0xf0/0x1000 [check]
[ 93.926639] RSP <ffff880221117d28>
[ 93.926641] CR2: ffffe00121160800
[ 93.940769] ---[ end trace f2349a61d7dd6264 ]---
Is there any reason for the kernel not being able to access this particular structure? Even if that kernel space is write protected, I am only trying to read it. Commands like lsusb access the same struct from userspace, so I believe there should be no reason that this kernel is overstepping its bounds.
I have written this simple module to handle a device and call some of its power management methods, such as .suspend and .resume. At its initialization, the module simply looks up a particular device and tries to call its methods.
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/device.h>
#include <linux/pci.h>

static int __init mfps_driver_init(void)
{
    struct pci_dev *dev = NULL;
    struct pci_driver *driver = NULL;
    struct device *device = NULL;

    dev = pci_get_device(0x8086, 0x15a2, NULL);
    if ((dev == NULL) || (dev == 0)) {
        printk(KERN_INFO "LEONZO: NOTHING FOUND SIZE %ld\n", sizeof(dev));
    } else {
        driver = dev->driver;
        printk(KERN_INFO "LEONZO: I FOUND THE DEVICE OF THE SIZE %ld\n", sizeof(dev));
        printk(KERN_INFO "LEONZO: HERE IS ITS DRIVER NAME %s\n", driver->name);
        printk(KERN_INFO "LEONZO: CALLING IT SUSPEND METHOD\n");
        *device = dev->dev;
        device_lock(device);
        device_unlock(device);
    }
    return 0;
}

static void __exit mfps_driver_exit(void)
{
}

module_init(mfps_driver_init);
module_exit(mfps_driver_exit);
The code compiles successfully, but I get a kernel bug when I load the module:
sudo insmod MyFirstPowerState.ko
And dmesg shows the following output:
[ 59.545180] MyFirstPowerState: module license 'unspecified' taints kernel.
[ 59.545183] Disabling lock debugging due to kernel taint
[ 59.546010] LEONZO: I FOUND THE DEVICE OF THE SIZE 8
[ 59.546012] LEONZO: HERE IS ITS DRIVER NAME e1000e
[ 59.546013] LEONZO: CALLING IT SUSPEND METHOD
[ 59.546021] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 59.546051] IP: [<ffffffffc011907e>] mfps_driver_init+0x7e/0x1000 [MyFirstPowerState]
[ 59.546077] PGD 0
[ 59.546085] Oops: 0002 [#1] SMP
[ 59.546097] Modules linked in: MyFirstPowerState(POE+) xt_CHECKSUM arc4 iwlmvm mac80211 snd_hda_codec_hdmi snd_hda_codec_realtek iwlwifi snd_hda_codec_generic rtsx_pci_ms memstick cfg80211 nf_conntrack_netbios_ns nf_conntrack_broadcast ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_tcpudp ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter ip_tables x_tables dm_crypt hp_wmi sparse_keymap intel_rapl iosf_mbi x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul dm_multipath crc32_pclmul scsi_dh aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd joydev serio_raw lpc_ich uvcvideo snd_seq_midi snd_seq_midi_event snd_rawmidi snd_hda_intel snd_hda_controller snd_hda_codec videobuf2_vmalloc snd_hwdep shpchp snd_pcm videobuf2_memops videobuf2_core v4l2_common snd_seq e1000e(OE) i915_bpo ptp mei_me pps_core mei videodev media snd_seq_device intel_ips snd_timer drm_kms_helper drm btusb snd i2c_algo_bit soundcore 8250_fintek hp_accel lis3lv02d input_polldev tpm_infineon hp_wireless mac_hid parport_pc ppdev lp parport rfcomm bnep bluetooth binfmt_misc btrfs xor raid6_pq dm_mirror dm_region_hash dm_log uas usb_storage hid_generic usbhid hid rtsx_pci_sdmmc ahci psmouse libahci rtsx_pci wmi video
[ 59.546577] CPU: 1 PID: 4180 Comm: insmod Tainted: P OE 3.19.0-51-generic #58~14.04.1-Ubuntu
[ 59.546613] Hardware name: Hewlett-Packard HP EliteBook 840 G2/2216, BIOS M71 Ver. 01.05 03/26/2015
[ 59.546648] task: ffff880241a7b110 ti: ffff880242f68000 task.ti: ffff880242f68000
[ 59.546678] RIP: 0010:[<ffffffffc011907e>] [<ffffffffc011907e>] mfps_driver_init+0x7e/0x1000 [MyFirstPowerState]
[ 59.546720] RSP: 0018:ffff880242f6bd18 EFLAGS: 00010246
[ 59.546741] RAX: 0000000000000000 RBX: ffff880245b4d000 RCX: 00000000000000ae
[ 59.546772] RDX: 0000000000000000 RSI: ffff880245b4d098 RDI: 0000000000000000
[ 59.546807] RBP: ffff880242f6bd28 R08: 000000000000000a R09: 0000000000000000
[ 59.546839] R10: 0000000000000d53 R11: ffff880242f6b9de R12: ffffffffc06a8000
[ 59.546868] R13: 0000000000000000 R14: ffffffffc0119000 R15: ffff880242f6bef8
[ 59.546900] FS: 00007f8787aa6740(0000) GS:ffff88024f440000(0000) knlGS:0000000000000000
[ 59.546921] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 59.546936] CR2: 0000000000000000 CR3: 0000000244393000 CR4: 00000000003407e0
[ 59.546955] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 59.546978] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 59.547006] Stack:
[ 59.547014] ffffffff81c1d060 ffff880204cd3280 ffff880242f6bda8 ffffffff81002144
[ 59.547046] 0000000000000001 0000000000000002 ffff8801f8ddc4c0 0000000000000001
[ 59.547079] ffff880242f6bd88 ffffffff811cef19 ffffffff810f7aac 0000000000000018
[ 59.547114] Call Trace:
[ 59.547131] [<ffffffff81002144>] do_one_initcall+0xd4/0x210
[ 59.547162] [<ffffffff811cef19>] ? kmem_cache_alloc_trace+0x199/0x220
[ 59.547194] [<ffffffff810f7aac>] ? load_module+0x164c/0x1cc0
[ 59.547222] [<ffffffff810f7ae5>] load_module+0x1685/0x1cc0
[ 59.547247] [<ffffffff810f3380>] ? store_uevent+0x40/0x40
[ 59.547274] [<ffffffff810f8296>] SyS_finit_module+0x86/0xb0
[ 59.547298] [<ffffffff817b788d>] system_call_fastpath+0x16/0x1b
[ 59.547314] Code: c7 80 c0 4b c0 31 c0 e8 19 14 69 c1 48 c7 c7 a8 c0 4b c0 31 c0 e8 0b 14 69 c1 31 c0 48 8d b3 98 00 00 00 b9 ae 00 00 00 48 89 c7 <f3> a5 bf 60 00 00 00 e8 26 c7 69 c1 bf 60 00 00 00 e8 ac c5 69
[ 59.547393] RIP [<ffffffffc011907e>] mfps_driver_init+0x7e/0x1000 [MyFirstPowerState]
[ 59.547416] RSP <ffff880242f6bd18>
[ 59.547425] CR2: 0000000000000000
[ 59.554577] ---[ end trace 42e3b1c73677cdfa ]---
I also notice that it is then impossible to remove the module:
sudo rmmod MyFirstPowerState.ko
rmmod: ERROR: Module MyFirstPowerState is in use
Any idea what this output means and how to correct the error?
I will attempt to explain the massive wall of text that is dmesg below. As a note, the values in brackets to the left are times; I forget exactly what they are relative to, but for you they don't really matter.
[ 59.545180] MyFirstPowerState: module license 'unspecified' taints kernel.
[ 59.545183] Disabling lock debugging due to kernel taint
This is because you did not declare a module license. Usually you will see people put something like this in their code in the same section as module_init:
MODULE_LICENSE("GPL");
[ 59.546010] LEONZO: I FOUND THE DEVICE OF THE SIZE 8
[ 59.546012] LEONZO: HERE IS ITS DRIVER NAME e1000e
[ 59.546013] LEONZO: CALLING IT SUSPEND METHOD
These are your printk messages; nothing really special here.
[ 59.546021] BUG: unable to handle kernel NULL pointer dereference at (null)
Here is where the cause of your crash actually lives. The kernel tried to dereference a NULL pointer, which causes a segfault. For more details on what exactly that means, see here. As Ian noted in the comments earlier, it looks like the cause of your crash is that you put *device=dev->dev instead of device=dev->dev. In the code you have, you attempted to assign the value device points to, to dev->dev; however, since device=NULL currently, you attempted to dereference NULL, causing a crash.
[ 59.546051] IP: [] mfps_driver_init+0x7e/0x1000 [MyFirstPowerState]
[ 59.546648] task: ffff880241a7b110 ti: ffff880242f68000 task.ti: ffff880242f68000
The chunk of errors contained within those above does not have much value to you currently and is more for people who have deployed something and some specific user has a problem. It is listing things like the hardware installed, the module that caused the crash, and modules that are also calling, all things that in your case are very well known.
[ 59.546678] RIP: 0010:[] [] mfps_driver_init+0x7e/0x1000 [MyFirstPowerState]
[ 59.547079] ffff880242f6bd88 ffffffff811cef19 ffffffff810f7aac 0000000000000018
Everything in this section is assembly information which, if you have no assembly experience, means nothing to you, although I would suggest knowing the basics; it does help in these cases. The top half is registers and their current values and the bottom half is the current stack frame.
[ 59.547114] Call Trace:
[ 59.547131] [<ffffffff81002144>] do_one_initcall+0xd4/0x210
[ 59.547162] [<ffffffff811cef19>] ? kmem_cache_alloc_trace+0x199/0x220
[ 59.547194] [<ffffffff810f7aac>] ? load_module+0x164c/0x1cc0
Everything within the call trace can be exceptionally helpful especially when the module becomes long and difficult to debug with things like interrupts. Basically it is listing out every single function call (or otherwise) the system has made to lead to this crash. In your case since you went from the load module straight to the crash the trace really only has your load_module along with some wrappers and some deep system calls. However, if say your load module called another function and that caused the crash you could see this call path here.
The last little bit appears to be more registers.
Hopefully that explained the wall of text that you get from dmesg when you cause a kernel issue (not sure if this is a panic someone please correct me). If there is anything that is still vague I'll try to explain although I am by no means an expert on this.
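The triage the answer above walks through by hand can be automated for a log pipeline. The script below is an added example, not code from either poster: it parses dmesg/oops text of the shape quoted on this page (with or without the syslog prefix), pulls out the BUG line, the faulting instruction's symbol and module, the taint flags and the call trace, and separates frames the unwinder flagged with "?" (unverified values found on the stack) from reliable ones, so the first out-of-tree module to look at falls out directly. The two sample inputs are constructed from lines quoted on this page; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Strips the optional syslog prefix ("Mar 16 09:39:27 ubuntu kernel: ") and the
# "[ seconds.micros]" uptime stamp that every dmesg line carries.
PREFIX_RE = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+kernel:\s+)?"
    r"\[\s*(\d+\.\d+)\]\s?(.*)$"
)
# One stack frame: "[<addr>] ? symbol+0xoff/0xsize [module]". The "?" marks a
# frame the unwinder could not verify (a stale pointer it found on the stack).
FRAME_RE = re.compile(
    r"\[<([0-9a-f]+)>\]\s*(\?)?\s*([A-Za-z_.][\w.]*)\+0x([0-9a-f]+)/0x([0-9a-f]+)"
    r"(?:\s+\[([\w-]+)\])?"
)
TAINT_RE = re.compile(r"Tainted:\s+([A-Z ]+?)\s+\d")

@dataclass
class Frame:
    addr: int
    symbol: str
    offset: int
    size: int
    module: Optional[str]   # None for core-kernel symbols
    reliable: bool          # False when the unwinder printed "?"

@dataclass
class OopsReport:
    bug: Optional[str] = None         # text after "BUG: "
    fault_ip: Optional[Frame] = None  # instruction that took the fault
    taint_reasons: list = field(default_factory=list)
    taint_flags: Optional[str] = None
    frames: list = field(default_factory=list)
    trace_id: Optional[str] = None

    def suspect_module(self) -> Optional[str]:
        """First module named by the fault IP or by a reliable trace frame."""
        for f in [self.fault_ip] + [f for f in self.frames if f.reliable]:
            if f is not None and f.module:
                return f.module
        return None

def _frame(m: "re.Match") -> Frame:
    return Frame(addr=int(m.group(1), 16), symbol=m.group(3),
                 offset=int(m.group(4), 16), size=int(m.group(5), 16),
                 module=m.group(6), reliable=m.group(2) is None)

def parse_oops(text: str) -> OopsReport:
    rep, in_trace = OopsReport(), False
    for raw in text.splitlines():
        pm = PREFIX_RE.match(raw.strip())
        if not pm:
            continue                     # not a kernel log line
        line = pm.group(2).strip()
        if line.startswith("BUG: ") and rep.bug is None:
            rep.bug = line[len("BUG: "):]
        elif "taints kernel" in line:
            rep.taint_reasons.append(line)
        elif (tm := TAINT_RE.search(line)):
            rep.taint_flags = tm.group(1).strip()
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith("Code:") or line.startswith("---[ end trace"):
            in_trace = False             # trace is over; "Code:" is the opcode dump
            if line.startswith("---[ end trace"):
                rep.trace_id = line.split()[3]
        elif (fm := FRAME_RE.search(line)):
            if in_trace:
                rep.frames.append(_frame(fm))
            elif rep.fault_ip is None and re.match(r"^(R?IP|EIP)\b", line):
                rep.fault_ip = _frame(fm)
    return rep

def summarize(rep: OopsReport) -> list:
    """Short triage lines: what faulted, where, and which module to open first."""
    out = [f"bug: {rep.bug or 'unknown'}"]
    if rep.fault_ip:
        where = rep.fault_ip.symbol + (f" [{rep.fault_ip.module}]" if rep.fault_ip.module else "")
        out.append(f"faulting instruction: {where} at offset 0x{rep.fault_ip.offset:x}")
    if rep.taint_reasons or rep.taint_flags:
        out.append(f"taint: {rep.taint_flags or ''} {' / '.join(rep.taint_reasons)}".strip())
    out.append(f"reliable frames: {[f.symbol for f in rep.frames if f.reliable]}")
    out.append(f"unreliable (?) frames: {[f.symbol for f in rep.frames if not f.reliable]}")
    out.append(f"suspect module: {rep.suspect_module() or 'none (core kernel)'}")
    return out

# Constructed samples: a few lines each, copied from the two oops dumps quoted on this page.
SAMPLE_NULL_DEREF = """\
[   59.545180] MyFirstPowerState: module license 'unspecified' taints kernel.
[   59.546021] BUG: unable to handle kernel NULL pointer dereference at (null)
[   59.546051] IP: [<ffffffffc011907e>] mfps_driver_init+0x7e/0x1000 [MyFirstPowerState]
[   59.547114] Call Trace:
[   59.547131]  [<ffffffff81002144>] do_one_initcall+0xd4/0x210
[   59.547162]  [<ffffffff811cef19>] ? kmem_cache_alloc_trace+0x199/0x220
[   59.547194]  [<ffffffff810f7aac>] ? load_module+0x164c/0x1cc0
[   59.547298]  [<ffffffff817b788d>] system_call_fastpath+0x16/0x1b
[   59.554577] ---[ end trace 42e3b1c73677cdfa ]---
"""
SAMPLE_PAGING = """\
Mar 16 09:39:27 ubuntu kernel: [  324.229195] BUG: unable to handle kernel paging request at 0804b000
Mar 16 09:39:27 ubuntu kernel: [  324.229199] IP: [<c1312dfd>] memcpy+0x1d/0x40
Mar 16 09:39:27 ubuntu kernel: [  324.229256] CPU: 0 PID: 2880 Comm: aerolockd Tainted: GF O 3.11.0-17-generic #31~precise1-Ubuntu
Mar 16 09:39:27 ubuntu kernel: [  324.229364] Call Trace:
Mar 16 09:39:27 ubuntu kernel: [  324.229370]  [<f9ba3a1b>] __generate_hmac+0x8b/0x190 [aerolock]
Mar 16 09:39:27 ubuntu kernel: [  324.229373]  [<f9ba3b6e>] __validate_hmac+0x4e/0x220 [aerolock]
Mar 16 09:39:27 ubuntu kernel: [  324.229390]  [<c10839a4>] ? wake_up_new_task+0xe4/0x150
Mar 16 09:39:27 ubuntu kernel: [  324.229406]  [<c167c937>] syscall_call+0x7/0xb
Mar 16 09:39:27 ubuntu kernel: [  324.229447] ---[ end trace 3c014cb0223fa59a ]---
"""

if __name__ == "__main__":
    for sample in (SAMPLE_NULL_DEREF, SAMPLE_PAGING):
        print("\n".join(summarize(parse_oops(sample))), end="\n\n")
```

The "?" distinction matters when reading a trace like the one above: kmem_cache_alloc_trace and load_module are leftovers on the stack, not callers of the crashing function, so the reliable path is do_one_initcall into the module's init, exactly what the answer describes. Feeding the second sample through the same parser points at the aerolock module's __generate_hmac frame sitting right under memcpy, which is where the later question on this page lands.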
I'm experiencing some very odd behavior with the code segment pointed to by task->mm and I hope someone out there can help me out. What I'm doing is pulling the code segment out and putting it in a buffer and then generating an HMAC from it. Occasionally I'll get an Oops! saying that the can't with the call stack terminating at memcpy(). What appears to be happening is that the data goes away in the middle of the copy process and it causes a page fault and then the Oops. I've searched far and wide for references to this seemingly ephemeral nature of the memory used in mm_struct, but have found nothing. I don't believe I'm doing anything controversial in the code; here it is with comments etc. removed for brevity.
struct mm_struct* __mm;
...
__mm = get_task_mm(__task);
if(likely(__mm))
{
__buflen = (__mm->end_code - __mm->start_code);
if(likely(__buflen > 0))
{
__buf = (unsigned char*)__get_buffer(__buflen);
if(likely(__buf))
{
preempt_disable();
memcpy(__buf, (uint8_t*)__mm->start_code, __buflen);
preempt_enable();
mmput(__mm);
if(unlikely(!__do_ntru_hmac(__buf, __buflen, __hmac)))
{
__retcode = 0;
}
__release_buffer(__buf, __buflen);
}
else
{
printk(KERN_ERR "[%s] Buffer allocation failure [%d]\n", __task->comm, __buflen);
__retcode = 0;
}
...
The memory allocation routines are simple and aimed at being able to allocate large blocks of memory at once. They look like this:
void* __get_buffer(unsigned long __buflen)
{
if(likely(__buflen <= KMALLOC_MAX_SIZE))
{
return kmalloc(__buflen, GFP_KERNEL);
}
else
{
return (void*)__get_free_pages(GFP_KERNEL, get_order(__buflen));
}
return NULL;
}
void __release_buffer(void* __buffer, unsigned long __buflen)
{
if(likely(__buflen <= KMALLOC_MAX_SIZE))
{
kfree(__buffer);
}
else
{
free_pages((unsigned long)__buffer, get_order(__buflen));
}
return;
}
The error seems to occur randomly and I can't tie it to a task, parent or any other components of struct task_struct. I've tried mutexes and spinlocks to protect the memory during memcpy, I've tried stopping the task altogether using set_task_state() and restarting it after the copy, but nothing seems to stop the problem.
UPDATE: I'm still hammering away at this problem and thought I'd toss in some more data. Here's the Oops dump.
Mar 16 09:39:27 ubuntu kernel: [ 324.229195] BUG: unable to handle kernel paging request at 0804b000
Mar 16 09:39:27 ubuntu kernel: [ 324.229199] IP: [<c1312dfd>] memcpy+0x1d/0x40
Mar 16 09:39:27 ubuntu kernel: [ 324.229221] *pdpt = 000000002cf4c001 *pde = 000000003b72c067
Mar 16 09:39:27 ubuntu kernel: [ 324.229223] Oops: 0000 [#1] SMP
Mar 16 09:39:27 ubuntu kernel: [ 324.229225] Modules linked in: aerolock(OF) vmhgfs(OF) vmw_balloon psmouse snd_ens1371 serio_raw gameport snd_ac97_codec ac97_bus snd_pcm snd_seq_midi btusb snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device vmwgfx snd ttm drm bnep rfcomm soundcore mac_hid bluetooth snd_page_alloc vmw_vmci i2c_piix4 parport_pc ppdev shpchp lp parport hid_generic usbhid hid pcnet32 mptspi ahci libahci mptscsih mptbase floppy mii vmw_pvscsi vmxnet3
Mar 16 09:39:27 ubuntu kernel: [ 324.229256] CPU: 0 PID: 2880 Comm: aerolockd Tainted: GF O 3.11.0-17-generic #31~precise1-Ubuntu
Mar 16 09:39:27 ubuntu kernel: [ 324.229258] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
Mar 16 09:39:27 ubuntu kernel: [ 324.229259] task: f1816700 ti: ed774000 task.ti: ed774000
Mar 16 09:39:27 ubuntu kernel: [ 324.229262] EIP: 0060:[<c1312dfd>] EFLAGS: 00010202 CPU: 0
Mar 16 09:39:27 ubuntu kernel: [ 324.229264] EIP is at memcpy+0x1d/0x40
Mar 16 09:39:27 ubuntu kernel: [ 324.229266] EAX: ecc80000 EBX: 00011cd0 ECX: 00003b34 EDX: 08048000
Mar 16 09:39:27 ubuntu kernel: [ 324.229268] ESI: 0804b000 EDI: ecc83000 EBP: ed775e74 ESP: ed775e68
Mar 16 09:39:27 ubuntu kernel: [ 324.229269] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Mar 16 09:39:27 ubuntu kernel: [ 324.229271] CR0: 80050033 CR2: 0804b000 CR3: 2d9d5000 CR4: 001407f0
Mar 16 09:39:27 ubuntu kernel: [ 324.229345] Stack:
Mar 16 09:39:27 ubuntu kernel: [ 324.229347] 00011cd0 f1816700 f33703b4 ed775eb0 f9ba3a1b 0000063b 00000000 00000000
Mar 16 09:39:27 ubuntu kernel: [ 324.229353] 0000063c c1b80e4c f1816700 ed775ee0 08048000 ecc80000 00000000 f1816700
Mar 16 09:39:27 ubuntu kernel: [ 324.229358] f9baa952 f1816700 ed775f08 f9ba3b6e 00000000 00000000 00000000 c1b9d642
Mar 16 09:39:27 ubuntu kernel: [ 324.229364] Call Trace:
Mar 16 09:39:27 ubuntu kernel: [ 324.229370] [<f9ba3a1b>] __generate_hmac+0x8b/0x190 [aerolock]
Mar 16 09:39:27 ubuntu kernel: [ 324.229373] [<f9ba3b6e>] __validate_hmac+0x4e/0x220 [aerolock]
Mar 16 09:39:27 ubuntu kernel: [ 324.229377] [<f9ba3da0>] ret_do_fork+0x60/0x70 [aerolock]
Mar 16 09:39:27 ubuntu kernel: [ 324.229384] [<c167f12a>] trampoline_handler+0x11a/0x1c0
Mar 16 09:39:27 ubuntu kernel: [ 324.229390] [<c10839a4>] ? wake_up_new_task+0xe4/0x150
Mar 16 09:39:27 ubuntu kernel: [ 324.229394] [<c1054bf5>] ? SyS_clone+0x25/0x30
Mar 16 09:39:27 ubuntu kernel: [ 324.229397] [<c1054bf5>] ? SyS_clone+0x25/0x30
Mar 16 09:39:27 ubuntu kernel: [ 324.229400] [<c167efee>] kretprobe_trampoline+0x16/0x38
Mar 16 09:39:27 ubuntu kernel: [ 324.229404] [<c167efd8>] ? kretprobe_trampoline_holder+0x8/0x8
Mar 16 09:39:27 ubuntu kernel: [ 324.229406] [<c167c937>] syscall_call+0x7/0xb
Mar 16 09:39:27 ubuntu kernel: [ 324.229408] Code: c3 90 8d 74 26 00 e8 33 fe ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89
Mar 16 09:39:27 ubuntu kernel: [ 324.229439] EIP: [<c1312dfd>] memcpy+0x1d/0x40 SS:ESP 0068:ed775e68
Mar 16 09:39:27 ubuntu kernel: [ 324.229444] CR2: 000000000804b000
Mar 16 09:39:27 ubuntu kernel: [ 324.229447] ---[ end trace 3c014cb0223fa59a ]---
I've tried a lot of different tacks but have met with failure on all. copy_from_user() for example fails every time; sometimes not reading the whole request and sometimes returning a partial. Every time it fails on a partial it does so on a page boundary, again making it seem like the memory is being taken away mid-copy.
Given that I'm hooking do_fork(), could the process just be transitioning from kernel space to user space while I'm trying to capture it? As I mentioned before, I've tried stopping the current task and restarting post copy, but it has no effect.
Also interesting to note; I've had the same (memcpy()) code running for six weeks straight under varying loads without a failure on a single processor ARM BeagleBoard Black running Ubuntu 12.04 (3.8.13-bone28). The problem only seems to happen on my x86 box running Ubuntu 12.04 and then only when I put a heavy load on it like starting Chromium.
Sorry to be so long winded here, I'm stumped.
Any ideas?
Thanks again in advance,
Pete
You can't reliably copy memory directly from userspace, as you've discovered.
Use copy_from_user() instead of memcpy(). And don't disable preemption, there's no point.