Memory write with kernel module causes kernel oops in Android kernel
I am currently trying to debug the stock android kernel, but I encountered a few problems which I need help with. I have the source of the kernel, but I do not want to rebuild the kernel and flash into the phone, I only wish to carry out debugging on the stock kernel existing in my phone. Kprobes is enabled in the stock kernel (I confirmed this by looking at the list of symbols present at /proc/kallsyms).
Firstly, I tried compiling my own kernel module to manipulate the kernel memory. I am able to read from the memory by mapping the physical address to a virtual address and then assigning it to a pointer, like this:
unsigned char *my_ptr;
my_ptr = (unsigned char *)phys_to_virt((unsigned long)0x001C1D50);
printk(KERN_INFO "%02X", *my_ptr);
But when I try to write to the memory with my_ptr[0] = 0; the kernel goes into a panic (oops) state and just restarts the phone. From /proc/last_kmsg, I get the following log:
<3>[ 149.720085] RKP -> Inst bf3db69c out of cpu_v7_set_pte_ext range from c01159c4 to c0115a1c
<1>[ 149.720233] Unable to handle kernel paging request at virtual address c01c1d50
<1>[ 149.720355] pgd = eb760000
<1>[ 149.720419] [c01c1d50] *pgd=0da00011
<0>[ 149.720658] Internal error: Oops: 80f [#1] PREEMPT SMP ARM
<4>[ 149.720749] Modules linked in: t_mod(O) wlan(PO) mhi(O)
<4>[ 149.720889] CPU: 0 PID: 5561 Comm: tmp-mksh Tainted: P W O 3.10.0-2413392 #1
<4>[ 149.721007] task: eba75400 ti: eb01a000 task.ti: eb01a000
<4>[ 149.721118] PC is at my_write+0x230/0x300 [t_mod]
<4>[ 149.721216] LR is at _kstrtoull+0x28/0x74
<4>[ 149.721298] pc : [<bf3db69c>] lr : [<c03cbf4c>] psr: 60010013
<4>[ 149.721298] sp : eb01be78 ip : 0000003f fp : 00000000
<4>[ 149.721464] r10: 00000000 r9 : eb01a000 r8 : bf3dd270
<4>[ 149.721550] r7 : 00000005 r6 : 00000008 r5 : eb01be7c r4 : eb01be86
<4>[ 149.721650] r3 : c01c1d48 r2 : 00000002 r1 : 00000000 r0 : 00000000
<4>[ 149.721754] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
<4>[ 149.721863] Control: 10c5787d Table: 2b76006a DAC: 00000015
<4>[ 149.721954]
<4>[ 149.721954] LR: 0xc03cbecc:
<4>[ 149.722038] becc e00b3001 e1921003 0a000007 e3a01000 e1a04007 e1e00008 e1e01001 ebffbc2c
<4>[ 149.722235] beec e153000b 0152000a 33a06001 e083279a e2855001 e0233b97 e092a008 e2a3b000
<4>[ 149.722439] bf0c e7d93005 e3530000 1affffd8 eaffffde e1a00005 e8bd8ffe e92d407f e28d3010
<4>[ 149.722641] bf2c e1a06002 e523100c e1a01003 ebffffa6 e59d1004 e28d2008 e1a04000 ebffffc2
<4>[ 149.722842] bf4c e3500000 ba00000b e3d00102 0a00000b e7d42000 e0843000 e352000a 02833001
<4>[ 149.723043] bf6c e5d30000 e3500000 1a000004 e1cd40d8 e1c640f0 ea000002 e3e00021 ea000000
<4>[ 149.723244] bf8c e3e00015 e28dd010 e8bd8070 e5d03000 e353002b 02800001 eaffffde e92d4070
<4>[ 149.723444] bfac e1a06003 e59f30bc e24dd048 e1a0e000 e3510042 31a04001 23a04042 e1a05002
<4>[ 149.723650]
<4>[ 149.723650] SP: 0xeb01bdf8:
<4>[ 149.723745] bdf8 00000000 ed77d74c eb01be86 eb01be38 eb01be38 eb01be86 eb01be7c eb01be50
<4>[ 149.723947] be18 bf3db69c 60010013 ffffffff eb01be64 bf3dd270 c0abd1d8 00000000 00000000
<4>[ 149.724147] be38 00000002 c01c1d48 eb01be86 eb01be7c 00000008 00000005 bf3dd270 eb01a000
<4>[ 149.724344] be58 00000000 00000000 0000003f eb01be78 c03cbf4c bf3db69c 60010013 ffffffff
<4>[ 149.724526] be78 00000000 eb01be89 00000002 3230ea28 20303000 31203030 e82b0041 eb01a000
<4>[ 149.724707] be98 00000800 00000000 c1219210 c024cfa4 eb01bebc e82ba000 00000002 eb7b7270
<4>[ 149.724888] beb8 6400742d 00000000 ea277e50 e8e7a7f8 ed77d74c c0192094 eba75400 eb01bf78
<4>[ 149.725069] bed8 00000001 e82ba000 ffffff9c c0106344 c036f940 00000002 e958e180 b85b0ab4
<4>[ 149.725255]
<4>[ 149.725255] R3: 0xc01c1cc8:
<4>[ 149.725339] 1cc8 e1a03007 e58db010 eb23c055 e3a01001 e5960008 eb0cee18 ebfd4d09 e1a01005
<4>[ 149.725523] 1ce8 e58d7000 e1a02007 e1a0300b e5960008 eb0cf40e e1a05000 e1a01004 e5960008
<4>[ 149.725706] 1d08 eb0cee0d e3550000 0a00000c e1a01005 e59f015c eb23c042 e59f0158 eb23c040
<4>[ 149.725887] 1d28 e2860008 eb0cf52e e3500000 05864008 0a00003a e59f0140 eb23c039 ea000037
<4>[ 149.726068] 1d48 e5981144 e3510000 00000000 e59f012c eb23c033 ea000032 e59f5124 e59f0124
<4>[ 149.726251] 1d68 eb23c02f e30810d0 e3a02010 e5950018 eb01e34a e2506000 1a000003 e59f1108
<4>[ 149.726451] 1d88 e59f0108 eb23c026 ea000024 e3a01010 e59f20fc e3e03000 eb081633 e5950020
<4>[ 149.726651] 1da8 e30810d0 e3a02c01 e58d6020 eb01e33b e2505000 1a000004 e59f00d0 e59f10c8
<4>[ 149.726857]
<4>[ 149.726857] R4: 0xeb01be06:
<4>[ 149.726950] be04 eb01be38 eb01be38 eb01be86 eb01be7c eb01be50 bf3db69c 60010013 ffffffff
<4>[ 149.727153] be24 eb01be64 bf3dd270 c0abd1d8 00000000 00000000 00000002 c01c1d48 eb01be86
<4>[ 149.727353] be44 eb01be7c 00000008 00000005 bf3dd270 eb01a000 00000000 00000000 0000003f
<4>[ 149.727552] be64 eb01be78 c03cbf4c bf3db69c 60010013 ffffffff 00000000 eb01be89 00000002
<4>[ 149.727751] be84 3230ea28 20303000 31203030 e82b0041 eb01a000 00000800 00000000 c1219210
<4>[ 149.727951] bea4 c024cfa4 eb01bebc e82ba000 00000002 eb7b7270 6400742d 00000000 ea277e50
<4>[ 149.728151] bec4 e8e7a7f8 ed77d74c c0192094 eba75400 eb01bf78 00000001 e82ba000 ffffff9c
<4>[ 149.728351] bee4 c0106344 c036f940 00000002 e958e180 b85b0ab4 eb01bf80 c03681d0 00000000
<4>[ 149.728534] bf04 ef00e400 00000001 b85b0ab4 00000001 c0241a04 00000020 a8279bb7 eb05dcbc
<4>[ 149.728719]
<4>[ 149.728719] R5: 0xeb01bdfc:
<4>[ 149.728803] bdfc ed77d74c eb01be86 eb01be38 eb01be38 eb01be86 eb01be7c eb01be50 bf3db69c
<4>[ 149.728986] be1c 60010013 ffffffff eb01be64 bf3dd270 c0abd1d8 00000000 00000000 00000002
<4>[ 149.729166] be3c c01c1d48 eb01be86 eb01be7c 00000008 00000005 bf3dd270 eb01a000 00000000
<4>[ 149.729347] be5c 00000000 0000003f eb01be78 c03cbf4c bf3db69c 60010013 ffffffff 00000000
<4>[ 149.729528] be7c eb01be89 00000002 3230ea28 20303000 31203030 e82b0041 eb01a000 00000800
<4>[ 149.729710] be9c 00000000 c1219210 c024cfa4 eb01bebc e82ba000 00000002 eb7b7270 6400742d
<4>[ 149.729891] bebc 00000000 ea277e50 e8e7a7f8 ed77d74c c0192094 eba75400 eb01bf78 00000001
<4>[ 149.730072] bedc e82ba000 ffffff9c c0106344 c036f940 00000002 e958e180 b85b0ab4 eb01bf80
<4>[ 149.730256]
<4>[ 149.730256] R9: 0xeb019f80:
<4>[ 149.730347] 9f80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[ 149.730544] 9fa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[ 149.730742] 9fc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[ 149.730939] 9fe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[ 149.731136] a000 00000200 00000001 00000000 eba75400 c1240d78 00000000 00000015 eba75400
<4>[ 149.731336] a020 c5151f00 eb01a000 c120df00 ed5fb500 00000000 ed2f1500 eb01be7c eb01bdf0
<4>[ 149.731538] a040 c0abba1c 00000000 00000000 00000004 00000000 00000000 01010000 00000000
<4>[ 149.731737] a060 b6f23f24 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<0>[ 149.731944] Process tmp-mksh (pid: 5561, stack limit = 0xeb01a238)
<0>[ 149.732053] Stack: (0xeb01be78 to 0xeb01c000)
<0>[ 149.732145] be60: 00000000 eb01be89
<0>[ 149.732295] be80: 00000002 3230ea28 20303000 31203030 e82b0041 eb01a000 00000800 00000000
<0>[ 149.732425] bea0: c1219210 c024cfa4 eb01bebc e82ba000 00000002 eb7b7270 6400742d 00000000
<0>[ 149.732554] bec0: ea277e50 e8e7a7f8 ed77d74c c0192094 eba75400 eb01bf78 00000001 e82ba000
<0>[ 149.732684] bee0: ffffff9c c0106344 c036f940 00000002 e958e180 b85b0ab4 eb01bf80 c03681d0
<0>[ 149.732812] bf00: 00000000 ef00e400 00000001 b85b0ab4 00000001 c0241a04 00000020 a8279bb7
<0>[ 149.732942] bf20: eb05dcbc eb05dc80 00000000 eb05dcbc 00000001 c0287c78 eb01bf80 e958e180
<0>[ 149.733071] bf40: 00000005 b85b0ab4 eb01bf80 b85b0ab4 00000005 c0240328 e958e180 b85b0ab4
<0>[ 149.733199] bf60: 00000005 00000000 00000000 e958e180 00000000 b85b0ab4 00000005 c0240680
<0>[ 149.733325] bf80: 00000000 00000000 00000005 00000003 00000005 00000001 00000004 c0106344
<0>[ 149.733454] bfa0: 00000200 c0106328 00000003 00000005 00000001 b85b0ab4 00000005 ffffffff
<0>[ 149.733580] bfc0: 00000003 00000005 00000001 00000004 b85b0ab4 00000000 00000000 00000000
<0>[ 149.733715] bfe0: 00000000 bef89528 b6f34d75 b6ed34ac 20010010 00000001 00000000 00000000
<4>[ 149.733918] [<bf3db69c>] (my_write+0x230/0x300 [t_mod]) from [<c0287c78>] (proc_reg_write+0x60/0x90)
<4>[ 149.734116] [<c0287c78>] (proc_reg_write+0x60/0x90) from [<c0240328>] (vfs_write+0xcc/0x174)
<4>[ 149.734288] [<c0240328>] (vfs_write+0xcc/0x174) from [<c0240680>] (SyS_write+0x38/0x64)
<4>[ 149.734457] [<c0240680>] (SyS_write+0x38/0x64) from [<c0106328>] (__sys_trace_return+0x0/0x18)
<0>[ 149.734617] Code: e3a01010 eb3fc49f e5983004 e59d2008 (e7c32006)
<4>[ 149.738191] ---[ end trace dec6997083161644 ]---
<0>[ 149.738295] Kernel panic - not syncing: Fatal exception
I thought that this had something to do with my kernel module, so I went ahead and used the kprobes functions which are available in the kernel (mainly register_kprobe), like this:
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/kprobes.h>
/* The handlers are not shown in the original post; minimal ones are supplied so the module builds. */
static int handler_pre(struct kprobe *p, struct pt_regs *regs) { return 0; }
static void handler_post(struct kprobe *p, struct pt_regs *regs, unsigned long flags) { }
static int handler_fault(struct kprobe *p, struct pt_regs *regs, int trapnr) { return 0; }

static struct kprobe kp = {
    .symbol_name = "do_fork",
    .pre_handler = handler_pre,
    .post_handler = handler_post,
    .fault_handler = handler_fault,
};

static int __init kprobe_init(void)
{
    int ret;
    ret = register_kprobe(&kp);
    if (ret < 0) {
        printk(KERN_INFO "register_kprobe failed, returned %d\n", ret);
        return ret;
    }
    printk(KERN_INFO "Planted kprobe at %p\n", kp.addr);
    return 0;
}

static void __exit kprobe_exit(void)
{
    unregister_kprobe(&kp);
}
module_init(kprobe_init);
module_exit(kprobe_exit);
MODULE_LICENSE("GPL");
The same thing happens when I insert the kernel module with the above code: the kernel generates a panic (oops) and then restarts the phone. The last_kmsg logged is around the same as the one I provided above.
I would highly appreciate it if anyone who is familiar with this field can help me with the problem above. I would like to know whether there is any memory protection implemented in the Android system. In a previous phone that I had, when /dev/mem was still implemented in the kernel, I was able to read/write memory through the driver as I wished. I have tried ioremap but it only returns a NULL pointer. Thanks in advance!
EDIT: Sorry for the confusion above; I used 0x12345678 as an example. I get the addresses from /proc/kallsyms and translate them to physical addresses. For example, if it's 0xc01c1d50, I will need to subtract 0xc0008000 from it, and since the kernel itself has a starting offset of 0x00008000, I will add it to the result, and hence it will be 0x001C1D50.
Here's the /proc/last_kmsg output when I tried to register a kprobe with register_kprobe():
<3>[ 184.769314] RKP -> Inst c0abe2a0 out of cpu_v7_set_pte_ext range from c01159c4 to c0115a1c
<1>[ 184.769369] Unable to handle kernel paging request at virtual address c0170ce4
<1>[ 184.769416] pgd = dc828000
<1>[ 184.769439] [c0170ce4] *pgd=0da00011
<0>[ 184.769535] Internal error: Oops: 80f [#1] PREEMPT SMP ARM
<4>[ 184.769572] Modules linked in: kp_mod(O+) wlan(PO) mhi(O)
<4>[ 184.769620] CPU: 0 PID: 5835 Comm: insmod Tainted: P W O 3.10.0-2413392 #1
<4>[ 184.769665] task: ea0cf8c0 ti: de9a0000 task.ti: de9a0000
<4>[ 184.769706] PC is at __patch_text+0x24/0x3c
<4>[ 184.769734] LR is at __patch_text+0x1c/0x3c
<4>[ 184.769764] pc : [<c0abe2a0>] lr : [<c0abe298>] psr: 800f0093
<4>[ 184.769764] sp : de9a1df8 ip : 00000000 fp : 0000001c
<4>[ 184.769830] r10: e9a0b0c0 r9 : 00000000 r8 : bf3dd008
<4>[ 184.769862] r7 : 00000000 r6 : 00000000 r5 : e7f001f8 r4 : c0170ce4
<4>[ 184.769901] r3 : 0da00411 r2 : dc82b004 r1 : c0170ce4 r0 : c0170ce4
<4>[ 184.769942] Flags: Nzcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
<4>[ 184.769984] Control: 10c5787d Table: 1c82806a DAC: 00000015
<4>[ 184.770019]
<4>[ 184.770019] PC: 0xc0abe220:
<4>[ 184.770049] e220 e12fff33 e8bd81f0 e592300c e3a00002 e5813004 e8bd81f0 e592300c e5813004
<4>[ 184.770116] e240 e5913000 e5830000 e3a00001 e8bd81f0 e1a00005 e8bd81f0 e1a0000c e8bd81f0
<4>[ 184.770186] e260 e3a00000 e8bd81f0 e1a0f00e c0b00714 dddddddd 22222222 00020103 e92d4037
<4>[ 184.770257] e280 e1a04000 e28d0004 e1a05001 ebd95615 e1a00004 ebd9561f e1a01004 e1a00004
<4>[ 184.770327] e2a0 e4815004 ebd95ba5 ebd95646 e28d0004 ebd95613 e8bd803e eaffffef e5902030
<4>[ 184.770398] e2c0 e5903014 e3c204ff e3120401 e1a00100 12832004 e2833008 e200c402 15812038
<4>[ 184.770468] e2e0 e26cc000 e18c0000 e0833000 e581303c e12fff1e e5903030 e5900014 e3c324ff
<4>[ 184.770538] e300 e1a03ba3 e280c004 e1a02102 e2800008 e581c038 e2033002 e202c402 e26cc000
<4>[ 184.770610]
<4>[ 184.770610] LR: 0xc0abe218:
<4>[ 184.770643] e218 eaffffb5 e592300c e12fff33 e8bd81f0 e592300c e3a00002 e5813004 e8bd81f0
<4>[ 184.770713] e238 e592300c e5813004 e5913000 e5830000 e3a00001 e8bd81f0 e1a00005 e8bd81f0
<4>[ 184.770784] e258 e1a0000c e8bd81f0 e3a00000 e8bd81f0 e1a0f00e c0b00714 dddddddd 22222222
<4>[ 184.770853] e278 00020103 e92d4037 e1a04000 e28d0004 e1a05001 ebd95615 e1a00004 ebd9561f
<4>[ 184.770919] e298 e1a01004 e1a00004 e4815004 ebd95ba5 ebd95646 e28d0004 ebd95613 e8bd803e
<4>[ 184.770982] e2b8 eaffffef e5902030 e5903014 e3c204ff e3120401 e1a00100 12832004 e2833008
<4>[ 184.771046] e2d8 e200c402 15812038 e26cc000 e18c0000 e0833000 e581303c e12fff1e e5903030
<4>[ 184.771110] e2f8 e5900014 e3c324ff e1a03ba3 e280c004 e1a02102 e2800008 e581c038 e2033002
<4>[ 184.771174]
<4>[ 184.771174] SP: 0xde9a1d78:
<4>[ 184.771204] 1d78 000002d0 ffffffff 00000000 e9a0b0c0 0000001c c0230b4c 00000001 dc804980
<4>[ 184.771268] 1d98 c0abe2a0 800f0093 ffffffff de9a1de4 bf3dd008 c0abd1d8 c0170ce4 c0170ce4
<4>[ 184.771332] 1db8 dc82b004 0da00411 c0170ce4 e7f001f8 00000000 00000000 bf3dd008 00000000
<4>[ 184.771395] 1dd8 e9a0b0c0 0000001c 00000000 de9a1df8 c0abe298 c0abe2a0 800f0093 ffffffff
<4>[ 184.771459] 1df8 c0170ce4 200f0013 de9a1e08 bf3dd000 bf3dd000 c0abf000 00000000 c0ac03d8
<4>[ 184.771522] 1e18 bf3dd04c bf3dd000 bf3dd058 00000001 bf3e0000 00000000 e9a0b0c0 bf3e0010
<4>[ 184.771589] 1e38 de9a0000 bf3dd04c de9a1f58 c010065c bf3e1000 00000001 ffffffff 00000000
<4>[ 184.771659] 1e58 bf3e2000 00000002 bf3e0000 bf3dd04c de9a1f58 bf3dd058 00000001 bf3dd094
<4>[ 184.771730]
<4>[ 184.771730] R0: 0xc0170c64:
<4>[ 184.771763] 0c64 eafffe41 e1a00004 e28dd01c e8bd8ff0 20000100 c1443500 003000d0 c12f4a00
<4>[ 184.771834] 0c84 57ac6e9d c1242858 c0ebd7ae c01779ec c0ebd7c2 c1443524 c0ebd7d4 c12f83bc
<4>[ 184.771905] 0ca4 c0ebd7eb c1242fe0 c1212040 c0ebb032 c1220cb8 c120a758 c12f8744 e1a0200d
<4>[ 184.771975] 0cc4 e3a01000 e3c23d7f e3c3303f e593200c e58202e8 e593000c e1a02001 ea007583
<4>[ 184.772045] 0ce4 e3100203 e92d45f0 e1a05000 e24dd01c e1a08003 0a000001 e3100906 1a0000ba
<4>[ 184.772115] 0d04 e3150502 13a06000 1a000011 e3150901 13a06002 1a000004 e6ef6075 e3560011
<4>[ 184.772185] 0d24 03a06001 13a06003 eaffffff e1a0c00d e2860003 e3cc3d7f e3a0c001 e3c3303f
<4>[ 184.772255] 0d44 e593300c e5933010 e013301c 03a06000 eaffffff e59f32c4 e59f02c0 e0053003
<4>[ 184.772323]
<4>[ 184.772323] R1: 0xc0170c64:
<4>[ 184.772353] 0c64 eafffe41 e1a00004 e28dd01c e8bd8ff0 20000100 c1443500 003000d0 c12f4a00
<4>[ 184.772417] 0c84 57ac6e9d c1242858 c0ebd7ae c01779ec c0ebd7c2 c1443524 c0ebd7d4 c12f83bc
<4>[ 184.772481] 0ca4 c0ebd7eb c1242fe0 c1212040 c0ebb032 c1220cb8 c120a758 c12f8744 e1a0200d
<4>[ 184.772544] 0cc4 e3a01000 e3c23d7f e3c3303f e593200c e58202e8 e593000c e1a02001 ea007583
<4>[ 184.772608] 0ce4 e3100203 e92d45f0 e1a05000 e24dd01c e1a08003 0a000001 e3100906 1a0000ba
<4>[ 184.772671] 0d04 e3150502 13a06000 1a000011 e3150901 13a06002 1a000004 e6ef6075 e3560011
<4>[ 184.772735] 0d24 03a06001 13a06003 eaffffff e1a0c00d e2860003 e3cc3d7f e3a0c001 e3c3303f
<4>[ 184.772799] 0d44 e593300c e5933010 e013301c 03a06000 eaffffff e59f32c4 e59f02c0 e0053003
<4>[ 184.772863]
<4>[ 184.772863] R2: 0xdc82af84:
<4>[ 184.772893] af84 00000000 00000000 00000000 00000000 00000000 00000000 00000000 2b57f835
<4>[ 184.772956] afa4 2b57fc35 00000000 00000000 00000000 00000000 00000000 00000000 2c501811
<4>[ 184.773025] afc4 2c501c11 2a5ad811 2a5adc11 2a61e811 2a61ec11 00000000 00000000 00000000
<4>[ 184.773094] afe4 00000000 00000000 00000000 00000000 00000000 304f2811 304f2c11 0da00011
<4>[ 184.773163] b004 0da00411 0021940e 0031940e 0041940e 0051940e 0061940e 0071940e 0081940e
<4>[ 184.773233] b024 0091940e 00a1940e 0da00811 0da00c11 0da01011 0da01411 0da01811 0da01c11
<4>[ 184.773303] b044 0da02011 0da02411 0da02811 0da02c11 0da03011 0da03411 0da03811 0da03c11
<4>[ 184.773373] b064 0da04011 0da04411 0da04811 0da04c11 0da05011 0da05411 0da05811 0da05c11
<4>[ 184.773445]
<4>[ 184.773445] R4: 0xc0170c64:
<4>[ 184.773478] 0c64 eafffe41 e1a00004 e28dd01c e8bd8ff0 20000100 c1443500 003000d0 c12f4a00
<4>[ 184.773549] 0c84 57ac6e9d c1242858 c0ebd7ae c01779ec c0ebd7c2 c1443524 c0ebd7d4 c12f83bc
<4>[ 184.773619] 0ca4 c0ebd7eb c1242fe0 c1212040 c0ebb032 c1220cb8 c120a758 c12f8744 e1a0200d
<4>[ 184.773690] 0cc4 e3a01000 e3c23d7f e3c3303f e593200c e58202e8 e593000c e1a02001 ea007583
<4>[ 184.773754] 0ce4 e3100203 e92d45f0 e1a05000 e24dd01c e1a08003 0a000001 e3100906 1a0000ba
<4>[ 184.773817] 0d04 e3150502 13a06000 1a000011 e3150901 13a06002 1a000004 e6ef6075 e3560011
<4>[ 184.773881] 0d24 03a06001 13a06003 eaffffff e1a0c00d e2860003 e3cc3d7f e3a0c001 e3c3303f
<4>[ 184.773944] 0d44 e593300c e5933010 e013301c 03a06000 eaffffff e59f32c4 e59f02c0 e0053003
<4>[ 184.774009]
<4>[ 184.774009] R5: 0xe7f00178:
<4>[ 184.774039] 0178 000406ab 0000d2ab 06ae06ac 0000cd09 06ae06ad 0000cd09 1cbd06ae 0000957c
<4>[ 184.774104] 0198 058006ae 00009595 048106ae 00009596 04fb06ae 00009597 04fb06ae 00009598
<4>[ 184.774168] 01b8 04fb06ae 00009599 080106ae 000096e5 07c306ae 000097c9 00ec06ae 00009813
<4>[ 184.774231] 01d8 050206ae 00009852 067606ae 00009859 1dd806ae 000098ec 04fb06ae 00009b4e
<4>[ 184.774294] 01f8 18a606ae 00009c0f 058006ae 00009c10 0bdc06ae 00009c62 1c2706ae 00009ca0
<4>[ 184.774358] 0218 1e5a06ae 0000a03a 1dd806ae 0000a210 058006ae 0000a288 058006ae 0000a289
<4>[ 184.774427] 0238 0d4806af 00009850 056306af 00009b3f 04f206af 00009cc3 000406af 0000a023
<4>[ 184.774497] 0258 1e5a06af 0000a03a 073406b0 0000957b 005306b2 000095b4 080206b2 000096c6
<4>[ 184.774568]
<4>[ 184.774568] R10: 0xe9a0b040:
<4>[ 184.774602] b040 e9a0b680 e9a0b044 e9a0b044 bf3dd094 00000000 c12611f4 dc804840 00000001
<4>[ 184.774673] b060 00000003 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[ 184.774742] b080 000136ad eba6ec05 eaee9984 ea766f84 c329f811 deb3c7d0 ea9b0b10 00000000
<4>[ 184.774812] b0a0 debf6ba0 e9fd2a00 debf6b80 000001c9 00000001 00000001 00000000 00000000
<4>[ 184.774882] b0c0 e9a0b040 00000001 eb9600c0 00000124 00000024 bf3dc0c4 c01c1f6c 00000000
<4>[ 184.774952] b0e0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<4>[ 184.775021] b100 00000001 00000000 eb960fc0 eb9600c0 eb960b50 00000000 00000000 00000000
<4>[ 184.775091] b120 00000000 5499790f e9824578 00000000 00000000 81240002 00001c0d 00000000
<0>[ 184.775159] Process insmod (pid: 5835, stack limit = 0xde9a0238)
<0>[ 184.775195] Stack: (0xde9a1df8 to 0xde9a2000)
<0>[ 184.775225] 1de0: c0170ce4 200f0013
<0>[ 184.775275] 1e00: de9a1e08 bf3dd000 bf3dd000 c0abf000 00000000 c0ac03d8 bf3dd04c bf3dd000
<0>[ 184.775324] 1e20: bf3dd058 00000001 bf3e0000 00000000 e9a0b0c0 bf3e0010 de9a0000 bf3dd04c
<0>[ 184.775373] 1e40: de9a1f58 c010065c bf3e1000 00000001 ffffffff 00000000 bf3e2000 00000002
<0>[ 184.775422] 1e60: bf3e0000 bf3dd04c de9a1f58 bf3dd058 00000001 bf3dd094 00000001 e9a0b0c0
<0>[ 184.775472] 1e80: 0000001c c01c524c bf3dd058 00007fff c03d6a48 c023007c de9a0000 00000028
<0>[ 184.775521] 1ea0: 00000000 c01c1ff4 00000000 c1218444 bf3dd1a0 00000041 c0b093fc f09ddd90
<0>[ 184.775570] 1ec0: de9a1edc be8c93c4 de9a1f0c c1055198 00000000 00000000 00000000 00000000
<0>[ 184.775619] 1ee0: 00000000 00000000 6e72656b 00006c65 00000000 00000000 00000000 00000000
<0>[ 184.775669] 1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
<0>[ 184.775724] 1f20: 00000000 a8279bb7 000000d2 b6d3f008 00015a68 be8c93c4 00000080 c0106344
<0>[ 184.775780] 1f40: de9a0000 00000200 00015a68 c01c5670 00000080 00000080 f09cd000 00015a68
<0>[ 184.775836] 1f60: f09dd700 f09dd54a f09e2940 00003000 00003130 00000000 00000000 00000000
<0>[ 184.775892] 1f80: 0000002a 0000002b 00000015 00000012 00000010 00000000 00015a68 b6d3f008
<0>[ 184.775948] 1fa0: b6f7fc74 c0106328 00015a68 b6d3f008 b6d3f008 00015a68 be8c93c4 00000000
<0>[ 184.776004] 1fc0: 00015a68 b6d3f008 b6f7fc74 00000080 be8c9844 00000038 00000002 00015a68
<0>[ 184.776059] 1fe0: 00000004 be8c9348 b6f66785 b6efc7f0 600b0010 b6d3f008 00000000 00000000
<4>[ 184.776127] [<c0abe2a0>] (__patch_text+0x24/0x3c) from [<c0abf000>] (arm_kprobe+0x24/0x34)
<4>[ 184.776188] [<c0abf000>] (arm_kprobe+0x24/0x34) from [<c0ac03d8>] (register_kprobe+0x4f0/0x58c)
<4>[ 184.776256] [<c0ac03d8>] (register_kprobe+0x4f0/0x58c) from [<bf3e0010>] (kprobe_init+0x10/0x1000 [kp_mod])
<4>[ 184.776325] [<bf3e0010>] (kprobe_init+0x10/0x1000 [kp_mod]) from [<c010065c>] (do_one_initcall+0xcc/0x180)
<4>[ 184.776391] [<c010065c>] (do_one_initcall+0xcc/0x180) from [<c01c524c>] (load_module+0x1c98/0x1fc0)
<4>[ 184.776450] [<c01c524c>] (load_module+0x1c98/0x1fc0) from [<c01c5670>] (SyS_init_module+0xfc/0x11c)
<4>[ 184.776508] [<c01c5670>] (SyS_init_module+0xfc/0x11c) from [<c0106328>] (__sys_trace_return+0x0/0x18)
<0>[ 184.776563] Code: e1a00004 ebd9561f e1a01004 e1a00004 (e4815004)
<4>[ 184.776608] ---[ end trace dec6997083161644 ]---
<0>[ 184.776642] Kernel panic - not syncing: Fatal exception
EDIT 2: I tried using the following code to do a page walk and set the PTE to be write-enabled, but writing to the address causes the kernel to die and restart again.
#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/sched.h>
#include <linux/io.h>
#include <asm/pgtable.h>

/* prints() is not defined in the original fragment; assumed to be a printk wrapper. */
#define prints(fmt, ...) printk(KERN_INFO fmt, ##__VA_ARGS__)

static void walk_and_write(void)
{
    /* Declarations the fragment omits. my_addr is the physical address computed
     * in the edit above; p and mm are assumed: p via the same phys_to_virt()
     * translation as the first snippet, mm as the current task's address space. */
    unsigned long my_addr = 0x1C1D50;
    unsigned char *p = (unsigned char *)phys_to_virt(my_addr);
    struct mm_struct *mm = current->active_mm;
    pgd_t *pgd;
    pud_t *pud;
    pmd_t *pmd;
    pte_t *ptep, pte;
    struct page *page;

    pgd = pgd_offset(mm, my_addr);
    if (pgd_none(*pgd) || pgd_bad(*pgd))
        goto out;
    prints("Valid pgd: [%08lx] *pgd=%08llx\n", my_addr, (long long)pgd_val(*pgd));
    pud = pud_offset(pgd, my_addr);
    if (pud_none(*pud) || pud_bad(*pud))
        goto out;
    prints("Valid pud\n");
    pmd = pmd_offset(pud, my_addr);
    if (pmd_none(*pmd) || pmd_bad(*pmd))
        goto out;
    prints("Valid pmd\n");
    ptep = pte_offset_map(pmd, my_addr);
    if (!ptep)
        goto out;
    pte = *ptep;
    page = pte_page(pte);
    if (page)
        prints("page frame struct is @ %p\n", page);
    if (pte_write(pte)) {
        prints("Pte is writable!\n");
    } else {
        prints("Pte is read-only!\n");
        /* pte_mkwrite() returns a modified copy; the entry in the page table itself is untouched. */
        pte = pte_mkwrite(pte);
        if (pte_write(pte)) {
            prints("Pte is now writable!\n");
            p[0] = 0x02;
            p[3] = 0x1A;
            pte = pte_wrprotect(pte);
        } else {
            prints("Pte is still read-only!\n");
        }
    }
    pte_unmap(ptep);
    return;
out:
    prints("Page table walk failed for %08lx\n", my_addr);
}
Any insights on this issue?
The virtual to physical mapping is controlled by hardware. The hardware, specifically the memory management unit (MMU), needs to be programmed to understand what the virtual to physical mapping is. Furthermore, phys_to_virt does not set up any virtual to physical mapping using the MMU. In fact, depending on the architecture, it is just doing a simple calculation:
#define __phys_to_virt(x) ((unsigned long)((x) - PHYS_OFFSET + PAGE_OFFSET))

static inline void *phys_to_virt(phys_addr_t x)
{
    return (void *)(__phys_to_virt(x));
}
This is taken from the ARM64 Linux kernel. I am assuming ARM64 since we are talking about Android, but the general idea applies to x86 and 32-bit ARM.
This simple offset calculation works because phys_to_virt only works when passed a physical address in the kernel mapping. Taken from this Linux doc:
The returned virtual address is a current CPU mapping for the memory address given. It is only valid to use this function on addresses that have a kernel mapping
This function does not handle bus mappings for DMA transfers. In almost all conceivable cases a device driver should not be using this function
So to summarize, you cannot pass in any random value for the physical address and expect phys_to_virt to work.
Update based on question update and comments:
If you are able to read from a memory location but not write to it, then most likely it has been marked as read-only using the MMU data structures. Some internet searching reveals that there are some patches and proposals to make the text and read-only sections of the ARM Linux kernel read-only.
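The arithmetic in the macro above, and the "only valid on addresses that have a kernel mapping" condition the answer quotes, can be checked against the numbers in the question without touching a device. The block below is an added example written for this page (not the answer's code and not the kernel's): it reimplements the phys_to_virt/virt_to_phys offset calculation for a 32-bit ARM kernel, adds the range test the plain macro lacks (modelled on the kernel's virt_addr_valid, which requires the address to lie between PAGE_OFFSET and high_memory), and runs it over a few constructed physical addresses. PAGE_OFFSET, PHYS_OFFSET and HIGH_MEMORY are assumed values; only PAGE_OFFSET is implied by the 0xc0... addresses in the question's logs.

```c
/* Added example: the kernel linear-map translation in user space, with the
 * range check a caller of phys_to_virt() is responsible for. Assumed layout
 * for a 32-bit ARM kernel with the 3G/1G split (constants are not taken from
 * the question's device). */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

#define PAGE_OFFSET  0xc0000000u   /* assumed: start of the kernel linear (direct) mapping */
#define PHYS_OFFSET  0x00000000u   /* assumed: physical base of RAM */
#define HIGH_MEMORY  0xef800000u   /* assumed: end of lowmem; the kernel keeps this in high_memory */

/* The two macros the answer quotes, with 32-bit wraparound preserved. */
uint32_t phys_to_virt_linear(uint32_t phys)
{
    return (uint32_t)(phys - PHYS_OFFSET + PAGE_OFFSET);
}

uint32_t virt_to_phys_linear(uint32_t virt)
{
    return (uint32_t)(virt - PAGE_OFFSET + PHYS_OFFSET);
}

/* Mirror of the kernel's virt_addr_valid() range test: true only when the
 * virtual address lies inside the direct mapping. Module text (the bf...
 * addresses in the oops) is kernel-mapped but lives below PAGE_OFFSET,
 * so it correctly fails this test. */
bool kernel_linear_addr_valid(uint32_t virt)
{
    return virt >= PAGE_OFFSET && virt < HIGH_MEMORY;
}

/* phys_to_virt() plus the check the bare macro does not perform. Returns
 * false when the physical address has no linear-map alias and the computed
 * pointer must not be dereferenced. */
bool phys_to_virt_checked(uint32_t phys, uint32_t *virt)
{
    *virt = phys_to_virt_linear(phys);
    return kernel_linear_addr_valid(*virt);
}

int main(void)
{
    /* Constructed inputs: the address from the question, one inside RAM,
     * and two that fall outside the direct mapping after the offset. */
    const uint32_t samples[] = { 0x001C1D50u, 0x12345678u, 0x40000000u, 0xfe000000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t virt;
        bool ok = phys_to_virt_checked(samples[i], &virt);
        printf("phys 0x%08x -> virt 0x%08x (%s)\n", samples[i], virt,
               ok ? "inside kernel linear map" : "NOT covered by phys_to_virt");
    }
    /* The by-hand translation in the question (subtract 0xc0008000, then add
     * 0x8000) is the same as virt_to_phys_linear() when PHYS_OFFSET is 0. */
    printf("virt 0xc01c1d50 -> phys 0x%08x\n", virt_to_phys_linear(0xc01c1d50u));
    return 0;
}
```

The first sample lands on 0xc01c1d50, exactly the virtual address the first oops reports, which confirms the question's manual translation; it also shows that passing the range test says nothing about write permission, which is a separate attribute in the page-table entry and is the reason the read succeeded while the write faulted.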