On an old PowerMac G5: two 32-bit powerpc FreeBSD vmcores from having protected most wired kernel memory from execution: what is common
Mark Millard
markmi at dsl-only.net
Fri Jun 2 13:15:38 UTC 2017
Based on the changed page protections. . .
Instead of an illegal instruction, the periodic/random kernel panic
reported for both example panics:
fatal kernel trap:
exception = 0x400 instruction storage interrupt
virtual address = 0x90a0f0
srr0 = 0x90a0f0
srr1 = 0x10001032
lr = 0x535ad0
(sched_affinity+0x18 ???)
curthread = 0x147d360
pid = 11, comm = idle: cpu1
[ thread pid 11 tid 100003 ]
Stopped at etext+0xb8fc: illegal instruction 0
(So it looks like I disabled execute in that
area correctly.)
Most levels of the backtraces are different
between vmcore.5 and vmcore.6, but the
lowest-level ones are the same.
In particular, the prior bl is to tdq_add
from sched_add, but the 0x90a0f0 it jumps
to when getting the 0x400 exception is
wildly different from the 0x5356ec for the
bl to tdq_add.
For reference: sched_affinity through
sched_affinity+0x18 is:
00535ab8 <sched_affinity> stwu r1,-32(r1)
00535abc <sched_affinity+0x4> mflr r0
00535ac0 <sched_affinity+0x8> stw r29,20(r1)
00535ac4 <sched_affinity+0xc> stw r30,24(r1)
00535ac8 <sched_affinity+0x10> stw r31,28(r1)
00535acc <sched_affinity+0x14> stw r0,36(r1)
00535ad0 <sched_affinity+0x18> mr r31,r1
So 00535ad0 is an odd spot for a lr value.
backtrace summary for vmcore.5:
(Listing the LR values, not 4 back from that.)
trapexit+0x0 (after trapagain+0x4) for 0x400 trap
0x90a0f0 from .hash section (bad address)
sched_add+0x1a0
005359c4 <sched_add+0x188> bl 004cde6c <thread_lock_unblock>
005359c8 <sched_add+0x18c> bl 008ea4e0 <spinlock_exit>
005359cc <sched_add+0x190> mr r3,r28
005359d0 <sched_add+0x194> mr r4,r27
005359d4 <sched_add+0x198> mr r5,r25
005359d8 <sched_add+0x19c> bl 005356ec <tdq_add>
005359dc <sched_add+0x1a0> mfsprg r9,0
(from here until cpu_idle_60x+0x88 is not common with vmcore.6)
intr_event_schedule_thread+0xd0
004a8780 <intr_event_schedule_thread+0xc4> mr r3,r28
004a8784 <intr_event_schedule_thread+0xc8> li r4,4
004a8788 <intr_event_schedule_thread+0xcc> bl 0053583c <sched_add>
004a878c <intr_event_schedule_thread+0xd0> lwz r9,0(r28)
intr_event_handle+0x114
powerpc_dispatch_intr+0xcc
openpic_dispatch+0x94
powerpc_interrupt+0xc4
trapexit+0x0 (after trapagain+0x4) for 0x500 trap (vmcore.6: 0x900)
cpu_idle_60x+0x88
. . . (not shown)
backtrace summary for vmcore.6:
(Listing the LR values, not 4 back from that.)
trapexit+0x0 (after trapagain+0x4) for 0x400 trap
0x90a0f0 from .hash section (bad address)
sched_add+0x1a0
005359c4 <sched_add+0x188> bl 004cde6c <thread_lock_unblock>
005359c8 <sched_add+0x18c> bl 008ea4e0 <spinlock_exit>
005359cc <sched_add+0x190> mr r3,r28
005359d0 <sched_add+0x194> mr r4,r27
005359d4 <sched_add+0x198> mr r5,r25
005359d8 <sched_add+0x19c> bl 005356ec <tdq_add>
005359dc <sched_add+0x1a0> mfsprg r9,0
(from here until cpu_idle_60x+0x88 is not common with vmcore.5)
sched_wakeup+0xa8
00535c0c <sched_wakeup+0x9c> mr r3,r29
00535c10 <sched_wakeup+0xa0> li r4,0
00535c14 <sched_wakeup+0xa4> bl 0053583c <sched_add>
00535c18 <sched_wakeup+0xa8> lwz r11,0(r1)
setrunnable+0xa0
sleepq_resume_thread+0x180
sleepq_timeout+0xcc
softclock_call_cc+0x1f4
callout_process+0x280
handleevents+0x2ac
timercb+0x4c4
decr_intr+0xf4
powerpc_dispatch_intr+0xf8
trapexit+0x0 (after trapagain+0x4) for 0x900 trap (vmcore.5: 0x500)
cpu_idle_60x+0x88
. . . (not shown)
From the vmcore.5:
(The formatting depends on mono-spaced text)
[ ]: trapexit+0x0 (after trapagain+0x4)
013ed680 df 5e a7 40 00 10 08 f8 00 00 00 04 df 5e a7 40 |.^.@.........^.@|
013ed690 01 47 d3 60 00 00 00 14 01 47 e3 60 00 00 00 04 |.G.`.....G.`....|
013ed6a0 00 00 00 04 00 fd 98 7f 00 00 00 00 00 d4 c0 50 |...............P|
013ed6b0 01 47 d3 60 df 5e a7 80 df 5d 0d 00 00 00 00 00 |.G.`.^...]......|
013ed6c0 00 d4 be 00 00 cb 98 98 00 c9 66 bc 00 c4 5e a8 |..........f...^.|
013ed6d0 00 c9 66 bc 00 d4 c5 4c df 5e a9 e0 00 eb a8 00 |..f....L.^......|
013ed6e0 00 c9 66 bc 01 47 d3 60 00 00 00 00 df 5e a8 78 |..f..G.`.....^.x|
013ed6f0 01 44 0e 00 01 47 d3 60 00 eb af 00 01 47 d3 60 |.D...G.`.....G.`|
013ed700 00 d1 ca ac df 5e a7 40 00 53 5a d0 20 00 90 34 |.....^.@.SZ. ..4|
[ ]: sched_affinity+0x18
[ ]: From .hash section
013ed710 00 00 00 00 00 8d ef b4 00 90 a0 f0 10 00 10 32 |...............2|
[0x400 trap]
013ed720 00 00 04 00 41 a1 e5 68 0a 00 00 00 01 47 e3 60 |....A..h.....G.`|
013ed730 00 eb af 00 01 47 d3 60 00 d1 ca ac df 5e a7 40 |.....G.`.....^.@|
[ ]: sched_add+0x1a0
013ed740 df 5e a7 80 00 53 59 dc 00 c9 66 bc 00 d4 c5 4c |.^...SY...f....L|
013ed750 df 5e a9 e0 00 eb a8 00 00 c9 66 bc 00 00 00 04 |.^........f.....|
013ed760 00 00 00 00 df 5e a8 78 01 44 0e 00 01 47 d3 60 |.....^.x.D...G.`|
013ed770 01 47 e3 60 01 51 ff 80 00 d1 b4 30 df 5e a7 80 |.G.`.Q.....0.^..|
[ ]: intr_event_schedule_thread+0xd0
013ed780 df 5e a7 b0 00 4a 87 8c 6d 0c 21 5c df 5e 00 00 |.^...J..m.!\.^..|
013ed790 df 5e a7 b0 00 00 00 7c 00 00 00 00 01 47 d3 60 |.^.....|.....G.`|
013ed7a0 00 00 00 01 00 00 00 00 00 d2 6e 70 df 5e a7 b0 |..........np.^..|
[ ]: intr_event_handle+0x114
013ed7b0 df 5e a7 e0 00 4a 95 fc 00 c9 66 bc 00 00 00 00 |.^...J....f.....|
013ed7c0 df 5e a9 8c df 5e a8 78 df 5e a8 78 01 44 0e 00 |.^...^.x.^.x.D..|
013ed7d0 00 02 10 a0 01 48 b2 80 00 d2 6e 70 df 5e a7 e0 |.....H....np.^..|
[ ]: powerpc_dispatch_intr+0xcc
013ed7e0 df 5e a8 10 00 8e 91 8c df 5e a7 f0 00 cf 48 a8 |.^.......^....H.|
013ed7f0 df 5e a8 10 df 5e a8 78 01 47 d3 60 df 5e a8 78 |.^...^.x.G.`.^.x|
013ed800 00 02 10 a0 01 4c d4 00 00 d2 70 2c df 5e a8 10 |.....L....p,.^..|
[ ]: openpic_dispatch+0x94
013ed810 df 5e a8 40 00 8e c9 48 ec 94 8e 64 e6 38 8f 72 |.^.@...H...d.8.r|
013ed820 df 5e a8 40 00 00 00 02 00 00 00 00 00 eb af 00 |.^.@............|
013ed830 41 a1 e5 68 01 48 b1 00 00 d2 6e 60 df 5e a8 40 |A..h.H....n`.^.@|
[ ]: powerpc_interrupt+0xc4
013ed840 df 5e a8 70 00 8e 7d 28 8b 00 00 00 00 00 55 c4 |.^.p..}(......U.|
013ed850 00 cd f0 74 00 00 00 03 00 00 00 03 00 eb af 00 |...t............|
013ed860 41 a1 e5 68 0a 00 00 00 00 00 00 00 00 00 90 32 |A..h...........2|
[ ]: trapexit+0x0 (after trapagain+0x4)
013ed870 df 5e a9 30 00 10 08 f8 00 04 90 32 df 5e a9 30 |.^.0.......2.^.0|
013ed880 01 47 d3 60 00 00 00 00 7f a3 8e 84 00 00 00 00 |.G.`............|
013ed890 7f a3 8e 84 00 fd 98 7f 00 00 00 00 00 00 00 44 |...............D|
013ed8a0 01 fc a0 55 00 00 90 32 df 5d 0d 00 00 00 00 00 |...U...2.]......|
013ed8b0 00 d4 be 00 00 cb 98 98 00 c9 66 bc 00 c4 5e a8 |..........f...^.|
013ed8c0 00 c9 66 bc 00 d4 c5 4c df 5e a9 e0 00 eb a8 00 |..f....L.^......|
013ed8d0 00 c9 66 bc 01 47 d3 60 df 5e a9 8c 00 00 00 03 |..f..G.`.^......|
013ed8e0 00 00 00 03 00 eb af 00 00 00 00 00 00 8e 3c b8 |..............<.|
013ed8f0 00 d2 6c 04 df 5e a9 30 00 8e 3c d4 40 00 00 42 |..l..^.0..<.@..B|
[ ]: cpu_idle_60x+0x88
013ed900 20 00 00 00 00 8e 3c b8 00 8e 3d 40 00 00 90 32 | .....<...=@...2|
[0x500 trap]
013ed910 00 00 05 00 41 a1 e5 68 0a 00 00 00 00 00 00 00 |....A..h........|
013ed920 0b 5c 71 7c 79 c0 d7 fc 00 00 00 00 00 00 00 04 |.\q|y...........|
[ignore? ] (see above trap frame)
013ed930 df 5e a9 50 00 00 00 03 00 00 00 03 00 eb af 00 |.^.P............|
013ed940 00 00 00 00 00 d4 ca 44 00 d2 6c 04 df 5e a9 50 |.......D..l..^.P|
[ ]: cpu_idle+0x58
013ed950 df 5e a9 70 00 8e 32 5c 00 00 00 02 00 eb af 00 |.^.p..2\........|
013ed960 00 f2 d6 7c 00 00 00 03 00 d1 ca ac df 5e a9 70 |...|.........^.p|
[ ]: sched_idletd+0x4d4
013ed970 df 5e aa 50 00 53 6e 7c df 5e a9 80 00 00 00 00 |.^.P.Sn|.^......|
013ed980 df 5e a9 b0 01 47 d3 60 df 5e a9 90 ff ff ff fd |.^...G.`.^......|
013ed990 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
013ed9a0 ff ff ff ff ff ff ff ff ff ff ff ff df 5e a9 b0 |.............^..|
013ed9b0 df 5e a9 d0 00 00 00 02 ff ff ff ff 00 00 01 e5 |.^..............|
013ed9c0 ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff ff |................|
013ed9d0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
013ed9e0 ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff ff |................|
013ed9f0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
013eda00 df 5e aa 20 00 f6 4a 00 00 00 00 00 00 00 00 00 |.^. ..J.........|
013eda10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
013eda30 00 00 00 00 00 53 69 a8 df 5e aa 98 00 00 00 00 |.....Si..^......|
013eda40 01 47 96 e0 01 47 d3 60 00 d1 b3 70 df 5e aa 50 |.G...G.`...p.^.P|
[ ]: fork_exit+0xb4
013eda50 df 5e aa 80 00 4a 3c b4 df 5e aa 60 df 5e aa 60 |.^...J<..^.`.^.`|
013eda60 df 5e aa 80 00 00 00 00 00 00 00 00 00 00 00 00 |.^..............|
013eda70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ ]: fork_trampoline+0x10
013eda80 00 00 00 00 00 8f 19 90 00 53 69 a8 00 00 00 00 |.........Si.....|
013eda90 df 5e aa 98 00 00 00 00 00 00 00 00 00 00 00 00 |.^..............|
013edaa0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
From the vmcore.6:
[ ]: trapexit+0x0 (after trapagain+0x4)
013ed4d0 df 5e a5 90 00 10 08 f8 00 00 00 04 df 5e a5 90 |.^...........^..|
013ed4e0 01 47 d3 60 00 00 00 54 05 91 b0 00 00 00 00 00 |.G.`...T........|
013ed4f0 00 00 00 00 00 00 00 0f 00 00 00 00 00 d4 c0 50 |...............P|
013ed500 01 47 d3 60 df 5e a5 d0 00 00 00 00 00 00 00 00 |.G.`.^..........|
013ed510 00 d4 be 00 00 cb 98 98 00 d4 c4 6c 00 d4 c4 6c |...........l...l|
013ed520 00 11 11 97 00 11 12 16 00 00 11 11 05 91 b0 00 |................|
013ed530 00 56 64 30 00 00 01 14 00 00 00 00 00 00 00 00 |.Vd0............|
013ed540 00 00 00 01 00 00 00 00 00 eb af 00 01 47 d3 60 |.............G.`|
013ed550 00 d1 ca ac df 5e a5 90 00 53 5a d0 20 00 90 34 |.....^...SZ. ..4|
[ ]: sched_affinity+0x18
[ ]: From .hash section
013ed560 00 00 00 00 00 00 00 00 00 90 a0 f0 10 00 10 32 |...............2|
[0x400 trap]
013ed570 00 00 04 00 01 81 a4 7c 0a 00 00 00 05 91 b0 00 |.......|........|
013ed580 00 eb af 00 01 47 d3 60 00 d1 ca ac df 5e a5 90 |.....G.`.....^..|
[ ]: sched_add+0x1a0
013ed590 df 5e a5 d0 00 53 59 dc 00 00 00 01 00 d4 c5 4c |.^...SY........L|
013ed5a0 df 5e 00 00 00 00 00 40 df 5e a5 b0 00 00 00 04 |.^.....@.^......|
013ed5b0 df 5e a5 d0 00 00 00 00 00 00 00 01 00 00 00 00 |.^..............|
013ed5c0 05 91 b3 28 05 91 b0 00 00 d1 ca ac df 5e a5 d0 |...(.........^..|
[ ]: sched_wakeup+0xa8
013ed5d0 df 5e a5 f0 00 53 5c 18 00 00 00 00 00 00 00 00 |.^...S\.........|
013ed5e0 01 42 b0 80 05 91 b0 00 00 d1 c4 c4 df 5e a5 f0 |.B...........^..|
[ ]: setrunnable+0xa0
013ed5f0 df 5e a6 10 00 50 26 08 df 5e a6 00 00 cb 98 98 |.^...P&..^......|
013ed600 df 5e a6 40 00 d4 c4 6c 00 d1 d5 34 df 5e a6 10 |.^.@...l...4.^..|
[ ]: sleepq_resume_thread+0x180
013ed610 df 5e a6 40 00 56 43 2c 00 56 64 30 00 00 01 14 |.^.@.VC,.Vd0....|
013ed620 df 5e a6 40 00 00 00 00 00 00 00 01 00 00 11 11 |.^.@............|
013ed630 8a d3 94 2a 05 91 b0 00 00 d1 d5 34 df 5e a6 40 |...*.......4.^.@|
[ ]: sleepq_timeout+0xcc
013ed640 df 5e a6 80 00 56 64 fc 00 c9 66 bc 00 00 00 00 |.^...Vd...f.....|
013ed650 00 00 11 11 00 00 00 00 97 a0 fc 3d 80 96 c0 38 |...........=...8|
013ed660 df 5e a6 80 00 8e a5 04 00 d2 5b 10 05 91 b2 a0 |.^........[.....|
013ed670 00 e9 58 00 00 00 00 00 00 d1 c8 20 df 5e a6 80 |..X........ .^..|
[ ]: softclock_call_cc+0x1f4
013ed680 df 5e a6 f0 00 51 63 84 00 d2 5b 10 df 5e a6 90 |.^...Qc...[..^..|
013ed690 df 5e a6 f0 00 8a ca a8 df 5e a6 a0 00 00 00 0f |.^.......^......|
013ed6a0 df 5e a7 10 00 4c e2 f4 68 fc 88 02 00 00 00 04 |.^...L..h.......|
013ed6b0 df 5e a6 d0 00 00 00 02 00 11 11 97 00 11 12 16 |.^..............|
013ed6c0 00 00 11 11 d7 a0 9d 9d 00 11 11 8a 00 00 11 11 |................|
013ed6d0 97 a0 9d 9d 00 00 11 12 17 00 00 00 00 00 11 12 |................|
013ed6e0 17 00 00 00 00 e9 58 00 00 d1 c8 20 df 5e a6 f0 |......X.... .^..|
[ ]: callout_process+0x280
013ed6f0 df 5e a7 50 00 51 77 c0 df 5e a8 78 01 47 d3 60 |.^.P.Qw..^.x.G.`|
013ed700 01 47 d4 58 00 00 00 00 00 d1 ab 24 00 00 00 04 |.G.X.......$....|
013ed710 00 c9 66 bc 00 c4 5e a8 00 c9 66 bc 00 d4 c5 4c |..f...^...f....L|
013ed720 00 d0 53 00 00 eb a8 00 00 00 00 01 00 00 00 00 |..S.............|
013ed730 df 5e a9 8c 00 00 00 00 df 5e a8 78 00 00 11 11 |.^.......^.x....|
013ed740 97 a0 9d 9d df 5d 0d 00 00 d2 5b 10 df 5e a7 50 |.....]....[..^.P|
[ ]: handleevents+0x2ac
013ed750 df 5e a7 a0 00 8a b2 70 df 5e a7 60 df 5e a7 60 |.^.....p.^.`.^.`|
013ed760 df 5e a7 a0 00 53 49 dc 00 d2 5b 10 00 00 00 04 |.^...SI...[.....|
013ed770 df 5e a7 c0 05 9b d2 00 00 c9 66 bc 01 47 d3 60 |.^........f..G.`|
013ed780 df 5e a9 8c 00 f6 1d 90 00 00 11 11 97 a0 9d 9d |.^..............|
013ed790 df 5d 0d 00 df 5d 0d 30 00 d2 5b 10 df 5e a7 a0 |.]...].0..[..^..|
[ ]: timercb+0x4c4
013ed7a0 df 5e a8 20 00 8a d1 10 00 d2 6e 70 df 5e a7 b0 |.^. ......np.^..|
013ed7b0 df 5e a7 e0 00 4a 96 00 00 00 11 11 00 00 00 00 |.^...J..........|
013ed7c0 97 a0 9d 9d 53 27 aa d0 df 5e a8 78 05 86 37 00 |....S'...^.x..7.|
013ed7d0 df 5e a7 f0 05 86 37 80 00 d4 be 00 00 cb 98 98 |.^....7.........|
013ed7e0 00 c9 66 bc 00 c4 5e a8 00 c9 66 bc 00 d4 c5 4c |..f...^...f....L|
013ed7f0 df 5e a9 e0 00 eb a8 00 00 c9 66 bc 01 47 d3 60 |.^........f..G.`|
013ed800 df 5e a9 8c df 5e a8 78 01 47 d3 60 00 00 00 00 |.^...^.x.G.`....|
013ed810 00 f6 1d 90 00 00 00 01 00 d2 6b dc df 5e a8 20 |..........k..^. |
[ ]: decr_intr+0xf4
013ed820 df 5e a8 40 00 8e 1f 08 00 00 00 00 00 00 00 04 |.^.@............|
013ed830 01 47 d4 34 00 00 00 01 00 d2 6e 60 df 5e a8 40 |.G.4......n`.^.@|
[ ]: powerpc_dispatch_intr+0xf8
013ed840 df 5e a8 70 00 8e 7d 5c 00 d1 ca ac df 5e a8 50 |.^.p..}\.....^.P|
013ed850 00 cd f0 74 00 00 00 03 00 00 00 03 00 eb af 00 |...t............|
013ed860 01 81 a4 7c 0a 00 00 00 00 00 00 00 00 00 90 32 |...|...........2|
[ ]: trapexit+0x0 (after trapagain+0x4)
013ed870 df 5e a9 30 00 10 08 f8 00 04 90 32 df 5e a9 30 |.^.0.......2.^.0|
013ed880 01 47 d3 60 00 00 00 00 0d 0a d2 89 00 00 00 00 |.G.`............|
013ed890 0d 0a d2 89 00 19 e9 a4 00 00 00 00 00 00 00 44 |...............D|
013ed8a0 01 fc a0 55 00 00 90 32 df 5d 0d 00 00 00 00 00 |...U...2.]......|
013ed8b0 00 d4 be 00 00 cb 98 98 00 c9 66 bc 00 c4 5e a8 |..........f...^.|
013ed8c0 00 c9 66 bc 00 d4 c5 4c df 5e a9 e0 00 eb a8 00 |..f....L.^......|
013ed8d0 00 c9 66 bc 01 47 d3 60 df 5e a9 8c 00 00 00 03 |..f..G.`.^......|
013ed8e0 00 00 00 03 00 eb af 00 00 00 00 00 00 8e 3c b8 |..............<.|
013ed8f0 00 d2 6c 04 df 5e a9 30 00 8e 3c d4 40 00 00 42 |..l..^.0..<.@..B|
[ ]: cpu_idle_60x+0x88
013ed900 20 00 00 00 00 8e 3c b8 00 8e 3d 40 00 00 90 32 | .....<...=@...2|
[0x900 trap]
013ed910 00 00 09 00 01 81 a4 7c 0a 00 00 00 00 00 00 00 |.......|........|
013ed920 8a 95 8e 6d 80 4a 8c 8c 00 00 00 00 00 00 00 04 |...m.J..........|
[ignore? ] (see above trap frame)
013ed930 df 5e a9 50 00 00 00 03 00 00 00 03 00 eb af 00 |.^.P............|
013ed940 00 00 00 00 00 d4 ca 44 00 d2 6c 04 df 5e a9 50 |.......D..l..^.P|
[ ]: cpu_idle+0x58
013ed950 df 5e a9 70 00 8e 32 5c 00 00 00 02 00 eb af 00 |.^.p..2\........|
013ed960 00 f2 d6 7c 00 00 00 03 00 d1 ca ac df 5e a9 70 |...|.........^.p|
[ ]: sched_idletd+0x4d4
013ed970 df 5e aa 50 00 53 6e 7c df 5e a9 80 00 00 00 00 |.^.P.Sn|.^......|
013ed980 df 5e a9 b0 01 47 d3 60 00 d2 5b 10 ff ff ff fd |.^...G.`..[.....|
013ed990 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
013ed9a0 ff ff ff ff ff ff ff ff ff ff ff ff df 5e a9 b0 |.............^..|
013ed9b0 df 5e a9 d0 00 00 00 02 ff ff ff ff 00 00 01 e5 |.^..............|
013ed9c0 ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff ff |................|
013ed9d0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
013ed9e0 ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff ff |................|
013ed9f0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
013eda00 df 5e aa 50 00 f6 4a 00 00 00 00 00 00 00 00 00 |.^.P..J.........|
013eda10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
013eda30 00 00 00 00 00 53 69 a8 df 5e aa 98 00 00 00 00 |.....Si..^......|
013eda40 01 47 96 e0 01 47 d3 60 00 d1 b3 70 df 5e aa 50 |.G...G.`...p.^.P|
[ ]: fork_exit+0xb4
013eda50 df 5e aa 80 00 4a 3c b4 df 5e aa 60 fa 50 05 af |.^...J<..^.`.P..|
013eda60 df 5e aa 80 00 00 00 00 00 00 00 00 00 00 00 00 |.^..............|
013eda70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[ ]: fork_trampoline+0x10
013eda80 00 00 00 00 00 8f 19 90 00 53 69 a8 00 00 00 00 |.........Si.....|
013eda90 df 5e aa 98 00 00 00 00 00 00 00 00 00 00 00 00 |.^..............|
013edaa0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
FYI: The memory protection debugging hack in (and some
before):
void
moea64_kenter_attr(mmu_t mmu, vm_offset_t va, vm_paddr_t pa, vm_memattr_t ma)
is currently:
# svnlite diff /usr/src/sys/powerpc/aim/mmu_oea64.c
Index: /usr/src/sys/powerpc/aim/mmu_oea64.c
===================================================================
--- /usr/src/sys/powerpc/aim/mmu_oea64.c (revision 317820)
+++ /usr/src/sys/powerpc/aim/mmu_oea64.c (working copy)
@@ -1752,6 +1752,18 @@
PV_PAGE_UNLOCK(m);
}
+#if defined(AIM) && !defined(__powerpc64__)
+//
+// Part of PowerMac G5 HACK FOR PROBLEM FINDING. . .
+// (G5 used via 32-bit FreeBSD.)
+//
+
+extern char _GOT_START_[]; // beginning of .got/.got.plt
+extern char _GOT_END_[]; // ending of .got/.got.plt
+
+extern vm_offset_t __startkernel, __endkernel;
+#endif
+
/*
* Map a wired page into kernel virtual address space.
*/
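Review bot: `__startkernel` is declared in this hunk (`extern vm_offset_t __startkernel, __endkernel;`) but no line of the diff reads it; the executable-range test in the next hunk starts from `etext` instead. Either drop it from the declaration or use it, and add a one-line comment stating which linker script is expected to provide `_GOT_START_`/`_GOT_END_`, since nothing in this file defines them and a missing symbol only shows up at link time.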
@@ -1762,6 +1774,52 @@
struct pvo_entry *pvo, *oldpvo;
pvo = alloc_pvo_entry(0);
+#if defined(AIM) && !defined(__powerpc64__)
+ //
+ // PowerMac G5 HACK FOR PROBLEM FINDING. . .
+ // (G5 used via 32-bit FreeBSD.)
+ //
+ // As a problem-finding-aid try to catch some examples of
+ // jumping to non-code in the kernel before it tries to
+ // execute that that code. Hopefully this will show where
+ // the bad jump into the likes of the .hash section is
+ // happening. (dbb bt and vmcore.*'s have not lead to
+ // that information so far.)
+ //
+ if (cpu_features & PPC_FEATURE_64)
+ {
+ // First deal with pages that should have the original
+ // VM_PROT_EXECUTE status for something on the page
+ // (most pages in the kernel area). So pages with some
+ // byte(s) from .text, .got, or .got.plt, along with
+ // any requested from before where __startkernel
+ // indicates. Also any va requested from a page
+ // containing where __endkernel indicates or later
+ // gets VM_PROT_EXECUTE if such a va is requested.
+ //
+ // So: have just the rest of the kernel area not have
+ // VM_PROT_EXECUTE status in hopes that it will report
+ // where the code is that is making bad jumps to
+ // non-code, such as jumping into the .hash section
+ // instead of reporting on illegal instructions
+ // from the incorrect traget area.
+ //
+ if ( va < ((vm_offset_t)(etext+(PAGE_SIZE-1)) & ~PAGE_MASK) )
+ pvo->pvo_pte.prot = VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE;
+
+ else if ( ((vm_offset_t)_GOT_START_ & ~PAGE_MASK) <= va
+ && va < ((vm_offset_t)(_GOT_END_+(PAGE_SIZE-1)) & ~PAGE_MASK)
+ )
+ pvo->pvo_pte.prot = VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE;
+
+ else if ( va < (__endkernel & ~PAGE_MASK) )
+ pvo->pvo_pte.prot = VM_PROT_READ | VM_PROT_WRITE;
+
+ else // Otherwise do as before the HACK:
+ pvo->pvo_pte.prot = VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE;
+ }
+ else
+#endif
pvo->pvo_pte.prot = VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE;
pvo->pvo_pte.pa = (pa & ~ADDR_POFF) | moea64_calc_wimg(pa, ma);
pvo->pvo_vaddr |= PVO_WIRED;
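Review bot: the comment block and the code disagree on the first range: the comment says anything before where `__startkernel` indicates keeps VM_PROT_EXECUTE, but the first test is `va < ((vm_offset_t)(etext+(PAGE_SIZE-1)) & ~PAGE_MASK)`, so `__startkernel` is never consulted. Make the comment match the code (or test `__startkernel` explicitly). The hand-rolled rounding would also read better with the kernel's `round_page()`/`trunc_page()` macros, e.g. `va < round_page((vm_offset_t)etext)` and `va < trunc_page(__endkernel)`. Minor: `traget`, `dbb` (ddb) and `that that` in the comment.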
Being va-based for when to avoid VM_PROT_EXECUTE
this way means that the openfirmware-related
virtual addresses that go through this code still
get VM_PROT_EXECUTE, even if some had pa's in the
loaded kernel's address range (if such were
possible).
Note: While 32-bit powerpc FreeBSD uses a relocatable
kernel format, it seems to not actually change the
code addresses on the G5 from what objdump reports
when looking at /boot/kernel/kernel.
===
Mark Millard
markmi at dsl-only.net
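The `[ ]: sched_add+0x1a0` style labels in the dumps above follow the 32-bit PowerPC frame layout: word 0 of a frame is the back chain to the caller's frame and word 1 is the saved LR returning into the function that owns the frame. The script below is an added example, not part of the original post: it walks three frames copied from the vmcore.5 dump using that layout. The symbol table and the va-to-dump-address constant are reconstructed from the objdump and dump values in the post and are assumptions, not something the author supplied.

```python
import re
# Constructed sample: three frames copied from the vmcore.5 dump in the post.
DUMP = """\
013ed740 df 5e a7 80 00 53 59 dc 00 c9 66 bc 00 d4 c5 4c
013ed750 df 5e a9 e0 00 eb a8 00 00 c9 66 bc 00 00 00 04
013ed760 00 00 00 00 df 5e a8 78 01 44 0e 00 01 47 d3 60
013ed770 01 47 e3 60 01 51 ff 80 00 d1 b4 30 df 5e a7 80
013ed780 df 5e a7 b0 00 4a 87 8c 6d 0c 21 5c df 5e 00 00
013ed790 df 5e a7 b0 00 00 00 7c 00 00 00 00 01 47 d3 60
013ed7a0 00 00 00 01 00 00 00 00 00 d2 6e 70 df 5e a7 b0
013ed7b0 df 5e a7 e0 00 4a 95 fc 00 c9 66 bc 00 00 00 00
"""
# Assumption: dump-line address = frame virtual address - this constant
# (from pairing back chain 0xdf5ea740 in the post with dump line 013ed740).
VA_TO_DUMP_DELTA = 0xDF5EA740 - 0x013ED740
# Function starts reconstructed from the post's objdump excerpts
# (e.g. 0x4a878c is intr_event_schedule_thread+0xd0, so it starts at 0x4a86bc).
SYMBOLS = {
    0x53583C: "sched_add",
    0x4A86BC: "intr_event_schedule_thread",
    0x4A94E8: "intr_event_handle",
}

def parse_dump(text):
    """Turn 'addr b0 b1 ... b15' lines into a {dump_address: byte} map."""
    mem = {}
    for line in text.splitlines():
        m = re.match(r"([0-9a-f]{8})((?: [0-9a-f]{2}){1,16})", line)
        if m:
            base = int(m.group(1), 16)
            for i, b in enumerate(m.group(2).split()):
                mem[base + i] = int(b, 16)
    return mem

def read_word(mem, addr):
    """Big-endian 32-bit load, or None if any byte lies outside the dump."""
    try:
        return int.from_bytes(bytes(mem[addr + i] for i in range(4)), "big")
    except KeyError:
        return None

def symbolize(addr):
    """ddb-style sym+off using the nearest preceding symbol."""
    base = max((s for s in SYMBOLS if s <= addr), default=None)
    if base is None:
        return "0x%x" % addr
    return "%s+0x%x" % (SYMBOLS[base], addr - base)

def walk_frames(mem, frame_va, max_frames=16):
    """Follow back chains (word 0), collecting each frame's saved LR (word 1)."""
    out = []
    while len(out) < max_frames:
        dump_addr = frame_va - VA_TO_DUMP_DELTA
        back_chain = read_word(mem, dump_addr)
        saved_lr = read_word(mem, dump_addr + 4)
        if back_chain is None or saved_lr is None:
            break  # next frame is outside the captured region
        out.append(symbolize(saved_lr))
        frame_va = back_chain
    return out
```

Running `walk_frames(parse_dump(DUMP), 0xDF5EA740)` reproduces the three labels the post attaches to those frames, and the walk stops where the sample dump ends.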