-
Notifications
You must be signed in to change notification settings - Fork 140
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
vi with no filename faults with access fault #17
Comments
Notes for debugging this: Weird the crash appears to be in
convert the address of Side-note: I can repro, but vi still generally works. Hmm |
In my case, there is no buildroot directory since I cheated and used your DownloadedImage. Happy to |
Correct. I guess I'm just saying I don't know if there's a quick avenue to solving this and it may be a bug in busybox or the kernel? |
The default buildroot configs do not appear to select vi. The configs/buildroot_config points at busybox-minimal.config. Wondering what the 'DownloadedImage' used for busybox config? There are several busybox config files in the source tree but guessing its the one in config/busybox_config. If so, the next step is to reconfigure buildroot with it to include vi, build it and see if it faults.. At least then all the addresses should match the source.. |
I'm also kinda interested in this problem... As vi has been crashing all the time in my attempts(no matter on early version kernel with manually patched flat binary loader, QEMU, or real hardware). |
Ok, in order to restore vi into the built image, I changed line 498 of configs/buildroot_config from: I then confirmed vi is now in the image and I get the same error (at a different address). 133.742286] Oops - load access fault [#1] At epc we see: 000e7ccc <.L754>: At ra, we see: which makes no sense to me since there is no jal near there. Does sp look ok? The kernel dump is here |
I'm glad that we are at least seeing consistent faults. |
I am wondering if we should make the kernel configurations non-relocatable, so that all the addresses will line up perfectly, like so no address translation has to be done between the |
I verified that vi initializes without a filename with -H option. That means it loads ok and thinking something with the filename parameter. So, did a quick look in buildroot/output/busybox-1.35.0/editors/vi.c to see whats different about initializing with a filename vs without one and thought there might be some tricky stuff associated with the option ENABLE_FEATURE_VI_ASK_TERMINAL owing to the comment #if ENABLE_FEATURE_VI_ASK_TERMINAL So, I disabled the corresponding FEATURE in busybox_config (which turns off this ENABLE) and recompiled but with no improvement. Sad face. A few lines later, a call is made to init_text_buffer(fn) where fn is presumably NULL. That function does a system call to "open" with first parameter null, but I think thats ok. It should just return with an error, which is tested. So nothing obvious by inspection. Otherwise, I'm trying to get my bearings on how to debug something like this. I'm guessing that busybox invocation is relocated into available memory (given no mmu) and that executable periodically calls into kernel functions, one of which is failing. So this fault is happening within a kernel call after busybox is loaded. Is there any way to predict where busybox is loading to so that the simulator can be edited to single step once it reaches that address? Maybe there is a known address when the shell finishes loading some executable (like another copy of busybox). From there, its fairly straightforward to get a busybox compile time assembly listing, but org'd at 0 of course. The alternative is to start dbg-printing within busybox to better isolate which function is causing the problem. Basically, do a better job than visual inspection. I personally dont think relocating the kernel helps so much since its not too hard to predict the address in either domain. |
I've located the location of the trap within the kernel function "strncpy_from_user" with the following call stack: do_se_sys_openat() 000f4e4c <strncpy_from_user>: 000f4e64 <.L19>: 000f4e68 <.L1>: 000f4e74 <.L3>: 000f4e84 <.L4>: 000f4ea4 <.L6>: 000f4eac <.L5>: 000f4eb0 <.L16>: 000f4ebc <.L15>: The technique for tracing this was: busybox function: file_insert() which calls c lib function open with fn=NULL It should be legal to do that but maybe some RISCV adaption of the open system call has a problem with this? But its hard to confirm since busybox is in userspace and we dont have gdb there. |
Added some traceback code to mini-rv32 and traced back from the fault into userspace. The fault is triggered starting inside busybox vi.c file_insert() function at the call to fopen: The problem is that the current nommu configuration of linux (with CONFIG_UACCESS_MEMCPY) does not check for invalid pointers. In this case, __get_user_fn() in linux-5.19/include/asm-generic/uaccess.h happily fetches from 0 which is causing the fault. This can easily be fixed by adding a line to the top of the function (after BUILD_BUG_ON line):
which is not a good solution for several reasons: (1) its not specific to this config, (2) it doesnt check any other invalid pointer range, (3) since its inline this adds for every instance of it, and I count 48 in the kernel and (4) there is a put version of this function that is unresolved. So its just a test hack. I reason that the 2nd point is maybe ok because one would need to purposefully override the char * type to send in a filename of value integer "1", for example, whereas setting a string to NULL is common practice. Anyway, noticed other problems while working thru this. For example, when I used vi to actually write a file x.x with a couple of test characters, it saved it with a file size of 34359738368 and hangs busybox if you attempt to 'cat' the file (for example). I'm double checking this happens with the unmodified version.. |
Do you know if there is a way of addressing this in the emulator? I.e. a different way to throw an access violation? |
After
$ make testdlimage
I login to Linux (amazing!) and then attempt to run vi:
~ # vi
11.662352] Oops - load access fault [#1]
[ 11.662595] CPU: 0 PID: 29 Comm: vi Not tainted 5.18.0 #7
[ 11.662919] Hardware name: riscv-minimal-nommu,qemu (DT)
[ 11.663180] epc : 0x800d9088
[ 11.663341] ra : 0x80081f20
[ 11.663496] epc : 800d9088 ra : 80081f20 sp : 807a1e90
[ 11.663860] gp : 802cf420 tp : 807aa000 t0 : 807a1dfc
[ 11.664181] t1 : 809af010 t2 : 80998c24 s0 : 807a1ea0
[ 11.664505] s1 : 809af000 a0 : 00000ff0 a1 : 00000000
[ 11.664808] a2 : 00000ff0 a3 : 00000000 a4 : 00000122
[ 11.665091] a5 : 00000ff0 a6 : 00000ff0 a7 : 00000000
[ 11.665374] s2 : 00000000 s3 : 807a1f38 s4 : 00000000
[ 11.665656] s5 : 00000000 s6 : 802d0000 s7 : 00001000
[ 11.665939] s8 : 00000000 s9 : 809aee78 s10: 0000000e
[ 11.666284] s11: 00000000 t3 : fefefeff t4 : 80808080
[ 11.666588] t5 : 00000800 t6 : 00000025
[ 11.666825] status: 00001880 badaddr: 00000001 cause: 00000005
[ 11.667207] ---[ end trace 0000000000000000 ]---
Segmentation fault
~ #
This does not happen if a filename is specified, e.g.
vi x.x
The text was updated successfully, but these errors were encountered: