[FAQ14614]如何用MMU保护buddy system?
[DESCRIPTION]
Memory corruption如何解决/预防?这种问题通常都很难debug,需要多次调试甚至借助jtag分析问题。
踩坏的当下,系统不一定发生崩溃,有可能踩坏的memory是别人用的,只有别人在使用那块memory时才有可能发生异常。
但如果踩的memory是不可访问的(比如被MMU设置为不可读写),那么直接就发生崩溃了。这样的问题就很轻易抓到。
可惜kernel除了vmalloc等基本都是一一映射,很少有空洞。
但实际上我们可以利用MMU包含buddy system未分配出去的内存,将其设置为不可读写,这样系统中就存在很多空洞,就更加容易抓到问题点。
[SOLUTION]
注意:该方法仅适合<=3.10和3.18的内核版本。
<=kernel-3.10的ARM32部分
1. 需打开CONFIG_DEBUG_RODATA(KK及之后版本默认打开了),修改low memory映射,使页表2级化:
1. 需打开CONFIG_DEBUG_RODATA(KK及之后版本默认打开了),修改low memory映射,使页表2级化:
alps/kernel/arch/arm/mm/mmu.c:
[C/C++] hide
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
static
void
__init map_lowmem(
void
)
{
......
#ifdef CONFIG_DEBUG_RODATA
start = __pa(_stext) & PMD_MASK;
end = ALIGN(
/*__pa(__end_rodata)*/
arm_lowmem_limit
/* 3.4的kernel是lowmem_limit */
, PMD_SIZE);
// modify this line
map.pfn = __phys_to_pfn(start);
map.
virtual
= __phys_to_virt(start);
map.length = end - start;
map.type = MT_MEMORY;
create_mapping(&map,
true
);
#endif
|
2. 扩展mmu设置接口,在alps/kernel/arch/arm/mm/mmu.c添加以下代码:
[C/C++] hide
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
int
pte_set_invalid(pte_t *ptep, pgtable_t token, unsigned
long
addr,
void
*data)
{
set_pte_ext(ptep, pte_val(*ptep)&~L_PTE_PRESENT, 0);
return
0;
}
int
pte_set_valid(pte_t *ptep, pgtable_t token, unsigned
long
addr,
void
*data)
{
set_pte_ext(ptep, pte_val(*ptep)|L_PTE_PRESENT, 0);
return
0;
}
int
pte_set_rdonly(pte_t *ptep, pgtable_t token, unsigned
long
addr,
void
*data)
{
set_pte_ext(ptep, pte_val(*ptep)|L_PTE_RDONLY, 0);
return
0;
}
|
kernel-3.18的ARM32部分
1. 需关闭CONFIG_DEBUG_RODATA,分裂页表,使页表2级化,添加如下代码到alps/kernel/arch/arm/mm/mmu.c:
[C/C++] hide
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
static
void
split_pgtable(
void
)
{
const
unsigned
long
end = (unsigned
long
)__va(arm_lowmem_limit);
unsigned
long
virt = PAGE_OFFSET, pgd_end, pud_end;
phys_addr_t phys;
pgprot_t prot;
pgd_t *pgd;
pud_t *pud;
pmd_t *pmd;
pte_t *pte;
int
i;
pgd = pgd_offset_k(virt);
do
{
pgd_end = pgd_addr_end(virt, end);
if
(pgd_none(*pgd)) {
/* bypass */
virt = pgd_end;
continue
;
}
pud = pud_offset(pgd, virt);
do
{
pud_end = pud_addr_end(virt, pgd_end);
if
(pud_none(*pud)) {
/* bypass */
virt = pud_end;
continue
;
}
pmd = pmd_offset(pud, virt);
do
{
virt = pmd_addr_end(virt, pud_end);
if
((pmd_val(*pmd)&PMD_TYPE_MASK) != PMD_TYPE_SECT)
/* section */
continue
;
pte = __va(memblock_alloc(PTE_HWTABLE_OFF + PTE_HWTABLE_SIZE, PTE_HWTABLE_OFF + PTE_HWTABLE_SIZE));
phys = pmd_val(*pmd)&PMD_MASK&PHYS_MASK;
prot = mem_types[MT_MEMORY_RWX].prot_pte;
if
(pmd_val(*pmd)&PMD_SECT_XN)
prot |= L_PTE_XN;
for
(i = 0; i < PTRS_PER_PTE; phys += PAGE_SIZE, i++) {
set_pte_ext(&pte[i], __pte(phys|prot), 0);
}
__pmd_populate(pmd, __pa(pte), PMD_TYPE_TABLE|(pmd_val(*pmd)&(PMD_PROTECTION|PMD_DOMAIN(0xF))));
}
while
(pmd++, virt != pud_end);
}
while
(pud++, virt != pgd_end);
}
while
(pgd++, virt != end);
}
int
pte_set_invalid(pte_t *ptep, pgtable_t token, unsigned
long
addr,
void
*data)
{
set_pte_ext(ptep, pte_val(*ptep)&~L_PTE_PRESENT, 0);
return
0;
}
int
pte_set_valid(pte_t *ptep, pgtable_t token, unsigned
long
addr,
void
*data)
{
set_pte_ext(ptep, pte_val(*ptep)|L_PTE_PRESENT, 0);
return
0;
}
int
pte_set_rdonly(pte_t *ptep, pgtable_t token, unsigned
long
addr,
void
*data)
{
set_pte_ext(ptep, pte_val(*ptep)|L_PTE_RDONLY, 0);
return
0;
}
|
2. 在alps/kernel/arch/arm/mm/mmu.c的map_lowmem()
最后调用split_pgtable():
[C/C++] hide
|
1
2
3
4
5
6
7
8
9
|
static
void
__init map_lowmem(
void
)
{
......
split_pgtable();
// add this line
}
|
3. 修改alps/kernel/init/main.c,使其调用mark_rodata_ro()函数:
[C/C++] hide
|
1
2
3
4
5
6
7
|
#ifndef CONFIG_DEBUG_RODATA
// static inline void mark_rodata_ro(void) {}/* mark this line */
extern
void
mark_rodata_ro(
void
);
// add this line
#endif
|
kernel-3.10和kernel-3.18的ARM64部分
1. 需打开CONFIG_DEBUG_RODATA(M0及之前版本则需关闭CONFIG_DEBUG_RODATA),分裂页表,使页表3级化,添加如下代码到alps/kernel/arch/arm64/mm/mmu.c:
[C/C++] hide
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
static
void
split_pgtable(
void
)
{
const
unsigned
long
end = ~(unsigned
long
)0;
unsigned
long
virt = PAGE_OFFSET, pgd_end, pud_end;
phys_addr_t phys;
pgprot_t prot;
pgd_t *pgd;
pud_t *pud;
pmd_t *pmd;
pte_t *pte;
int
i;
pgd = pgd_offset_k(virt);
do
{
pgd_end = pgd_addr_end(virt, end);
if
(pgd_none(*pgd)) {
/* bypass */
virt = pgd_end;
continue
;
}
pud = pud_offset(pgd, virt);
do
{
pud_end = pud_addr_end(virt, pgd_end);
if
(pud_none(*pud)) {
/* bypass */
virt = pud_end;
continue
;
}
if
((pud_val(*pud)&3) == 1) {
/* section */
pmd = __va(memblock_alloc(PTRS_PER_PMD *
sizeof
(pmd_t), PTRS_PER_PMD *
sizeof
(pmd_t)));
phys = pud_val(*pud)&PUD_MASK&PHYS_MASK;
prot = __pgprot(pud_val(*pud)^phys);
for
(i = 0; i < PTRS_PER_PMD; phys += PMD_SIZE, i++) {
__pmd_populate(&pmd[i], phys, prot);
}
pud_populate(&init_mm, pud, pmd);
}
pmd = pmd_offset(pud, virt);
do
{
virt = pmd_addr_end(virt, pud_end);
if
((pmd_val(*pmd)&PMD_TYPE_MASK) != PMD_TYPE_SECT)
/* section */
continue
;
pte = __va(memblock_alloc(PTRS_PER_PTE *
sizeof
(pte_t), PTRS_PER_PTE *
sizeof
(pte_t)));
phys = pmd_val(*pmd)&PMD_MASK&PHYS_MASK;
prot = __pgprot(((pmd_val(*pmd)^phys)&~PMD_TYPE_MASK)|PTE_TYPE_PAGE);
for
(i = 0; i < PTRS_PER_PTE; phys += PAGE_SIZE, i++) {
set_pte(&pte[i], __pte(phys|prot));
}
__pmd_populate(pmd, __pa(pte), PMD_TYPE_TABLE);
}
while
(pmd++, virt != pud_end);
}
while
(pud++, virt != pgd_end);
}
while
(pgd++, virt != end);
}
int
pte_set_invalid(pte_t *ptep, pgtable_t token, unsigned
long
addr,
void
*data)
{
set_pte(ptep, pte_val(*ptep)&~PTE_VALID);
return
0;
}
int
pte_set_valid(pte_t *ptep, pgtable_t token, unsigned
long
addr,
void
*data)
{
set_pte(ptep, pte_val(*ptep)|PTE_VALID);
return
0;
}
int
pte_set_rdonly(pte_t *ptep, pgtable_t token, unsigned
long
addr,
void
*data)
{
set_pte(ptep, pte_val(*ptep)|PTE_RDONLY);
return
0;
}
|
2. 在alps/kernel/arch/arm64/mm/mmu.c的paging_init()里调用split_pgtable(),比如放在map_mem()及fixup_executable()之后:
[C/C++] hide
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
void
__init paging_init(
void
)
{
void
*zero_page;
map_mem();
fixup_executable();
//3.10无此函数
split_pgtable();
// add this line
}
|
3. 修改alps/kernel/init/main.c,使其调用mark_rodata_ro()函数:
[C/C++] hide
|
1
2
3
4
5
6
7
|
#ifndef CONFIG_DEBUG_RODATA
// static inline void mark_rodata_ro(void) {}/* mark this line */
extern
void
mark_rodata_ro(
void
);
// add this line
#endif
|
通用部分
1. 在alps/kernel/mm/page_alloc.c文件里buddy system的分配和释放添加MMU设置api:
[C/C++] hide
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
#if 1 /* add this block */
int
set_memory_invalid(unsigned
long
addr,
int
numpages)
{
extern
int
pte_set_invalid(pte_t *ptep, pgtable_t token, unsigned
long
addr,
void
*data);
const
unsigned
long
size = PAGE_SIZE * numpages;
apply_to_page_range(&init_mm, addr, size, pte_set_invalid, NULL);
flush_tlb_kernel_range(addr, addr + size);
return
0;
}
EXPORT_SYMBOL(set_memory_invalid);
int
set_memory_valid(unsigned
long
addr,
int
numpages)
{
extern
int
pte_set_valid(pte_t *ptep, pgtable_t token, unsigned
long
addr,
void
*data);
const
unsigned
long
size = PAGE_SIZE * numpages;
apply_to_page_range(&init_mm, addr, size, pte_set_valid, NULL);
flush_tlb_kernel_range(addr, addr + size);
return
0;
}
EXPORT_SYMBOL(set_memory_valid);
__weak
void
mark_rodata_ro(
void
)
{
extern
int
pte_set_rdonly(pte_t *ptep, pgtable_t token, unsigned
long
addr,
void
*data);
extern
char
_stext[], _etext[];
const
unsigned
long
start = PAGE_ALIGN((unsigned
long
)_stext);
const
unsigned
long
size = PAGE_ALIGN((unsigned
long
)_etext) - start;
apply_to_page_range(&init_mm, start, size, pte_set_rdonly, NULL);
|