Opened 5 years ago

Last modified 4 years ago

#14712 assigned bug

userland tries to clone random (?) kernel areas

Reported by: ttcoder
Owned by: leavengood
Priority: normal
Milestone: Unscheduled
Component: Servers/media_addon_server
Version: R1/Development
Keywords:
Cc:
Blocked By:
Blocking:
Platform: All

Description

KERN: PANIC: attempting to clone kernel area "acpi_physical_mem_area" (281)!
  • Just had another continuable "attempting to clone kernel area "acpi_physical_mem_area""
  • Coming on the heels of "attempting to clone kernel area "dpc: normal priority_14_kstack"" a few days ago in ticket:14266#comment:9

Second time I managed to reproduce this KDL, in 6 or 7 cold boots; so probably worth filing a ticket.

Steps that work for me:

  • boot to a USB stick installed with hrev52539
  • And then, as quickly as possible,
  • right-click net replicant, select liveb net
  • paste password, enter
  • wait 2-3 seconds

This time I remembered to "dis" at the KDL prompt. Seems the first dis disassembled the commpage stuff, which is probably not that useful; so I looked for the media kit code instead. See below.

Not sure whether to file against kernel or wifi or hda?

Change History (5)

comment:1 by ttcoder, 5 years ago

Syslog tail:

KERN: [net/iprowifi4965/0] ieee80211_ref_node (ieee80211_send_mgmt:2245) 0xde7d0000<d0:ae:ec:3e:a9:b0> refcnt 3
KERN: /dev/net/iprowifi4965/0: media change, media 0x600a0 quality 1000 speed 1000000000
KERN: [net/iprowifi4965/0] ieee80211_new_state_locked: AUTH -> SCAN (nrunning 0 nscanning 0)
KERN: [net/iprowifi4965/0] ieee80211_newstate_cb: AUTH -> SCAN arg 1
KERN: [net/iprowifi4965/0] sta_newstate: AUTH -> SCAN (1)
KERN: cx23882: init_hardware()
KERN: PANIC: attempting to clone kernel area "acpi_physical_mem_area" (281)!
KERN: Welcome to Kernel Debugging Land...
KERN: Thread 766 "HD Audio control" running on CPU 2
KERN: stack trace for thread 766 "HD Audio control"
KERN:     kernel stack: 0x827f8000 to 0x827fc000
KERN:       user stack: 0x7986b000 to 0x798ab000
KERN: frame               caller     <image>:function + offset
KERN:  0 827fbd48 (+  32) 8014ea8e   <kernel_x86> arch_debug_stack_trace + 0x12
KERN:  1 827fbd68 (+  16) 800a900f   <kernel_x86> stack_trace_trampoline(NULL) + 0x0b
KERN:  2 827fbd78 (+  12) 80140222   <kernel_x86> arch_debug_call_with_fault_handler + 0x1b
KERN:  3 827fbd84 (+  48) 800aab37   <kernel_x86> debug_call_with_fault_handler + 0x5b
KERN:  4 827fbdb4 (+  64) 800a922b   <kernel_x86> kernel_debugger_loop(0x80192697 "PANIC: ", 0x801a7a80 "attempting to clone kernel area "%s" (%ld)!", 0x827fbe60 ....", int32: 2) + 0x217
KERN:  5 827fbdf4 (+  48) 800a95a7   <kernel_x86> kernel_debugger_internal(0x80192697 "PANIC: ", 0x801a7a80 "attempting to clone kernel area "%s" (%ld)!", 0x827fbe60 ....., int32: 2) + 0x53
KERN:  6 827fbe24 (+  48) 800aaec2   <kernel_x86> panic + 0x3a
KERN:  7 827fbe54 (+ 128) 8012106f   <kernel_x86> vm_clone_area + 0x1cb
KERN:  8 827fbed4 (+ 112) 80128d4b   <kernel_x86> _user_clone_area + 0xa3
KERN:  9 827fbf44 (+ 100) 80142def   <kernel_x86> handle_syscall + 0xdc
KERN: user iframe at 0x827fbfa8 (end = 0x827fc000)
KERN:  eax 0xc9          ebx 0x2070330      ecx 0x798a661c  edx 0x6128e114
KERN:  esi 0x798a66cc    edi 0x798a66f8     ebp 0x798a6658  esp 0x827fbfdc
KERN:  eip 0x6128e114 eflags 0x3202    user esp 0x798a661c
KERN:  vector: 0x63, error code: 0x0
KERN: 10 827fbfa8 (+   0) 6128e114   <commpage> commpage_syscall + 0x04
KERN: 11 798a6658 (+ 160) 024f29e0   <libmedia.so> __7BBufferRC17buffer_clone_info + 0x1bc
KERN: 12 798a66f8 (+ 128) 025265e7   <libmedia.so> BPrivate::BufferCache<0x18700108>::GetBuffer(int32: 1) + 0xa7
KERN: 13 798a6778 (+ 640) 024f3d01   <libmedia.so> BBufferConsumer<0x187245f8>::HandleMessage(int32: 774, 0x798a6a38, uint32: 0xc8 (200)) + 0x1a5
KERN: 14 798a69f8 (+16448) 02504273   <libmedia.so> BMediaNode<0x18724c74>::WaitForMessage(int64: 9223372036854749042, uint32: 0x0 (0), NULL) + 0x1e7
KERN: 15 798aaa38 (+ 208) 024feca4   <libmedia.so> BMediaEventLooper<0x187246dc>::ControlLoop() + 0x254
KERN: 16 798aab08 (+  64) 024ff0eb   <libmedia.so> BMediaEventLooper<0x187246dc>::_ControlThreadStart(NULL) + 0x37
KERN: 17 798aab48 (+  48) 01fc2a7f   <libroot.so> _get_next_team_info (nearest) + 0x5f
KERN: 18 798aab78 (+   0) 6128e258   <commpage> commpage_thread_exit + 0x00
KERN: kdebug> kdebug> dbusage: dl/dw/ds/db/string [-p|--physical] <address> [num]
KERN: 	dl - 8 bytes
KERN: 	dw - 4 bytes
KERN: 	ds - 2 bytes
KERN: 	db - 1 byte
KERN: 	string - a whole string
KERN:   -p or --physical only allows memory from a single page to be displayed.
KERN: kdebug> db -4usage: dl/dw/ds/db/string [-p|--physical] <address> [num]
KERN: 	dl - 8 bytes
KERN: 	dw - 4 bytes
KERN: 	ds - 2 bytes
KERN: 	db - 1 byte
KERN: 	string - a whole string
KERN:   -p or --physical only allows memory from a single page to be displayed.
KERN: kdebug> db -4[K[5D[Kd
KERN:   daemons       db            devfs_cookie  devfs_node    dis           dl            dm_tree       dma_buffer    drop          ds            dw
KERN: kdebug> dis
KERN: 0x6128e114:               c3	ret
KERN: 0x6128e115:             0000	add %al, (%eax)
KERN: 0x6128e117:           005657	add %dl, 0x57(%esi)
KERN: 0x6128e11a:         8b7c240c	mov 0xc(%esp), %edi
KERN: 0x6128e11e:             89f8	mov %edi, %eax
KERN: 0x6128e120:         8b742410	mov 0x10(%esp), %esi
KERN: 0x6128e124:         8b4c2414	mov 0x14(%esp), %ecx
KERN: 0x6128e128:             85c9	test %ecx, %ecx
KERN: 
KERN: [*** READ FAULT at 0x0, pc: 0x8005f024 ***]
KERN: kdebug> dis[K h[1D[1D66[1D[1D[1D[1D--helpusage: dis [ -b <back count> ] [ <address>  [ <count> ] ]
KERN: Prints disassembly at address.
KERN:   <address>        - Address at which to start disassembling
KERN:                      (defaults to current PC).
KERN:   <count>          - Number of instructions to disassemble
KERN:                      starting at <address>.
KERN:   -b <back count>  - Number of instruction to disassemble before
KERN:                      <address>.
KERN: kdebug> dis 0x024f29e0
KERN: 0x024f29e0:           8b5508	mov 0x8(%ebp), %edx
KERN: 0x024f29e3:     8982c4000000	mov %eax, 0xc4(%edx)
KERN: 0x024f29e9:           83c420	add $0x20, %esp
KERN: 0x024f29ec:             85c0	test %eax, %eax
KERN: 0x024f29ee:             7d6c	jge __7BBufferRC17buffer_clone_info+568
KERN: 0x024f29f0:           83c4f8	add $0xfffffff8, %esp
KERN: 0x024f29f3:     8d8334a9fdff	lea -0x256cc(%ebx), %eax
KERN: 0x024f29f9:               50	push %eax
KERN: 0x024f29fa:     8b8380080000	mov 0x880(%ebx), %eax
KERN: 0x024f2a00:             8b00	mov (%eax), %eax
KERN: kdebug> co766: DEBUGGER: BufferCache::GetBuffer: IDs mismatch
KERN: wlan_control: 9234, 21
KERN: [net/iprowifi4965/0] [d0:ae:ec:3e:a9:b0] station deauth via MLME (reason: 3 (sending STA is leaving/has left IBSS or ESS))
KERN: [net/iprowifi4965/0] ieee80211_new_state_locked: SCAN -> INIT (nrunning 0 nscanning 0)
KERN: [net/iprowifi4965/0] ieee80211_newstate_cb: SCAN -> INIT arg 3
KERN: [net/iprowifi4965/0] sta_newstate: SCAN -> INIT (3)
KERN: [net/iprowifi4965/0] node_reclaim: remove 0xde7d0000<d0:ae:ec:3e:a9:b0> from station table, refcnt 1
KERN: [net/iprowifi4965/0] ieee80211_alloc_node 0xde2e4000<00:23:14:97:51:7c> in station table
KERN: [net/iprowifi4965/0] [00:23:14:97:51:7c] ieee80211_alloc_node: inact_reload 2
KERN: wlan_control: 9234, 25
KERN: wlan_control: 9234, 95
KERN: wlan_control: 9234, 17
KERN: wlan_control: 9234, 26
KERN: wlan_close(0x829f3800)
KERN: [net/iprowifi4965/0] stop running, 1 vaps running
KERN: [net/iprowifi4965/0] ieee80211_new_state_locked: INIT -> INIT (nrunning 0 nscanning 0)
KERN: [net/iprowifi4965/0] down parent 
KERN: [net/iprowifi4965/0] ieee80211_newstate_cb: INIT -> INIT arg -1
KERN: debug_server: Thread 766 entered the debugger: Debugger call: `BufferCache::GetBuffer: IDs mismatch'
KERN: [net/iprowifi4965/0] sta_newstate: INIT -> INIT (-1)
KERN: wlan_control: 9234, 95
KERN: wlan_control: 9234, 17
KERN: wlan_control: 9234, 26
KERN: wlan_control: 9234, 16
KERN: stack trace, current PC 0x6128e114  commpage_syscall + 0x4:
KERN:   (0x798a66f8)  0x2526688  GetBuffer__Q28BPrivate11BufferCachel + 0x148
KERN:   (0x798a6778)  0x24f3d01  HandleMessage__15BBufferConsumerlPCvUl + 0x1a5
KERN:   (0x798a69f8)  0x2504273  WaitForMessage__10BMediaNodexUlPv + 0x1e7
KERN:   (0x798aaa38)  0x24feca4  ControlLoop__17BMediaEventLooper + 0x254
KERN:   (0x798aab08)  0x24ff0eb  _ControlThreadStart__17BMediaEventLooperPv + 0x37
KERN:   (0x798aab48)  0x1fc2a7f  thread_entry + 0x23
KERN: debug_server: Killing team 655 (/boot/system/servers/media_addon_server)
KERN: hda: buffer_exchange: Error waiting for playback buffer to finish (Interrupted system call)!
KERN: hda_stream_stop()
Last message repeated 1 time
KERN: remove_memory_type_range(10319, 0xf2620000, 0x4000, 0)
KERN: set MTRRs to:
KERN:   mtrr:  0: base: 0xbb600000, size:   0x100000, type: 0
KERN:   mtrr:  1: base: 0xbb770000, size:    0x10000, type: 0
KERN:   mtrr:  2: base: 0xbb780000, size:    0x80000, type: 0
KERN:   mtrr:  3: base: 0xe0000000, size: 0x20000000, type: 0
KERN:   mtrr:  4: base: 0xc0000000, size: 0x40000000, type: 1
KERN: debug_server: TeamDebugHandler::Init(): Failed to get info for team 655: Operation on invalid team
KERN: debug_server: KillTeam(): Error getting info for team 655: Operation on invalid team
KERN: debug_server: Killing team 655 ()
KERN: usb_disk: operation 0x35 failed at the SCSI level
Last message repeated 1 time
KERN: wlan_control: 9235, 15
KERN: wlan_control: 9235, 76
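
For triage, the trace above can be reduced to four facts: the area being cloned, the thread, the syscall entry point, and the first userland frames behind it. This is an added example and not part of the ticket; the sample lines are abridged from the syslog in comment:1, and the function name `triage` and the report keys are made up for illustration.

```python
import re

ANSI = re.compile(r"\x1b?\[\d*m")   # colour codes; the ESC byte may be lost in a paste
AREA = re.compile(r'PANIC: attempting to clone kernel area "(.+)" \((\d+)\)!')
THREAD = re.compile(r'Thread (\d+) "([^"]+)" running on CPU')
FRAME = re.compile(r"^\s*\d+ [0-9a-f]{8} \(\+\s*\d+\) [0-9a-f]{8}\s+<([^>]+)> (.+) \+ 0x[0-9a-f]+$")

# Abridged from the syslog in comment:1 (frame 12 keeps its colour-code residue).
SAMPLE = '''\
KERN: PANIC: attempting to clone kernel area "acpi_physical_mem_area" (281)!
KERN: Thread 766 "HD Audio control" running on CPU 2
KERN:  6 827fbe24 (+  48) 800aaec2   <kernel_x86> panic + 0x3a
KERN:  7 827fbe54 (+ 128) 8012106f   <kernel_x86> vm_clone_area + 0x1cb
KERN:  8 827fbed4 (+ 112) 80128d4b   <kernel_x86> _user_clone_area + 0xa3
KERN:  9 827fbf44 (+ 100) 80142def   <kernel_x86> handle_syscall + 0xdc
KERN: 10 827fbfa8 (+   0) 6128e114   <commpage> commpage_syscall + 0x04
KERN: 11 798a6658 (+ 160) 024f29e0   <libmedia.so> __7BBufferRC17buffer_clone_info + 0x1bc
KERN: 12 798a66f8 (+ 128) 025265e7   <libmedia.so> BPrivate::BufferCache<[32m0x18700108[0m>::GetBuffer(int32: [34m1[0m) + 0xa7
'''.splitlines()

def triage(lines):
    """Summarise a 'clone kernel area' panic: area, thread, syscall, user frames."""
    report = {"area": None, "thread": None, "syscall": None, "user_frames": []}
    for raw in lines:
        line = ANSI.sub("", raw)
        line = line[len("KERN: "):] if line.startswith("KERN: ") else line
        frame = FRAME.match(line)
        if frame:
            image, function = frame.groups()
            if image.startswith("kernel_"):
                # The page's trace shows the syscall entry as _user_clone_area.
                if function.startswith("_user_") and report["syscall"] is None:
                    report["syscall"] = function
            elif image != "commpage":
                report["user_frames"].append((image, function))
            continue
        if (m := AREA.search(line)) and report["area"] is None:
            report["area"] = (m.group(1), int(m.group(2)))
        elif (m := THREAD.search(line)) and report["thread"] is None:
            report["thread"] = (int(m.group(1)), m.group(2))
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
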

comment:2 by waddlesplash, 5 years ago

This is likely either a HDA driver or Media Kit bug. Somehow it's getting a bogus/random area_id and trying to clone it.

comment:3 by leavengood, 5 years ago

Component: changed from System/Kernel to Servers/media_addon_server
Owner: changed from nobody to leavengood
Status: changed from new to assigned

This seems related to #12448. It is definitely not a kernel bug. Switching to media_addon_server for now.

ttcoder: does this system also have firewire?

comment:4 by ttcoder, 5 years ago

@leavengood: Not sure how to determine that -- It's a hardware port that looks like a USB port, right? My T410 has something like that on the left side. Or maybe I can grep the output of drivers from "listimage", or "listdev", or syslog?


comment:5 by ttcoder, 4 years ago

Thought I'd update this ticket for completeness' sake (what with my newfound knowledge about this laptop <g>). So the strange port on the left side is indeed a FireWire port @leavengood.

I don't remember reading about anyone using Haiku's firewire add-on... What does it do exactly, can it corrupt kernel memory, or is it a pure user-space component?
