Paging triple-fault

[Kaius]

Hello everyone. I've recently finished a bitmap kmalloc function, that will return a void pointer to a 4 KiB-aligned page for the process to use. I've decided to move on to paging and virtual memory, but my first few attempts have all resulted in a triple-fault.

As a test, I just wanted to create a sort of "passthrough", where the virtual address is the same as its corresponding physical address. My code is below, is there something I'm missing?

Code: Select all

#include <stdint.h>
#include <stddef.h>
#include <lib/mem.h>
#include <multiboot.h>
#include <drivers/vga.h>
#include <lib/panic.h>

typedef struct {
  unsigned int p    : 1;  //     0: Present
  unsigned int rw   : 1;  //     1: Read/Write
  unsigned int us   : 1;  //     2: User/Supervisor
  unsigned int pwt  : 1;  //     3: Write-Through
  unsigned int pcd  : 1;  //     4: Cache Disable
  unsigned int a    : 1;  //     5: Accessed
  unsigned int avl0 : 1;  //     6: AVAILABLE
  unsigned int ps   : 1;  //     7: Page Size (0)
  unsigned int avl1 : 4;  //  8-11: AVAILABLE
  unsigned int addr : 20; // 12-31: Address
} dir_entry;

typedef struct {
  unsigned int p    : 1;  //     0: Present
  unsigned int rw   : 1;  //     1: Read/Write
  unsigned int us   : 1;  //     2: User/Supervisor
  unsigned int pwt  : 1;  //     3: Write-Through
  unsigned int pcd  : 1;  //     4: Cache Disable
  unsigned int a    : 1;  //     5: Accessed
  unsigned int d    : 1;  //     6: Dirty
  unsigned int pat  : 1;  //     7: Page Attribute Table
  unsigned int g    : 1;  //     8: Global
  unsigned int avl0 : 3;  //  9-11: AVAILABLE
  unsigned int addr : 20; // 12-31: Address
} table_entry;

dir_entry *dir;
table_entry *table;

void create_passthrough() {
  dir = kmalloc();
  table = kmalloc();
  if (!dir || !table) panic("Not enough memory to inizialize paging.");

  size_t kernel_size = &_kernel_end - &_kernel_start;
  uint16_t kernel_pages = (kernel_size + PAGE_SIZE - 1) / PAGE_SIZE;

  for (uint16_t i = 0; i < 1024; i++) {
    dir[i].p = 0;
    table[i].p = 0;
  }

  // vidmem passthrough
  dir[0] = (dir_entry) {
    .p = 1,
    .rw = 1,
    .us = 0,
    .pwt = 0,
    .pcd = 1,
    .ps = 0,
    .addr = ((uintptr_t) table >> 12) & 0xfffff
  };
  table[0] = (table_entry) {
    .p = 1,
    .rw = 1,
    .us = 0,
    .pwt = 0,
    .pcd = 1,
    .pat = 0,
    .g = 1,
    .addr = 0xb8000
  };

  // kernel passthrough
  for (uint16_t i = 1; i <= kernel_pages; i++) {
    dir[i] = (dir_entry) {
      .p = 1,
      .rw = 1,
      .us = 0,
      .pwt = 0,
      .pcd = 0,
      .ps = 0,
      .addr = ((uintptr_t) table >> 12) & 0xfffff
    };
    table[i] = (table_entry) {
      .p = 1,
      .rw = 1,
      .us = 0,
      .pwt = 0,
      .pcd = 0,
      .pat = 0,
      .g = 1,
      .addr = (_kernel_start + (i * PAGE_SIZE)) & 0xfffff
    };
  }

  // enable paging
  asm volatile (
    "mov %0, %%cr3\n\t"         // load page directory address into CR3
    "mov %%cr0, %%eax\n\t"      // copy CR0 into EAX
    "or $0x80000000, %%eax\n\t" // set the PG bit (bit 31) in EAX
    "mov %%eax, %%cr0\n\t"      // write modified value back to CR0
    :
    : "r" (dir)                 // pass in dir pointer
    : "eax"                     // clobbers EAX register
  );

  printf("Test value: %d", dir[0].addr);
}

// when this is called, it causes the triple-fault
void vmalloc_init() {
  // test function
  create_passthrough();
}

I mapped the vidmem page, as well as the kernel memory, and my OS isn't using any other peripherals currently. Is there some address range I'm missing here that's causing the triple fault? Or is it something else that I didn't do properly?

[papst]

As a test, I just wanted to create a sort of "passthrough", where the virtual address is the same as its corresponding physical address. My code is below, is there something I'm missing?

This technique is called "identity-mapping", can also be found in the wiki https://wiki.osdev.org/Identity_Paging.

Where in the function create_passthrough do you fault exactly? Is it when you load the page directory into cr3?

I suppose you use 1 GB page table granularity (first setting up the PML4, then PDPT), do you set the "Large page" (bit 7) in the PDPTEs? Otherwise the MMU would try to walk further down the page table and encounter an invalid PFN.

If PAGE_SIZE is 0x1000 (4KiB), then you would have to setup all 4 levels in the page table. PML4 -> PDPT -> PD -> PT.

[Octocontrabass]

Code: Select all

      .addr = (_kernel_start + (i * PAGE_SIZE)) & 0xfffff

More information about the triple fault would be helpful, but this line jumped out at me. Did you forget a right-shift by 12?

I suppose you use 1 GB page table granularity

You can't use 1GB pages in 32-bit mode.

[papst]

I suppose you use 1 GB page table granularity

You can't use 1GB pages in 32-bit mode.

thanks for clarifying this, I also thought OP was running in 64-bit mode at first.

[sebihepp]

Also, your structures for page_dir and page_entry might not be 32bit in size. The compiler is free to align every member on a byte boundary.
To fix that in gcc you could use

Code: Select all

struct (...)
} page_dir __attribute__ (( packed ));

[MichaelPetch]

While you did post a Github repo at the bottom of your post it doesn't seem to have any paging code like you are quoting in your question. Can you commit your latest code that fails so we can take a look at it? The one issue I did see seems to also be noted by Octo earlier.

[Kaius]

While you did post a Github repo at the bottom of your post it doesn't seem to have any paging code like you are quoting in your question. Can you commit your latest code that fails so we can take a look at it? The one issue I did see seems to also be noted by Octo earlier.

I've added the suggested changes (the "packed" attribute and the ">> 12"), still triple-faulting. I've also pushed the current state of the project to the repository below.

In the meantime, I'll try to get more details about the machine state right up to when it crashes.


(In the Github repo, the file in question is at "lib/mem/vmalloc.c")

[MichaelPetch]

Looking at your code, I'm wondering - do you understand how page mapping works in 32-bit protected mode?

[Kaius]

Looking at your code, I'm wondering - do you understand how page mapping works in 32-bit protected mode?

I think I have a pretty good understanding of how it works, unless there's something big I'm missing. I did quite a bit of research, reading relevant parts of the wiki, a few tutorials, and even part of the Intel manual that explains paging for i386 architectures.

The code is definitely a bit messy, but really I'm just trying to get paging enabled and have a working example before I branch out and start working with virtual memory. Is there anything in particular that stood out to you?

[MichaelPetch]

Assume that this is your goal:

As a test, I just wanted to create a sort of "passthrough", where the virtual address is the same as its corresponding physical address.

This is called identity mapping as has been mentioned by others.

As a simple question from your code. Assuming that `dir[0]`(page directory entry 0) points to `table` (a page table) then can you explain how this is supposed to map virtual address 0xb8000 to physical address 0xb8000:

Code: Select all

  table[0] = (table_entry) {
    .p = 1,
    .rw = 1,
    .us = 0,
    .pwt = 0,
    .pcd = 1,
    .pat = 0,
    .g = 1,
    .addr = 0xb8000  >> 12 // Michael fixed original code by adding >> 12
  };

[Kaius]

Explain how this maps virtual address 0xb8000 to physical address 0xb8000:

Code: Select all

  table[0] = (table_entry) {
    .p = 1,
    .rw = 1,
    .us = 0,
    .pwt = 0,
    .pcd = 1,
    .pat = 0,
    .g = 1,
    .addr = 0xb8000  >> 12 // Michael fixed original code by adding >> 12
  };

I'm seeing my mistake here, can't believe I missed that. (Feel free to correct me if I'm wrong), this table entry should be at index 0xB8 (184), since the bits 12-21 of the virtual address dictate where in the table to look. (The kernel section would obviously need to be updated similarly, for both the table and the directory entries).

[MichaelPetch]

Bingo . I'm actually glad you were able to answer this question. It does tell me that you do understand, but this was coded improperly.
A couple other things. You set dir[0 to 1023] all to page table `table`. I assume you know that is incorrect. To map things in the first 4MiB you only need dir[0] to map to `table`. If you need to map 4Mib to 8MiB you'd need to kmalloc a new page table and assign it to `dir[1]` and fill in the new page table accordingly. Since you don't need memory above 4MiB to start this isn't something you have to handle. If you were to change to graphics mode and use the linear frame buffer then you'd have to map it into virtual memory and it is usually in the upper half of the physical address space well beyond the first 4MiB requiring entries in `dir` page directory entries above index 0. As it is your code only relied on access to virtual memory below 4MiB so you only need to populate dir[0] with a single page table at this time. This should be changed of course to handle arbitrary virtual memory addresses anywhere in virtual address space. Adding a virtual memory manager `map_page` function that takes any virtual address and a physical address and maps them. This function would compute an index into PD (page dir); if not present allocate a new page table; point the PD entry to the page table; and fill in the PT entry with the physical address. To have it work properly in all cases you'd also have to properly handle page privileges while updating PD and PT entries.

These macros can help:

Code: Select all

#define PD_IDX(virt)((virt) >> 22)
#define PT_IDX(virt)(((virt) >> 12) & 0x3FF)

. They take a virtual address and allow you to compute an entry in the page directory and index into a page table for a given virtual address. An example:

Code: Select all

   uintptr_t vid_mem = 0xb8000;
  table[PT_IDX(vid_mem)] = (table_entry) {
    .p = 1,
    .rw = 1,
    .us = 0,
    .pwt = 0,
    .pcd = 1,
    .pat = 0,
    .g = 1,
    .addr = vid_mem >> 12             // Fixed original code by adding >> 12
  };

PT_IDX(vid_mem) would compute to 0xb8.

Some other things. I think this is in error:

Code: Select all

.addr = ((_kernel_start + (i * PAGE_SIZE)) >> 12) & 0xfffff 

. You should be using `&_kernel_start`

You will also need to map your heap into virtual memory as well or future accesses to heap memory will page fault.

[Kaius]

Thanks for the guidance so far, I really appreciate it.

I added a lot of these suggestions, but it was still triple-faulting. I ran Qemu with interrupt logging, and this is the output where it fails:

Code: Select all

    22: v=0e e=0000 i=0 cpl=0 IP=0008:002029f5 pc=002029f5 SP=0010:00208f4c CR2=00208f4c
EAX=80000011 EBX=00000004 ECX=0000380c EDX=00000020
ESI=00002000 EDI=00003000 EBP=00208f58 ESP=00208f4c
EIP=002029f5 EFL=00000086 [--S--P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0010 00000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
CS =0008 00000000 ffffffff 00cf9a00 DPL=0 CS32 [-R-]
SS =0010 00000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
DS =0010 00000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
FS =0010 00000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
GS =0010 00000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
LDT=0000 00000000 0000ffff 00008200 DPL=0 LDT
TR =0000 00000000 0000ffff 00008b00 DPL=0 TSS32-busy
GDT=     00202a7c 00000017
IDT=     00209010 00003fff
CR0=80000011 CR2=00208f4c CR3=00002000 CR4=00000000
DR0=00000000 DR1=00000000 DR2=00000000 DR3=00000000 
DR6=ffff0ff0 DR7=00000400
CCS=00000004 CCD=80000011 CCO=LOGICL
EFER=0000000000000000
check_exception old: 0xe new 0xe
    23: v=08 e=0000 i=0 cpl=0 IP=0008:002029f5 pc=002029f5 SP=0010:00208f4c env->regs[R_EAX]=80000011
EAX=80000011 EBX=00000004 ECX=0000380c EDX=00000020
ESI=00002000 EDI=00003000 EBP=00208f58 ESP=00208f4c
EIP=002029f5 EFL=00000086 [--S--P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0010 00000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
CS =0008 00000000 ffffffff 00cf9a00 DPL=0 CS32 [-R-]
SS =0010 00000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
DS =0010 00000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
FS =0010 00000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
GS =0010 00000000 ffffffff 00cf9300 DPL=0 DS   [-WA]
LDT=0000 00000000 0000ffff 00008200 DPL=0 LDT
TR =0000 00000000 0000ffff 00008b00 DPL=0 TSS32-busy
GDT=     00202a7c 00000017
IDT=     00209010 00003fff
CR0=80000011 CR2=00209080 CR3=00002000 CR4=00000000
DR0=00000000 DR1=00000000 DR2=00000000 DR3=00000000 
DR6=ffff0ff0 DR7=00000400
CCS=00000004 CCD=80000011 CCO=LOGICL
EFER=0000000000000000
check_exception old: 0x8 new 0xe
Triple fault

From what I understand:

A page fault is occurring when the CPU tries to access linear address 0x00208f4c (CR2). It just so happens that the stack pointer is also at 0x00208f4c (ESP). The disassembly shows that the instruction at 0x002029f5 (EIP) is `pop %ebx`. This is the first stack operation that occurs after paging is enabled (just two instructions earlier, "mov %eax,%cr0").

I think it's pretty obvious what's going wrong here. I haven't added any sort of paging for the stack, and that's causing a page fault. Now I have a few questions:

1. How can my kernel know where/how big the stack is? Is its starting address like the kernel's location, passed in by the linker or compiler, or is it set elsewhere?
2. Why did this still cause a triple-fault, instead of my IDT handling it and throwing a kernel panic? The IDT and IDTR itself falls within kernel memory, being right at 0x209000. Why would this lead to a double-, then triple-fault?
3. Are there other address ranges that I should be adding to a basic paging model that I'm forgetting?

[MichaelPetch]

First of all, thanks for actually trying to analyze the QEMU exception logs. You are correct in observing that it appears to be the stack. AFAIR in your code the stack is part of the BSS section which should be captured between `_kernel_start` and `_kernel_end`. Did you fix the bug I mentioned about having to use `&_kernel_start` instead of `_kernel_start` in the vmalloc code? There is a place where you didn't use `&`.

Something else that can help is getting a memory map and translation dumped. To QEMU add the `-no-shutdown -no-reboot -monitor stdio` to enable the QEMU monitor at the console where you are running commands from. When you reach the page fault you are seeing type `info mem` to see what regions of memory are mapped and `info tlb` to see each of the translations. Is the stack memory in the mapped region? Does it look like the entire kernel is mapped? You can also access the QEMU monitor by clicking on the window your OS is running in and hit control-alt-2 . You can switch back to the OS output by using control-alt-1 .

Your page fault handler may not be called because the CPU tried to push CS/EIP/Flags onto the stack as part of the page fault interrupt processing. A double fault would have occurred because the stack appears to not be mapped so throws a second exception and that cascades to a triple fault.

I previously mentioned you will have map your heap memory into virtual address space or you'll get a page fault on any heap data accesses.

[MichaelPetch]

I looked at your latest commits. I believe this:

Code: Select all

  size_t kernel_size = &_kernel_end - &_kernel_start;

should be:

Code: Select all

  size_t kernel_size = (uintptr_t)&_kernel_end - (uintptr_t)&_kernel_start;

Because of the way you are accessing the linker symbols and needing to use `&` you need to cast to something like `uintptr_t` otherwise pointer arithmetic will yield the wrong size. If you used QEMU and GDB to debug the code you would have found that `kernel_size` was wrong as a result of this bug. This caused the stack to not be mapped in because not enough pages were processed (kernel_size was smaller than what it really was).

As well:

Code: Select all

for (uint16_t i = 1; i <= kernel_pages; i++) {

should be:

Code: Select all

for (uint16_t i = 0; i < kernel_pages; i++) {

Note the change to `i=0` and `i < kernel_pages`.