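[Question] malloc and pointer crash problem

Author: liptonbin (我還存在耶)   2021-08-11 10:07:30
I have a question.
I want to read test.bin and then write it to a node.
load_bin_compare_name allocates the size with malloc and then uses fread to store the data in fwbin (a global variable).
In combin_binary_upgrade I then write the binary that was just read, but it crashes. When I comment out the line below, it no longer crashes:
write(fd, write_string, counts); // crash point
Or, if I enable DEBUG_PRINT and comment out the crashing line above, the whole content of test.bin is printed correctly, with no crash.
I point p_arr at fwbin and then advance p_arr by the offset (2048 bytes) each time, writing to the node in sequence. Where is the problem?
Thank you very much.
code (abbreviated):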
static char *fwbin;

unsigned char fw_upgrade(unsigned char type)
{
    unsigned char u8_ret;
    unsigned int u32_len = 0;
    u32_len = load_bin_compare_name("test.bin");
    combin_binary_upgrade(u8_type, u32_len);
    return u8_ret;
}

void combin_binary_upgrade(unsigned char u8_type, unsigned int u32_len)
{
    int fd, ret = 0, i = 0, loops = 0, leftcount = 0, counts = 0;
    char write_string[2048], cmd_buf[20], str_sys_cmd_path[200];
    unsigned char u8_cmd, u8_ret = SUCCESS;
    int j = 0;
    char *p_arr = NULL;
    memset(cmd_buf, 0, sizeof(cmd_buf));
    memset(str_sys_cmd_path, 0, sizeof(str_sys_cmd_path));
    sprintf(str_sys_cmd_path, "%s%s", g_sysfs_location, "/receive_binary_node");
    p_arr = fwbin;
    fd = open_node(str_sys_cmd_path);
    if (fd < 0) {
        printf("open_node fail!\n");
        return -1;
    }
    else
        printf("open_node pass\n"); // this is printed
    sprintf(cmd_buf, "%x,%x,%x", u8_cmd, u8_type, u32_len);
    write(fd, cmd_buf, sizeof(cmd_buf));
    loops = u32_len / 2048;
    leftcount = u32_len % 2048;
    for (i = 0; i <= loops; i++) {
        if (i == loops)
            counts = leftcount;
        else
            counts = FW_WRITE_SIZE;
        memset(write_string, 0, sizeof(write_string));
        memcpy(write_string, p_arr, counts);
        write(fd, write_string, counts); // causes the crash
#if DEBUG_PRINT
        for (j = 1; j <= counts; j++) {
            printf("%5x ", write_string[j - 1]);
            if (j % 16 == 0)
                printf("\n");
        }
#endif
        p_arr += counts;
    }
    free(fwbin);
    close(fd);
}

unsigned int load_bin_compare_name(char *filename)
{
    FILE *pFile;
    unsigned long lSize;
    size_t result;
    int len = 0, ret = 0, i = 0, checkfile_num = 0, burn = 0;
    char burnfilename[100], *value, fwpath[100];
    memset(burnfilename, 0, 100*sizeof(char));
    len = strlen(g_path);
    if (g_path[len - 1] != '/')
        strcat(g_path, "/");
    sprintf(fwpath, "%s%s", g_path, burnfilename);
    pFile = fopen(fwpath, "rb");
    if (pFile == NULL) {
        printf("[touch] fopen %s error, please check your files or path\n",fwpath);
        exit(1);
    }
    fseek(pFile , 0 , SEEK_END);
    lSize = ftell(pFile);
    rewind(pFile);
    fwbin = (char *) malloc(sizeof(char) * lSize);
    if (fwbin == NULL) {
        printf("[touch] fwbin malloc fail\n");
    }
    result = fread(fwbin, 1, lSize, pFile);
    if (result != lSize)
    {
        printf("[touch]fread error, result=%d, lSize=%ld\n", result, lSize);
    }
    fclose(pFile);
    return lSize;
}
crash log:
[ 22.864884] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 22.878321] pgd = db524000
[ 22.880921] [00000000] *pgd=00000000
[ 22.884404] Internal error: Oops: 805 [#1] PREEMPT SMP ARM
[ 22.889769] Modules linked in: drmboot(P) mali_kbase
[ 22.894634] CPU: 0 PID: 1371 Comm: raydium_selftes Tainted: P 3.10.0 #3439
[ 22.902392] task: dc1bc980 ti: db4c4000 task.ti: db4c4000
[ 22.907684] PC is at memcpy+0x50/0x330
[ 22.911345] LR is at 0x0
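Author: EdisonX (卡卡獸)   2021-08-11 11:31:00
memcpy(write_string, p_arr, counts); p_arr==null ?
Sorry, ignore the comment above.
Author: chuegou (chuegou)   2021-08-11 13:07:00
What is FW_WRITE_SIZE?
Author: liptonbin (我還存在耶)   2021-08-11 19:56:00
The size is 2048.
Author: CJacky (西傑)   2021-08-12 02:55:00
Does it crash when i==0, or when i==loops? Can leftcount be equal to 0?
Author: chuegou (chuegou)   2021-08-12 22:18:00
Try checking the return value of write?
Author: ohbravo (月餅人)   2021-08-26 19:18:00
Same thought as CJacky: if u32_len happens to be an exact multiple of 2048 (leftcount is 0 on the last iteration), it looks like it would crash.
Author: askacis (ASKA)   2021-09-17 09:47:00
The log has already told you; look at where the PC is and you will know.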
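
The chunked write loop discussed in the thread, as an added example that is not the poster's code: it loops on bytes remaining, so a length that is an exact multiple of 2048 never produces the zero-length final write CJacky and ohbravo point to, and it checks the return value of write() as chuegou suggests. The helper name write_chunked and its calls counter are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define FW_WRITE_SIZE 2048  /* chunk size stated in the thread */

/* Hypothetical helper (not from the thread): write len bytes of buf to fd in
 * chunks of at most chunk bytes. Returns 0 on success, -1 on error (errno is
 * set). *calls, if non-NULL, receives the number of write() calls made. */
int write_chunked(int fd, const char *buf, size_t len, size_t chunk,
                  unsigned *calls)
{
    unsigned n = 0;
    size_t off = 0;

    if (calls)
        *calls = 0;
    if (buf == NULL || chunk == 0) {   /* e.g. malloc failed upstream */
        errno = EINVAL;
        return -1;
    }
    /* Loop on bytes remaining, not on len / chunk: when len is an exact
     * multiple of chunk there is no trailing zero-length write. */
    while (off < len) {
        size_t want = len - off < chunk ? len - off : chunk;
        ssize_t got = write(fd, buf + off, want);

        n++;
        if (calls)
            *calls = n;
        if (got < 0) {
            if (errno == EINTR)
                continue;              /* interrupted: retry same offset */
            return -1;                 /* real failure: stop and report */
        }
        if (got == 0) {                /* no progress: avoid spinning */
            errno = EIO;
            return -1;
        }
        off += (size_t)got;            /* short write: advance by got only */
    }
    return 0;
}
```

Writing straight from the source buffer also removes the intermediate memcpy into write_string; the caller should still confirm that malloc and fread succeeded before passing the buffer in.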
