This patch (hack) fixes the crash on armhf. diff --git a/linux-user/elfload.c b/linux-user/elfload.c index a26200d9f3..2efa981061 100644 --- a/linux-user/elfload.c +++ b/linux-user/elfload.c @@ -3674,7 +3685,7 @@ int load_elf_binary(struct linux_binprm *bprm, struct image_info *info) * The implementation of do_brk in syscalls.c expects to be able * to mmap pages in this space. */ - if (info->reserve_brk) { + if (0 && info->reserve_brk) { abi_ulong start_brk = HOST_PAGE_ALIGN(info->brk); abi_ulong end_brk = HOST_PAGE_ALIGN(info->brk + info->reserve_brk); target_munmap(start_brk, end_brk - start_brk);
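Review bot: changing the condition to `if (0 && info->reserve_brk)` disables the release of the reserved brk region outright, so the comment above the hunk no longer holds: the unmap is there so that do_brk in syscalls.c can mmap pages in this space, and with the reservation left in place that needs re-checking rather than being silently skipped. The `start_brk`/`end_brk` computation and the `target_munmap` call also become dead code and should go if the guard stays. Rather than suppressing the unmap, the release range should be kept from covering mappings the loader has already created (the quoted layout shows the segment holding the entry point, 0x00380000-0x0038d000, lying inside it), for example by checking the range against those mappings before calling target_munmap or by placing them outside the reserved range; if the hack is kept as a stopgap, a comment saying why belongs with it.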
Still wondering what the best fix is. Without the patch this is the memory layout:

    start      end        size     prot
    00010000-00011000 00001000 r-x
    00011000-00020000 0000f000 ---
    00020000-00021000 00001000 rw-
    40000000-40001000 00001000 ---
    40001000-40801000 00800000 rwx
    40801000-40802000 00001000 r-x
    ffff0000-ffff1000 00001000 r-x
    start_brk   0x00000000
    end_code    0x00010a73
    start_code  0x00010000
    start_data  0x00020a78
    end_data    0x00020cd0
    start_stack 0x407ffe50
    brk         0x00020cd4
    entry       0x003800f9
    argv_start  0x407ffe54
    env_start   0x407ffe60
    auxv_start  0x407fff28

With the patch, this is the layout:

    start      end        size     prot
    00010000-00011000 00001000 r-x
    00011000-00020000 0000f000 ---
    00020000-00021000 00001000 rw-
    00021000-00380000 0035f000 ---
    00380000-0038d000 0000d000 r-x
    0038d000-0039c000 0000f000 ---
    0039c000-0039d000 00001000 rw-
    0039d000-0039f000 00002000 rw-
    0039f000-01021000 00c82000 ---
    40000000-40001000 00001000 ---
    40001000-40801000 00800000 rwx
    40801000-40802000 00001000 r-x
    ffff0000-ffff1000 00001000 r-x
    start_brk   0x00000000
    end_code    0x00010a73
    start_code  0x00010000
    start_data  0x00020a78
    end_data    0x00020cd0
    start_stack 0x407ffe50
    brk         0x00020cd4
    entry       0x003800f9
    argv_start  0x407ffe54
    env_start   0x407ffe60
    auxv_start  0x407fff28

As can be seen, the memory segment of "entry" at 0x003800f9 has been unmapped when releasing the "reserve_brk" region. Since qemu can't then fetch the instructions, it crashes immediately.
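To make the collision checkable before the unmap runs, here is an added example (not QEMU code) that parses the "with the patch" layout quoted above, recomputes the range load_elf_binary releases, and reports whether the entry point and any populated mapping fall inside it. It assumes a 32-bit guest, 4 KiB host pages, and reserve_brk = 16 MiB, which is inferred from the 0x00021000-0x01021000 span in the layout rather than taken from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumptions for this example: 32-bit guest addresses, 4 KiB host pages. */
typedef uint32_t abi_ulong;
#define HOST_PAGE_SIZE 0x1000u
#define HOST_PAGE_ALIGN(a) (((a) + HOST_PAGE_SIZE - 1) & ~(HOST_PAGE_SIZE - 1))

struct map_entry { abi_ulong start, end; char prot[4]; };

/* Constructed from the "with the patch" layout quoted in the post. */
static const char *const map_with_patch[] = {
    "00010000-00011000 00001000 r-x", "00011000-00020000 0000f000 ---",
    "00020000-00021000 00001000 rw-", "00021000-00380000 0035f000 ---",
    "00380000-0038d000 0000d000 r-x", "0038d000-0039c000 0000f000 ---",
    "0039c000-0039d000 00001000 rw-", "0039d000-0039f000 00002000 rw-",
    "0039f000-01021000 00c82000 ---", "40000000-40001000 00001000 ---",
    "40001000-40801000 00800000 rwx", "40801000-40802000 00001000 r-x",
    "ffff0000-ffff1000 00001000 r-x",
};
#define MAP_LINES (sizeof map_with_patch / sizeof map_with_patch[0])

/* Parse one "start-end size prot" line as printed in the layout dump. */
static int parse_map_line(const char *line, struct map_entry *e)
{
    unsigned int start, end, size;
    if (sscanf(line, "%x-%x %x %3s", &start, &end, &size, e->prot) != 4) return 0;
    e->start = start; e->end = end;
    return 1;
}

/* Release range as in the hunk: [HOST_PAGE_ALIGN(brk), HOST_PAGE_ALIGN(brk + reserve_brk)).
 * Returns 1 if the page holding the entry point lies inside it. */
static int release_clobbers_entry(abi_ulong brk, abi_ulong reserve_brk, abi_ulong entry)
{
    abi_ulong lo = HOST_PAGE_ALIGN(brk), hi = HOST_PAGE_ALIGN(brk + reserve_brk);
    return entry >= lo && entry < hi;
}

/* Count mappings with real contents (prot other than "---") that the release would tear down. */
static int count_live_overlaps(const char *const *lines, size_t n, abi_ulong brk, abi_ulong reserve_brk)
{
    abi_ulong lo = HOST_PAGE_ALIGN(brk), hi = HOST_PAGE_ALIGN(brk + reserve_brk);
    int live = 0;
    for (size_t i = 0; i < n; i++) {
        struct map_entry e;
        if (!parse_map_line(lines[i], &e)) continue;          /* skip non-map lines */
        if (e.start < hi && e.end > lo && strcmp(e.prot, "---") != 0) live++;
    }
    return live;
}

int main(void)
{   /* brk and entry from the post; reserve_brk = 16 MiB inferred from the layout. */
    abi_ulong brk = 0x00020cd4, entry = 0x003800f9, reserve_brk = 0x1000000;
    printf("entry clobbered: %d, live mappings lost: %d\n",
           release_clobbers_entry(brk, reserve_brk, entry),
           count_live_overlaps(map_with_patch, MAP_LINES, brk, reserve_brk));
    return 0;
}
```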