Post not yet marked as solved
My company has been developing a DriverKit Extension for our ThunderBolt attached devices. Our testing has gone well on Intel based machines but it seems to be able to cause kernel panics on my M1/M2 Mac when click "Allow"
in Privacy & Security. It always crash immediately. Unfortunately it is " ApplePPMCPMS: Could not register client id 5. Error code 0xe00002bc " and I have no way to debug it. Has anyone deal with something like this?
panic(cpu 5 caller 0xfffffe002fd92b7c): "ApplePPM: virtual IOReturn ApplePPMCPMS::callPlatformFunction(const OSSymbol *, bool, void *, void *, void *, void *):2003 " "ApplePPMCPMS: Could not register client id 5. Error code 0xe00002bc\n" @ApplePPMCPMS.cpp:2003
Debugger message: panic
Memory ID: 0x6
OS release type: User
OS version: 22G90
Kernel version: Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:52 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_T8103
Fileset Kernelcache UUID: 593DE91B6B9F1B49F8178C99AC56A8C2
Kernel UUID: CE831117-201E-35F6-A293-FCC0F02097A3
Boot session UUID: EB9DE635-C521-4672-9251-955CEC7BC487
iBoot version: iBoot-8422.141.2
secure boot?: YES
roots installed: 0
Paniclog version: 14
KernelCache slide: 0x00000000264e4000
KernelCache base: 0xfffffe002d4e8000
Kernel slide: 0x00000000264ec000
Kernel text base: 0xfffffe002d4f0000
Kernel text exec slide: 0x00000000278a4000
Kernel text exec base: 0xfffffe002e8a8000
mach_absolute_time: 0x3b74899144
Epoch Time: sec usec
Boot : 0x66176032 0x000c0192
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x661789be 0x0006abb4
Zone info:
Zone map: 0xfffffe10002b4000 - 0xfffffe30002b4000
. VM : 0xfffffe10002b4000 - 0xfffffe14ccf80000
. RO : 0xfffffe14ccf80000 - 0xfffffe1666918000
. GEN0 : 0xfffffe1666918000 - 0xfffffe1b335e4000
. GEN1 : 0xfffffe1b335e4000 - 0xfffffe20002b0000
. GEN2 : 0xfffffe20002b0000 - 0xfffffe24ccf7c000
. GEN3 : 0xfffffe24ccf7c000 - 0xfffffe2999c48000
. DATA : 0xfffffe2999c48000 - 0xfffffe30002b4000
Metadata: 0xfffffe3efce64000 - 0xfffffe3f04e64000
Bitmaps : 0xfffffe3f04e64000 - 0xfffffe3f06478000
Extra : 0 - 0
CORE 0 recently retired instr at 0xfffffe002ea385fc
CORE 1 recently retired instr at 0xfffffe002ea385fc
CORE 2 recently retired instr at 0xfffffe002ea385fc
CORE 3 recently retired instr at 0xfffffe002ea385fc
CORE 4 recently retired instr at 0xfffffe002ea385fc
CORE 5 recently retired instr at 0xfffffe002ea36edc
CORE 6 recently retired instr at 0xfffffe002ea385fc
CORE 7 recently retired instr at 0xfffffe002ea385fc
TPIDRx_ELy = {1: 0xfffffe166798e020 0: 0x0000000000000005 0ro: 0x0000000000000000 }
CORE 0 PVH locks held: None
CORE 1 PVH locks held: None
CORE 2 PVH locks held: None
CORE 3 PVH locks held: None
CORE 4 PVH locks held: None
CORE 5 PVH locks held: None
CORE 6 PVH locks held: None
CORE 7 PVH locks held: None
CORE 0: PC=0xfffffe002e919618, LR=0xfffffe002e90f630, FP=0xfffffe5d6457bc00
CORE 1: PC=0xfffffe002e936000, LR=0xfffffe002e936000, FP=0xfffffe5d6429bef0
CORE 2: PC=0xfffffe002eaacaa8, LR=0xfffffe002eaacae8, FP=0xfffffe5d63fe3690
CORE 3: PC=0xfffffe002e936000, LR=0xfffffe002e936000, FP=0xfffffe5d64693ef0
CORE 4: PC=0xfffffe002e92fbac, LR=0xfffffe002e914b70, FP=0xfffffe5d65befc60
CORE 5 is the one that panicked. Check the full backtrace for details.
CORE 6: PC=0x0000000199b5b5b4, LR=0x000000018c06db24, FP=0x000000016f324ff0
CORE 7: PC=0xfffffe002ef4937c, LR=0xfffffe002ef492f0, FP=0xfffffe5d657e7de0
Compressor Info: 0% of compressed pages limit (OK) and 0% of segments limit (OK) with 0 swapfiles and OK swap space
Panicked task 0xfffffe24cd09a738: 0 pages, 970 threads: pid 0: kernel_task
Panicked thread: 0xfffffe166798e020, backtrace: 0xfffffe5d643735d0, tid: 62085
lr: 0xfffffe002e8fe5fc fp: 0xfffffe5d64373650
lr: 0xfffffe002ea3e6e4 fp: 0xfffffe5d64373670
lr: 0xfffffe002ea2fe4c fp: 0xfffffe5d643736e0
lr: 0xfffffe002ea2e518 fp: 0xfffffe5d643737a0
lr: 0xfffffe002e8af7f8 fp: 0xfffffe5d643737b0
lr: 0xfffffe002e8fdee4 fp: 0xfffffe5d64373b60
lr: 0xfffffe002f07a548 fp: 0xfffffe5d64373b80
lr: 0xfffffe002fd92b7c fp: 0xfffffe5d64373d30
lr: 0xfffffe002f13c88c fp: 0xfffffe5d64373d80
lr: 0xfffffe002ef44b08 fp: 0xfffffe5d64373de0
lr: 0xfffffe002ef4c3ac fp: 0xfffffe5d64373e50
lr: 0xfffffe002ef51cc8 fp: 0xfffffe5d64373f20
lr: 0xfffffe002e8b8e98 fp: 0x0000000000000000
Kernel Extensions in backtrace:
com.apple.AGXG13G(227.7.14)[9A593B36-8560-3700-B806-A6531D4F72EC]@0xfffffe002f0be6a0->0xfffffe002f15dbbf
dependency: com.apple.driver.AppleARMPlatform(1.0.2)[5478478E-CF49-3A40-9437-4298C08DC081]@0xfffffe002f2123d0->0xfffffe002f263173
dependency: com.apple.driver.AppleMobileFileIntegrity(1.0.5)[28D5832D-79F4-3C81-AA70-0775A365BA35]@0xfffffe002fca3580->0xfffffe002fccf587
dependency: com.apple.driver.RTBuddy(1.0.0)[8695C672-1FB4-3954-A525-C10AE1CE4E57]@0xfffffe0031348720->0xfffffe003138444b
dependency: com.apple.iokit.CoreAnalyticsFamily(1)[38EC9902-05F4-3412-8CB3-1B5001455BCA]@0xfffffe00303385f0->0xfffffe0030340407
dependency: com.apple.iokit.IOGPUFamily(65.60.1)[683A153B-7683-363B-B6E8-6DC60D57D55F]@0xfffffe0030a85180->0xfffffe0030abab17
dependency: com.apple.iokit.IOReportFamily(47)[FE904E47-8D35-3152-8035-2BFA7B69A77E]@0xfffffe0030d44820->0xfffffe0030d478bf
dependency: com.apple.iokit.IOSurface(336.60.1)[64104E9B-CF29-3BAC-ABF7-134DCEE9A195]@0xfffffe0030e15d20->0xfffffe0030e450e3
dependency: com.apple.kec.Libm(1)[BA66FD46-3E12-378D-A1A3-67C765DB2A21]@0xfffffe00313313c0->0xfffffe0031334e4b
com.apple.driver.ApplePassthroughPPM(3.0)[495FD94A-224A-3C8B-B377-925FF62F0257]@0xfffffe002fd7ac40->0xfffffe002fdbb7c3
dependency: com.apple.driver.AppleARMPlatform(1.0.2)[5478478E-CF49-3A40-9437-4298C08DC081]@0xfffffe002f2123d0->0xfffffe002f263173
dependency: com.apple.driver.ApplePMGR(1)[8202FFB5-EBDB-333D-9001-9A2582407585]@0xfffffe002fd26380->0xfffffe002fd6c30f
dependency: com.apple.iokit.IOReportFamily(47)[FE904E47-8D35-3152-8035-2BFA7B69A77E]@0xfffffe0030d44820->0xfffffe0030d478bf
dependency: com.apple.kec.Libm(1)[BA66FD46-3E12-378D-A1A3-67C765DB2A21]@0xfffffe00313313c0->0xfffffe0031334e4b
last started kext at 254801217669: com.apple.filesystems.exfat 1.4 (addr 0xfffffe002de1c690, size 6208)
last stopped kext at 252590757699: com.apple.filesystems.exfat 1.4 (addr 0xfffffe002de1c690, size 6208)
Post not yet marked as solved
Hardware and software configuration
MacBook Air M2 2022 16GB,
MacOS Ventura 13.2.1
Full description
This is a DriverKit that controls PCIE FPGA devices for low-latency data exchange.
This driver has been implemented on Iokit, and now it needs to be launched on Driverkit to adapt to newer Macs.
Driverkit lacks the IOMemoryDescriptor::withAddressRange(Iokit) function to convert the app's memory of any size to a Descriptor.
Currently, we use args->structureOutputDescriptor->CreateMapping to map the Descriptor passed by the application to the kernel layer.
// App
size_t ***::xxRead(long long addr, size_t size, void * buff){
std::lock_guard<std::mutex> guard(usrLock);
kern_return_t kr;
uint64_t info[2] = {(uint64_t)addr, (uint64_t)size};
kr = IOConnectCallMethod(
connect,
kUserReadIO,
info,
2,
NULL, NULL, NULL, NULL,
buff,
&size);
return size;
}
// Driverkit
const IOUserClientMethodDispatch sMethods[kNumMethods] = {
[kUserReadIO] =
{
(IOUserClientMethodFunction) &SmiPcieUc::sUserReadIo,
.checkCompletionExists = false,
.checkScalarInputCount = 2, // Read Addr, size
.checkStructureInputSize = 0,
.checkScalarOutputCount = 0,
.checkStructureOutputSize = kIOUserClientVariableStructureSize} // Read Data
};
kern_return_t SmiPcieUc::sUserReadIo (OSObject * target, void* reference, IOUserClientMethodArguments* args){
IOMemoryMap * memMap = nullptr;
uint32_t * buffKptr = nullptr;
kern_return_t rt = 0;
if(target == nullptr){
Log("***Err***: sUserReadIo Target is Null!");
return kIOReturnError;
}
if(args->structureOutputDescriptor){
rt = args->structureOutputDescriptor->CreateMapping(0,0,0,0,0, &memMap);
if(rt == kIOReturnSuccess){
buffKptr = reinterpret_cast<uint32_t *>(memMap->GetAddress());
}
else {
Log("***Err***: sUserReadIo Mapping Failed!");
return kIOReturnNoMemory;
}
} else {
buffKptr = (uint32_t *) args->structureOutput;
}
rt = ((SmiPcieUc *)target)->UserReadIo((uint64_t *)&args->scalarInput[0], (size_t *)&args->scalarInput[1], buffKptr);
OSSafeReleaseNULL(memMap);
return rt;
}
phenomenon
When StructureOutputSize is greater than 4096, args>structureOutputDescriptor exists, and when it is less than or equal to 4096, args->structureOutputDescriptor and args->structureOutput are both equal to nullptr, (in IOkit, args->structureOutput is not empty)。
How to properly convert any size of application memory into the kernel space of Driverkit?
Post not yet marked as solved
We have been doing a R&D work related to the NVMe controller on Mac platform, where we need to get control of the admin queues(submission as well as completion). From the spec of NVMe it’s very clear that what are all registers do we need to deal with to get access of the queues. We are accordingly following those registers to create our own queues. Also we have prepared and enqueued a sample admin command to the newly created submission queue. But surprisingly we can’t get any assurance whether the command got processed by the controller or not, because from the completion queue entry we can see all the entries are zero, which is not expected anyway. So here the question is, how to communicate with the controller properly ? We are also aware of the fact of existing NVMe driver(IONVMeFamily) on Mac platform, is this somehow crossing our way ? We have done all the proper setup for registers, DMAs and interrupt. Path is very ok if we use builtin driver with the XNVME user space application (we can trigger limited admin commands over there). But here we need to have our own created queues up and running with seamless admin command transaction. Here we must tell about our setup, we have one SSD which is connected via a thunderbolt cable to Mac laptop using type C usb port. We have tried to access pre-configured admin queues from IONVMeFamily driver but that is also a blocker for us, as we can’t see any valid data from submission/completion queues.
Request you to all please help us coming out of this trapped zone.
Post not yet marked as solved
Hi,I am trying to write Dext code for my existing Kext,How to convert this code to be compatible with Dext?
BufferMemoryDescriptorAME_Module = NULL;
IOMemoryMap *MemMap;
BufferMemoryDescriptorAME_Module= IOBufferMemoryDescriptor::inTaskWithPhysicalMask(kernel_task,kIOMemoryPhysicallyContiguous,otal_memory_size);
BufferMemoryDescriptorAME_Module->prepare(kIODirectionInOut);
MemMap = BufferMemoryDescriptorAME_Module->map(kIOMapInhibitCache);
logicalAddressAME_Module = (UInt8 *) MemMap->getVirtualAddress();
physicalAddressAME_Module = MemMap->getPhysicalAddress();
Thanks,
Frederic
Post not yet marked as solved
I'm looking for a fast and efficient way for user-space to send I/O to my driver. One way I'd have hoped to do this, was through a shared memory ring-buffer.
In the WWDC19 presentation on System Extensions and DriverKit, at roughly 17:00, they mention an IOSharedDataQueueDispatchSource. This doesn't exist in the DriverKit API. An IODataQueueDispatchSource is available, but doesn't seem to be meant to be shared.
In the old IOKit framework, there are similar IOSharedDataQueue and IODataQueue, but they are unavailable in DriverKit.
So, what are my options for implementing a fast, efficient I/O path to my driver?
Post not yet marked as solved
I'm currently working on developing a PCI driver using PCIDriverKit, but I'm encountering challenges, particularly with the driver's extension. I need some insights on the APIs and methods to follow the best practices in generating PCI drivers for retrieving PCI devices information and running NVMe commands on the devices.
Post not yet marked as solved
Hi,
I'm working on a project that requires porting my KEXT driver to DriverKit system extension ( DEXT ). I've managed to re-write most of functions using DriverKit but I couldn't found a function for cancelling a scheduled timer.
What I try to make is waiting for an interrupt with a timeout period. And if the interrupt arrives in certain time period I need to cancel timeout timer and send async response to the user app. I'm also open to the suggestions.
Here is the code fragment for IOKit that I need to convert to DriverKit
// ... initialization code fragment ( error handling parts deleted )
m_timeout_timer = IOTimerEventSource::timerEventSource(this, timer_fired_pc_recv);
IOReturn result = m_workLoop->addEventSource(timer);
// ... starting the timeout counter
m_timeout_timer->setTimeoutMS(timeout_in_ms);
// ... some time later (cancel part)
m_timeout_timer->cancelTimeout();
And equivalent code in DriverKit
// ... initialization code fragment ( error handling parts deleted )
ret = IOTimerDispatchSource::Create(ivars->default_dispatch_queue, &ivars->timer_dispatchSource);
// starting timer
timer_dispatchSource->WakeAtTime(kIOTimerClockMonotonicRaw, currentTime + fiveSecondsInNanoSeconds, twoSecondsInNanoSeconds);
// missing part here
I did see the member method Cancel in IOTimerDispatchSource but it is kind of termination to the lifetime of IOTimerDispatchSource
Post not yet marked as solved
I have applied for DriverKit for PCI transport entitlements.
Selected Additional Capabilities DriverKit PCI (PrimaryMatch) for the app ID,
then made a profile and download. Check the profile, which also includes com. apple. developer. driverkit. transport. pci.
But when install this driverkit, log show the error:Unsatisfied entitlements: com.apple.developer.driverkit.transport.pci
Post not yet marked as solved
Hi, I'm developing my own PCIe device driver, the log shows error message below when driver executing.
2023-07-31 13:43:47.031012+0800 0x1d41ce Error 0x0 12158 0 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] com.asix.dext.pciedevice: Unsatisfied entitlements: com.apple.developer.driverkit.transport.pci
2023-07-31 13:43:47.031048+0800 0x1d41ce Error 0x0 12158 0 taskgated-helper: (ConfigurationProfiles)
[com.apple.ManagedClient:ProvisioningProfiles] Disallowing: com.asix.dext.pciedevice
2023-07-31 13:43:47.062775+0800 0x1d436e Error 0x0 103 0 kernelmanagerd: Error occurred while handling request "DextLaunch(arguments: Optional(["Check In Token": 12087, "kOSBundleDextUniqueIdentifier": <04642bc8 90788071 c2a02259 c624ba81 3bebbf55 f9f2db7e f9fbbdd5 1f2ed99d>, "Driver Extension Server Tag": 4294982732, "DriverKit Reslide Shared Cache": 0, "Driver Extension Server Name": com.asix.dext.pciedevice, "CFBundleIdentifier": com.asix.dext.pciedevice]))": Error Domain=NSPOSIXErrorDomain Code=8 "Exec format error"
**How to match device's PID & VID to driver and make it work successfully?
Please help me, Thanks**
errorcode.txt
Post not yet marked as solved
My mac os 13.4 do not have PICDriverKit.framework, so I can not build pci driverkit, is that normal?
Post not yet marked as solved
Hi,
I am working in DriverKit(dext) environment with PCIDriverKit.
How to assign dma to pci device?
How to know the address to get the data recorded in the memory using dma in the pci device?
There are some information related to kext, but, i'm looking for information or sample code for dext.
Any little information would be helpful.
Post not yet marked as solved
Hi all,
I got the entiltlements for the DriverKit PCI (primary match). so I added it to my driver app ID.
so, I can show the ~~transport.pci entitlement item on my provision profile.
However, macOS system still block the my driver, and log show the " Unsatisfied entitlements: com.apple.developer.driverkit.transport.pci"
Post not yet marked as solved
Hello,
I am porting a PCI driver written with IOKit to the new PCIDriverKit framework.
I am able to perform DMA with a contiguous buffer allocated inside the dext (with IOBufferMemoryDescriptor::Create).
But I would also like to perform DMA to and from a buffer allocated by an application.
What I exactly want to do is:
Allocate an aligned buffer in the app (with e.g. posix_memalign)
Send the pointer to this buffer to the dext
In the dext, retrieve the list of pages descriptors to be able to perform DMA without copy into (or from) this buffer.
In IOKit, we can use methods such IOMemoryDescriptor::withAddressRange and IODMACommand::gen64IOVMSegments to map and retrieve the scatter gather list but I cannot find any information on how to do this in a dext with the PCIDriverKit framework.
Can anybody help me on how to do that?
Post not yet marked as solved
Hi,
We have PCI storage device for which we use Kernel Driver.
In kernel driver development we use getDeviceMemoryWithIndex to get IODeviceMemory and then we map it using IODeviceMemory->map then we fetch virtual memory using IOMemoryMap->getVirtualAddress.
So my query is what's alternative for this in PCIDriverKit for developing DEXT.
I found _CopyDeviceMemoryWithIndex api which seems similar to getDeviceMemoryWithIndex.
But when I used this api then this is failing with error: 0xe00002cd (Device Not Open.)
I'm doubting this failure because of IOPCIDevice->Open failure for which I have already created another thread [https://developer.apple.com/forums/thread/661711] to discuss this issue.
There is no sample code available so I'm just following WWDC2020 presentation for Modernize PCI and SCSI drivers with DriverKit.
My driver is loading and unloading on device connect/disconnect and able to fetch VID and DEVID from PCI registers. I'm using IOPCIDevice as provider and IOPCIMatch for driver matching.
Any help or suggestion is really appreciated.
Thanks