After mmap(), write to returned address is OK, but read cause system crash.Why?

Question

I want to share memory between two process.
After mmap(), I get a address mapStart, then I add offset to mapStart and get mapAddr, and make sure mapAddr will not exceed maped PAGE_SIZE.
When I write to mapAddr by

memcpy((void *)mapAddr, data, size);

everything is OK.

But when I read from mapAddr by

memcpy( &data, (void *)mapAddr, size);` 

that will case system crash.
Who know Why? The similar problem is here

Add some Info: @Tony Delroy, @J-16 SDiZ
mmap function is:

mapStart = (void volatile *)mmap(0, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_LOCKED, memfd, pa_base);

system crash: have no any OS error message, Console print some MCA info

the detail described in here

Answer 1

Just some idea.

Is your mmap() spanning over memory regions with different attribute? This is illegal. Older kernel (you said 2.6.18) allowed this, but crash when you write to some of it.

See this post for some starting point. If it is possible, try a newer kernel.

Answer 2

There are at least two possible issues:

After mmap(), I get a address mapStart, then I add offset to mapStart and get mapAddr, and make sure mapAddr will not exceed maped PAGE_SIZE.

Not mapAddr must be made sure not to exceed the mapped size, but mapAddr+size. You are trying to touch size bytes, not just one.

memcpy((void *)mapAddr, data, size);
memcpy( &data, (void *)mapAddr, size);

Assuming data is not a array (which is a plausible assumption since you use it without address operator in the first line), the second line copies not from the location pointed to by data, but starting with data. This is quite possibly some unallocated memory, or some location on the stack, or whatever. If there is not a lot on the stack, it might as well read beyond the end of the stack into the text segment, or... something else.

(If data is indeed an array, it is of course equivalent, but then your code style would be inconsistent.)