Using the SocketCAN API (PF_CAN raw socket) crashes the kernel


Using the SocketCAN API (PF_CAN raw socket) crashes the kernel

fatalfeel
Contributor V

In canutils/candump.c:

...

...

socket(PF_CAN, SOCK_RAW, CAN_RAW);

...

...

nbytes = recvmsg(s[i], &msg, 0);

//

the Linux kernel sometimes oopses (dump below):

[  250.778583] Unable to handle kernel paging request at virtual address 3ce84c10
[  250.779549] pgd = c0004000
[  250.779930] [3ce84c10] *pgd=00000000
[  250.780450] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[  250.781154] Modules linked in:
[  250.781607] CPU: 0 PID: 87 Comm: ci_otg Not tainted 4.1.27-svn1470 #2
[  250.782454] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
[  250.783322] Workqueue: P� 0xc89befc4 (��1���1���1�)
[  250.784023] task: ca3d5140 ti: ca6dc000 task.ti: ca6dc000
[  250.784764] PC is at cpuacct_charge+0xcc/0x150
[  250.785371] LR is at cpuacct_charge+0x3c/0x150
[  250.785973] pc : [<c01e0cac>]    lr : [<c01e0c1c>]    psr: a00e0193
[  250.785973] sp : ca6ddf18  ip : ca6ddf18  fp : ca6ddf7c
[  250.787453] r10: ca277010  r9 : 00000000  r8 : 00000002
[  250.788149] r7 : 00000001  r6 : ca6df578  r5 : c1304c04  r4 : 00000000
[  250.789006] r3 : c1304a7c  r2 : 1eee0065  r1 : 00000000  r0 : ca4c7080
[  250.789864] Flags: NzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
[  250.790829] Control: 10c53c7d  Table: 19b1804a  DAC: 00000015
[  250.791586]
[  250.791586] PC: 0xc01e0c2c:
[  250.792160] 0c2c  e3a03001 e50b3030 e3a03000 e50b3034 e51b302c e2833d16 e5933000 e50b3038
[  250.793436] 0c4c  e51b3038 e50b303c e51b303c e51b2030 e282200a e7933102 e50b3040 e51b3040
[  250.794703] 0c6c  e3530000 0a000003 e51b3040 e50b3044 e51b3044 ea000000 e3a03000 e50b3010
[  250.795972] 0c8c  e3a03000 e50b3018 e51b3010 e5933068 e50b301c e3043a7c e34c3130 e51b2014
[  250.797236] 0cac  e7932102 e51b301c e0823003 e50b3020 e51b3020 e1c300d0 e14b26d4 e0922000
[  250.798502] 0ccc  e0a33001 e51b1020 e1c120f0 e51b3010 e50b3048 e51b3048 e5933024 e50b304c
[  250.799768] 0cec  e51b304c e3530000 0a000003 e51b304c e50b3050 e51b3050 ea000000 e3a03000
[  250.801032] 0d0c  e50b3010 e51b3010 e3530000 1a000000 ea000000 eaffffd9 eb009e91 e24bd00c
[  250.802304]
[  250.802304] LR: 0xc01e0b9c:
[  250.802878] 0b9c  eb00e847 e1a02000 e1a03001 e14b21fc e30cc424 e34cc0e0 e14b21dc e1cd20f0
[  250.804149] 0bbc  e51b0060 e30c1434 e34c10e0 e1a0200c eb0646dd e3a03000 e1a00003 e24bd00c
[  250.805421] 0bdc  e89da800 e1a0c00d e92dd800 e24cb004 e24dd058 e52de004 e8bd4000 e50b0058
[  250.806687] 0bfc  e14b26f4 e51b3058 e50b3024 e51b3024 e5933004 e5933010 e50b3014 eb009ec7
[  250.807952] 0c1c  e51b3058 e50b3028 e51b3028 e50b302c e3a03001 e50b3030 e3a03000 e50b3034
[  250.809216] 0c3c  e51b302c e2833d16 e5933000 e50b3038 e51b3038 e50b303c e51b303c e51b2030
[  250.810480] 0c5c  e282200a e7933102 e50b3040 e51b3040 e3530000 0a000003 e51b3040 e50b3044
[  250.811746] 0c7c  e51b3044 ea000000 e3a03000 e50b3010 e3a03000 e50b3018 e51b3010 e5933068
[  250.813016]
[  250.813016] SP: 0xca6dde98:
[  250.813589] de98  60000113 c12e4c40 00000000 c0d6d5f0 00000002 ca3d5140 c01e0cac a00e0193
[  250.814860] deb8  ffffffff ca6ddf04 ca6ddf7c ca6dded0 c0114518 c01011e0 ca4c7080 00000000
[  250.816125] ded8  1eee0065 c1304a7c 00000000 c1304c04 ca6df578 00000001 00000002 00000000
[  250.817392] def8  ca277010 ca6ddf7c ca6ddf18 ca6ddf18 c01e0c1c c01e0cac a00e0193 ffffffff
[  250.818657] df18  0001dddd 00000000 ca6ddfac ca4c7080 c018b3d0 cd6f9c80 0001dddd 00000000
[  250.819921] df38  c13179e8 c13179e8 c131a1b8 c131a1b8 00000000 00000001 ca4c7080 ca4c7080
[  250.821194] df58  ca4c7080 ca6ddf5c c12e0348 00000000 1eee0065 c13179e8 ca6de074 ca6ddf80
[  250.822464] df78  c01b4450 c01e0bec 00000000 ca6ddf44 ca6ddf54 cd6f9c80 001e8c50 00000000
[  250.823732]
[  250.823732] IP: 0xca6dde98:
[  250.824306] de98  60000113 c12e4c40 00000000 c0d6d5f0 00000002 ca3d5140 c01e0cac a00e0193
[  250.825571] deb8  ffffffff ca6ddf04 ca6ddf7c ca6dded0 c0114518 c01011e0 ca4c7080 00000000
[  250.826837] ded8  1eee0065 c1304a7c 00000000 c1304c04 ca6df578 00000001 00000002 00000000
[  250.828103] def8  ca277010 ca6ddf7c ca6ddf18 ca6ddf18 c01e0c1c c01e0cac a00e0193 ffffffff
[  250.829369] df18  0001dddd 00000000 ca6ddfac ca4c7080 c018b3d0 cd6f9c80 0001dddd 00000000
[  250.830631] df38  c13179e8 c13179e8 c131a1b8 c131a1b8 00000000 00000001 ca4c7080 ca4c7080
[  250.831903] df58  ca4c7080 ca6ddf5c c12e0348 00000000 1eee0065 c13179e8 ca6de074 ca6ddf80
[  250.833172] df78  c01b4450 c01e0bec 00000000 ca6ddf44 ca6ddf54 cd6f9c80 001e8c50 00000000
[  250.834440]
[  250.834440] FP: 0xca6ddefc:
[  250.835015] defc  ca6ddf7c ca6ddf18 ca6ddf18 c01e0c1c c01e0cac a00e0193 ffffffff 0001dddd
[  250.836282] df1c  00000000 ca6ddfac ca4c7080 c018b3d0 cd6f9c80 0001dddd 00000000 c13179e8
[  250.837553] df3c  c13179e8 c131a1b8 c131a1b8 00000000 00000001 ca4c7080 ca4c7080 ca4c7080
[  250.838825] df5c  ca6ddf5c c12e0348 00000000 1eee0065 c13179e8 ca6de074 ca6ddf80 c01b4450
[  250.840096] df7c  c01e0bec 00000000 ca6ddf44 ca6ddf54 cd6f9c80 001e8c50 00000000 0001dddd
[  250.841363] df9c  00000000 00000000 ca6ddfb0 c0109288 c018b18c 00000000 00000000 00000000
[  250.842630] dfbc  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  250.843897] dfdc  00000000 00000000 00000000 00000000 00000000 00000013 00000000 00000000
[  250.845163]
[  250.845163] R0: 0xca4c7000:
[  250.845737] 7000  ca4c6ffc c0d6d5f0 00000000 00000000 00000000 00000000 00000000 00000000
[  250.847009] 7020  00000020 00000000 0000c350 0000c350 ffffffff 00000000 00000000 00000000
[  250.848275] 7040  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  250.849542] 7060  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  250.850805] 7080  00000000 ca6de000 00000002 04208060 00000000 00000000 00000001 c960d780
[  250.852075] 70a0  0000007e 00000000 00000000 00000001 00000078 00000078 00000078 00000000
[  250.853341] 70c0  c0e0a838 00000000 00000400 00400000 00000001 00000000 00000000 cd6fa170
[  250.854612] 70e0  cd6fa170 00000001 6390fe19 0000003a 9b60ba39 00000000 1eee0065 00000035
[  250.855880]
[  250.855880] R3: 0xc13049fc:
[  250.856455] 49fc  000009c4 00000019 00000000 0003d983 00001980 00001980 01ffffff 00000000
[  250.857725] 4a1c  00000001 00000001 00000001 00000001 00000001 00018000 00000064 00000000
[  250.858987] 4a3c  cdfff400 0000000d cdfff3c0 00000001 0000d000 0000000f cdfff340 00000044
[  250.860253] 4a5c  cdfff900 cdfff440 00000001 00001000 00000002 00000000 00000001 cd6f5000
[  250.861520] 4a7c  0c415000 0c422000 00000000 00000000 00000001 00019600 00000002 0001df37
[  250.862786] 4a9c  00010000 0004ffff 00007a4a 00002000 00000001 0000fffa 00000000 00000000
[  250.864049] 4abc  00000032 00000001 ca001e00 ca25f910 00000000 00000000 ca001a00 cd671000
[  250.865320] 4adc  00000011 ca001380 ca001b80 0001ffff 00000064 00000010 0000ffff ca001300
[  250.866590]
[  250.866590] R5: 0xc1304b84:
[  250.867164] 4b84  00000000 ca001400 00000001 c10d4240 00000000 00000004 c10d424c 00000000
[  250.868433] 4ba4  00000010 c10d4258 ca001e00 00000040 c10d4264 ca1bd100 00000080 c10d4270
[  250.869700] 4bc4  ca1bd180 00000100 c10d427c ca1bd200 00000100 00000000 0000003f 00000fff
[  250.870966] 4be4  0003ffff 00ffffff 3fffffff ffffffff 00000002 00000000 00000000 00000020
[  250.872237] 4c04  e6800000 f4a00100 00000000 00000000 00000000 00000000 00000000 00000000
[  250.873501] 4c24  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  250.874762] 4c44  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  250.876029] 4c64  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  250.877295]
[  250.877295] R6: 0xca6df4f8:
[  250.877870] f4f8  cd6fa0d8 00000000 638e9784 c01bad3c ca4c70c8 cd6f9c80 0c415000 c12e2d10
[  250.879136] f518  00000000 00000000 00000000 00000000 0c415000 c12e2d10 00000000 00000000
[  250.880400] f538  ca6df578 00000000 00000000 0000001f ca6df574 ca6df558 c01015e4 c01f74e0
[  250.881664] f558  c01a1ec0 800e0013 ffffffff ca6df5ac ca6df5ec ca6df578 c0114580 c01015a0
[  250.882928] f578  00000001 c109b7e6 00000002 00000001 c0d6d5f0 ca277010 ca277238 ca6dfa7c
[  250.884191] f598  00000002 00000000 ca277010 ca6df5ec ca6df5f0 ca6df5c0 c0d76d20 c01a1ec0
[  250.885462] f5b8  800e0013 ffffffff 00000004 00000001 c1319c40 00000000 00000000 00000000
[  250.886724] f5d8  00000000 00000000 ca6df624 ca6df5f0 c0d76d20 c01a1db8 c01c1450 cd6f9c40
[  250.888002]
[  250.888002] R10: 0xca276f90:
[  250.888585] 6f90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  250.889857] 6fb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  250.891121] 6fd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  250.892388] 6ff0  00000000 00000000 00000000 00000000 ca28d4c0 ca28d400 c0690e64 00000000
[  250.893655] 7010  00000000 00000000 c13760e4 00000000 12b912b9 00000000 00000000 ca4c7080
[  250.894923] 7030  00000064 00000003 ca21c210 ca28ca00 ca28d600 ca28282c ca275c6c ca21c218
[  250.896188] 7050  ca14b840 c135fc08 ca28bf50 0000000f 00000007 00000000 c13754f4 00000001
[  250.897454] 7070  00000000 ca277074 ca277074 00000000 00000000 c137550c 00000000 00000000
[  250.898730] Process ci_otg (pid: 87, stack limit = 0xca6dc210)
[  250.899502] Stack: (0xca6ddf18 to 0xca6de000)
[  250.900092] df00:                                                       0001dddd 00000000
[  250.901164] df20: ca6ddfac ca4c7080 c018b3d0 cd6f9c80 0001dddd 00000000 c13179e8 c13179e8
[  250.902237] df40: c131a1b8 c131a1b8 00000000 00000001 ca4c7080 ca4c7080 ca4c7080 ca6ddf5c
[  250.903310] df60: c12e0348 00000000 1eee0065 c13179e8 ca6de074 ca6ddf80 c01b4450 c01e0bec
[  250.904383] df80: 00000000 ca6ddf44 ca6ddf54 cd6f9c80 001e8c50 00000000 0001dddd 00000000
[  250.905453] dfa0: 00000000 ca6ddfb0 c0109288 c018b18c 00000000 00000000 00000000 00000000
[  250.906522] dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  250.907591] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[  250.908647] Backtrace:
[  250.909045] [<c01e0be0>] (cpuacct_charge) from [<c01b4450>] (update_curr+0x4b8/0x5a0)
[  250.910088] [<c01b3f98>] (update_curr) from [<c01b78d0>] (enqueue_entity+0x6c/0x1a70)
[  250.911131] [<c01b7864>] (enqueue_entity) from [<c01bc31c>] (enqueue_task_fair+0x6c/0x13f4)
[  250.912214]  r9:00000000 r8:00000002 r7:00000001 r6:ca6df578 r5:c1304c04 r4:00000000
[  250.913371] [<c01bc2b0>] (enqueue_task_fair) from [<c019b9fc>] (enqueue_task+0xa8/0xb0)
[  250.914410]  r9:00000000 r8:00000002 r7:00000001 r6:ca6df578 r5:c1304c04 r4:00000000
[  250.915564] [<c019b954>] (enqueue_task) from [<c019bbc8>] (activate_task+0x70/0x78)
[  250.916580] [<c019bb58>] (activate_task) from [<c019df1c>] (ttwu_activate+0x34/0x78)
[  250.917607] [<c019dee8>] (ttwu_activate) from [<c019e320>] (ttwu_do_activate+0x60/0x78)
[  250.918666] [<c019e2c0>] (ttwu_do_activate) from [<c019f2a4>] (ttwu_queue+0xc4/0xd8)
[  250.919693] [<c019f1e0>] (ttwu_queue) from [<c019f5d4>] (try_to_wake_up+0x31c/0x350)
[  250.920723] [<c019f2b8>] (try_to_wake_up) from [<c01a2120>] (default_wake_function+0x40/0x54)
[  250.921860] [<c01a20e0>] (default_wake_function) from [<c03615a0>] (pollwake+0x74/0x80)
[  250.922924] [<c036152c>] (pollwake) from [<c01d7110>] (__wake_up_common+0x84/0xfc)
[  250.923930] [<c01d708c>] (__wake_up_common) from [<c01d7344>] (__wake_up_sync_key+0xa8/0xd0)
[  250.925052] [<c01d729c>] (__wake_up_sync_key) from [<c0a536ec>] (sock_def_readable+0x118/0x1d4)
[  250.926203] [<c0a535d4>] (sock_def_readable) from [<c0a4b710>] (sock_queue_rcv_skb+0x950/0x968)
[  250.927361] [<c0a4adc0>] (sock_queue_rcv_skb) from [<c0bf8a6c>] (raw_rcv+0x3b4/0x3d0)
[  250.928407] [<c0bf86b8>] (raw_rcv) from [<c0bf5da8>] (can_rcv_filter+0x1f4/0x6e4)
[  250.929406] [<c0bf5bb4>] (can_rcv_filter) from [<c0bf63c0>] (can_receive+0x128/0x190)
[  250.930448] [<c0bf6298>] (can_receive) from [<c0bf65d8>] (can_rcv+0x1b0/0x1d0)
[  250.931389]  r4:c015635c
[  250.931805] [<c0bf6428>] (can_rcv) from [<c0a80c44>] (__netif_receive_skb_core+0x15c8/0x1660)
[  250.932943] [<c0a7f67c>] (__netif_receive_skb_core) from [<c0a80e4c>] (__netif_receive_skb+0x170/0x184)
[  250.934189] [<c0a80cdc>] (__netif_receive_skb) from [<c0a83578>] (process_backlog+0x88/0x354)
[  250.935317] [<c0a834f0>] (process_backlog) from [<c0a845a0>] (napi_poll+0x10c/0x5c8)
[  250.936339] [<c0a84494>] (napi_poll) from [<c0a84c54>] (net_rx_action+0x1f8/0x510)
[  250.937346] [<c0a84a5c>] (net_rx_action) from [<c0155acc>] (__do_softirq+0x3f0/0x99c)
[  250.938386] [<c01556dc>] (__do_softirq) from [<c015635c>] (irq_exit+0x178/0x27c)
[  250.939350]  r4:f4a00100
[  250.939758] [<c01561e4>] (irq_exit) from [<c01f7670>] (__handle_domain_irq+0x19c/0x250)
[  250.940823] [<c01f74d4>] (__handle_domain_irq) from [<c01015e4>] (gic_handle_irq+0x50/0x74)
[  250.941926] [<c0101594>] (gic_handle_irq) from [<c0114580>] (__irq_svc+0x40/0x74)
[  250.942902] Exception stack(0xca6df578 to 0xca6df5c0)

///

The faulting instruction is inside __rcu_read_lock() (inlined into cpuacct_charge, which is where the oops reports PC),

apparently because the task pointer it dereferences is bogus (r4 is 0 in the register dump; the faulting address 3ce84c10 is not a valid kernel address).

Normally sock_def_readable() runs in process context (e.g. from a writev/sendmsg syscall on the sending side),

but with a socket(PF_CAN, SOCK_RAW, CAN_RAW) socket the receive path runs from IRQ exit / the network softirq (see the backtrace: __irq_svc → gic_handle_irq → irq_exit → __do_softirq → net_rx_action → can_rcv → raw_rcv → sock_queue_rcv_skb → sock_def_readable), which wakes the task blocked in recvmsg()/read()/poll() — see my attachment.

fatalfeel
Contributor V

The fix I applied consists of three changes. Note that change 1 only masks the symptom: a NULL (or any unmapped) user pointer should already be caught by the exception-table fixup of __copy_from_user, which zero-fills the destination and reports the bytes as not copied. If change 2 (assembling the fixup code into .text.fixup, which appears to be the section name this 4.1 kernel's linker script uses) is what actually stops the oops, change 1 is redundant. Until the fixup path works, any process that can hand a bad pointer to a copy_from_user() path — here ioctl(sockfd, ASHMEM_GET_SIZE, NULL) — can crash the kernel, a local denial of service that is not specific to SocketCAN.

1.
~myandroid/kernel_imx/arch/arm/include/asm/uaccess.h

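/*
 * copy_from_user - copy n bytes from user space [from] into kernel buffer [to].
 *
 * Returns the number of bytes that could NOT be copied (0 on success), as the
 * kernel contract requires.  Whenever the copy is refused or aborted, the
 * destination is zero-filled so that a caller which ignores the return value
 * never sees uninitialised kernel memory.
 *
 * NOTE(review): the explicit NULL check below is the workaround added for the
 * ioctl(sockfd, ASHMEM_GET_SIZE, NULL) crash discussed in this thread.  A NULL
 * user pointer is normally caught by the __copy_from_user fault fixup (which
 * also zero-fills the remainder via __memzero); if the .text.fixup section
 * rename in change 2 is what really stops the crash, this check is redundant.
 */
static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
{
    if (access_ok(VERIFY_READ, from, n))
    {
        /*** begin: issue #: avoid arg crash in copy_from_user ***/
        if (from)
        {
            n = __copy_from_user(to, from, n);
        }
        else
        {
            /* Skipped copy: keep the same contract as the fault fixup -
             * zero the destination and report every byte as uncopied,
             * instead of leaving [to] uninitialised. */
            memset(to, 0, n);
        }
        /*** end: issue #: avoid arg crash in copy_from_user ***/
    }
    else /* range not accessible: zero-fill so nothing leaks, report n uncopied */
    {
        memset(to, 0, n);
    }

    return n;
}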

2.

~myandroid/kernel_imx/arch/arm/lib/copy_from_user.S
ENDPROC(__copy_from_user)
    /*** begin: issue #5404: socket can ***/
    @ Fault handler for every user-space load inside __copy_from_user.
    @ The __ex_table entries emitted by usracc (assembler.h) point here;
    @ the fixup code must live in the section the kernel linker script
    @ places into kernel text, which is why ".fixup" became ".text.fixup"
    @ (presumably the name this 4.1 kernel expects - verify in vmlinux.lds).
    /*.pushsection .fixup,"ax"*/
    .pushsection .text.fixup,"ax"
    /*** end: issue #5404 ***/
    .align 0
    copy_abort_preamble
    @ r1, r2 = the two values pushed at entry (presumably original dest and
    @ byte count - confirm in copy_template.S).
    ldmfd    sp!, {r1, r2}
    @ r3 = bytes copied so far (current dest - original dest)
    sub    r3, r0, r1
    @ r1 = count - copied = bytes still uncopied
    rsb    r1, r3, r2
    @ keep the remainder; it becomes the return value
    str    r1, [sp]
    @ __memzero(r0 = current dest, r1 = remainder): never hand back
    @ uninitialised kernel memory for the part that was not copied
    bl    __memzero
    @ return the number of bytes NOT copied
    ldr    r0, [sp], #4
    copy_abort_end
    .popsection

3.

~myandroid/kernel_imx/drivers/scsi/mac_scsi.c

replace every occurrence of the `.fixup` section name in that file with

`.text.fixup`

(check first whether this file is part of your build at all; if it is not, this step changes nothing).

fatalfeel
Contributor V

// A dup()'d socketpair fd arrives here as a BINDER_TYPE_FD object; ashmem_get_size_region()
// then issues ioctl(fd, ASHMEM_GET_SIZE /* 0x7704 */, NULL) on that socket, which crashes the kernel.

case BINDER_TYPE_FD:
{
    if (outAshmemSize != NULL)
    {
        if (obj.cookie != 0)
        {
            int size = ashmem_get_size_region(obj.handle); //here crash
            if (size > 0)
            {
                *outAshmemSize -= size;
            }
            else
            {
                ALOGE("release_object: sock= 0x%x", obj.handle);
            }


            close(obj.handle);
        }
    }
    return;
}

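/*
 * ashmem_get_size_region - size in bytes of the ashmem region behind fd.
 *
 * Returns the region size, or -1 with errno set on failure.
 *
 * ASHMEM_GET_SIZE only makes sense on a descriptor obtained from
 * open(ASHMEM_DEVICE).  This thread shows what happens otherwise: a dup()'d
 * socketpair() fd reaches here through Parcel's BINDER_TYPE_FD release path,
 * and ioctl(sockfd, 0x7704, NULL) lands in sock_ioctl() with a NULL argument.
 * So refuse anything that is not a character device before touching the
 * kernel.  (A complete check would also compare st_rdev with the rdev of
 * /dev/ashmem; that is left out here because it needs the device node.)
 */
int ashmem_get_size_region(int fd)
{
  struct stat st;

  if (fstat(fd, &st) < 0)
    return -1;                 /* errno from fstat (EBADF for a closed fd) */

  if (!S_ISCHR(st.st_mode)) {
    errno = ENOTTY;            /* inappropriate ioctl for this descriptor */
    return -1;
  }

  return ioctl(fd, ASHMEM_GET_SIZE, NULL);
}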

d0.pngd1.pngd2.pngd3.pngd4.png

fatalfeel
Contributor V
fatalfeel
Contributor V

myandroid/frameworks/native/libs/binder/Parcel.cpp
status_t Parcel::writeDupFileDescriptor(int fd)
{
    int dupFd = dup(fd); //call dup.S
    ...
}

//~myandroid/bionic/libc/arch-arm/syscalls/dup.S
ENTRY(dup)
    @ bionic syscall stub for dup(2): r0 = fd in, r0 = new fd (or -1 with errno) out
    mov        ip, r7            /*ip=r12*/      @ preserve r7 (callee-saved) while it carries the syscall number
    ldr        r7, =__NR_dup     /*__NR_dup=41*/ @ r7 = syscall number
    swi        #0                                @ enter the kernel; sys_dup's result comes back in r0
    mov         r7, ip                           @ restore r7
    cmn        r0, #(MAX_ERRNO + 1)              @ unsigned compare of r0 against -(MAX_ERRNO+1): is r0 in [-MAX_ERRNO, -1]?
    bxls        lr                               @ no: r0 is a valid fd, return it
    neg         r0, r0                           @ yes: r0 = positive errno value
    b           __set_errno_internal             @ tail call; its return value becomes dup()'s (see the decompiled C below)
END(dup)

//disassembly to c
// Decompiler rendering of the dup.S above (not real source).  "__fastcall"
// only means the argument arrives in r0 and the result is returned in r0.
unsigned int __fastcall dup(unsigned int a1)
{
  unsigned int result;        //result use r0  -- raw kernel return value, still in r0

  result = sys_dup(a1);    //__NR_dup=sys_dup
  // Kernel errors are returned as -errno in [-MAX_ERRNO, -1]; with
  // MAX_ERRNO = 4095 that is any unsigned value above 0xFFFFF000
  // (this is the "cmn r0, #(MAX_ERRNO + 1)" test in the assembly).
  if ( result > 0xFFFFF000 )
    result = _set_errno_internal(-result);

  return result;
}

//~myandroid/kernel_imx/fs/file.c
/*
 * dup(2): allocate an unused descriptor in the caller's fd table and make it
 * refer to the same struct file as fildes.
 *
 * Returns the new descriptor, -EBADF if fildes is not open (fget_raw fails),
 * or the negative error from get_unused_fd_flags when no descriptor is free.
 */
SYSCALL_DEFINE1(dup, unsigned int, fildes)
{
    struct file *file = fget_raw(fildes);   /* takes a reference on the file */
    int newfd;

    if (!file)
        return -EBADF;

    newfd = get_unused_fd_flags(0);         /* reserve a free descriptor number */
    if (newfd < 0)
    {
        fput(file);                         /* nothing to install: drop the reference */
        return newfd;
    }

    fd_install(newfd, file);                /* the reference now belongs to the fd table */
    return newfd;
}

sys_dup does three things:

1. looks up the struct [file] for fildes (fget_raw);
2. reserves an unused descriptor number in [ret] (get_unused_fd_flags);
3. links [ret] to that [file] (fd_install).

fatalfeel
Contributor V

The [fd] passed to int ashmem_get_size_region(int fd)

is expected to come from fd = open(ASHMEM_DEVICE, O_RDWR).

If instead the [fd] passed to int ashmem_get_size_region(int fd)

comes from socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sockets) // sockets[0], sockets[1]

then the call int size = ashmem_get_size_region(obj.handle); that release_object() makes when it meets a BINDER_TYPE_FD object is issuing an ashmem ioctl on a socket, which is wrong.

fatalfeel
Contributor V

// The Android [binder] bug as it appears in the system_server process:

// a socketpair fd must not be passed to ashmem_get_size_region(), which issues an ioctl with arg = NULL on it.

InputTransport.h
inline int getFd() const { return mFd; }   // raw socketpair() descriptor held by this channel; this is what gets dup()'d into the parcel

InputTransport.cpp
// Wraps one end of the socketpair created by openInputChannelPair() and
// switches the descriptor to non-blocking mode.  Failure to do so is fatal.
InputChannel::InputChannel(const String8& name, int fd)
    : mName(name), mFd(fd)
{
#if DEBUG_CHANNEL_LIFECYCLE
    ALOGD("Input channel constructed: name='%s', fd=%d",
            mName.string(), fd);
#endif

    // NOTE(review): F_SETFL replaces the whole status-flag set with
    // O_NONBLOCK; any other flag previously set on the fd is cleared.
    const int rc = fcntl(mFd, F_SETFL, O_NONBLOCK);
    LOG_ALWAYS_FATAL_IF(rc != 0, "channel '%s' ~ Could not make socket "
            "non-blocking.  errno=%d", mName.string(), errno);
}

// Creates a connected pair of AF_UNIX SOCK_SEQPACKET sockets and wraps them as
// the server and client InputChannel.  Both ends get SOCKET_BUFFER_SIZE
// send/receive buffers.  Returns OK, or -errno (with both outputs cleared)
// when socketpair() fails.
status_t InputChannel::openInputChannelPair(    const String8& name,
                                                sp<InputChannel>& outServerChannel,
                                                sp<InputChannel>& outClientChannel)
{
    int fds[2];
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds) != 0)
    {
        const status_t failure = -errno;
        ALOGE("channel '%s' ~ Could not create socket pair.  errno=%d", name.string(), errno);
        outServerChannel.clear();
        outClientChannel.clear();
        return failure;
    }

    // NOTE(review): as in the original, the setsockopt() results are not checked.
    int bufferSize = SOCKET_BUFFER_SIZE;
    for (int i = 0; i < 2; ++i)
    {
        setsockopt(fds[i], SOL_SOCKET, SO_SNDBUF, &bufferSize, sizeof(bufferSize));
        setsockopt(fds[i], SOL_SOCKET, SO_RCVBUF, &bufferSize, sizeof(bufferSize));
    }

    // fds[0] becomes the server end, fds[1] the client end.  These are plain
    // socket descriptors, not ashmem ones - see the ashmem_get_size_region()
    // discussion in this thread.
    String8 serverName(name);
    serverName.append(" (server)");
    outServerChannel = new InputChannel(serverName, fds[0]);

    String8 clientName(name);
    clientName.append(" (client)");
    outClientChannel = new InputChannel(clientName, fds[1]);
    return OK;
}

android_view_InputChannel.cpp
// JNI: serialises an InputChannel into a Parcel.  Layout written:
//   int32 1, String8 name, owned fd   - when a native channel exists
//   int32 0                           - otherwise
// Nothing is written when the Parcel cannot be resolved.
static void android_view_InputChannel_nativeWriteToParcel(JNIEnv* env, jobject obj, jobject parcelObj)
{
    Parcel* parcel = parcelForJavaObject(env, parcelObj);
    if (!parcel)
        return;

    NativeInputChannel* native = android_view_InputChannel_getNativeInputChannel(env, obj);
    if (!native)
    {
        parcel->writeInt32(0);     // "no channel" marker
        return;
    }

    sp<InputChannel> channel = native->getInputChannel();
    parcel->writeInt32(1);         // "channel present" marker
    parcel->writeString8(channel->getName());
    // A dup() of the socketpair fd goes into the parcel as a parcel-owned
    // BINDER_TYPE_FD object (see writeDupFileDescriptor below).
    parcel->writeDupFileDescriptor(channel->getFd());
}

Parcel.cpp
// Appends fd to the parcel as a BINDER_TYPE_FD object.  With takeOwnership
// the cookie is set to 1, marking the descriptor as parcel-owned: when the
// parcel is released, release_object() will call ashmem_get_size_region()
// on it and close() it, whatever kind of descriptor it actually is.
status_t Parcel::writeFileDescriptor(int fd, bool takeOwnership)
{
    flat_binder_object obj;
    obj.type = BINDER_TYPE_FD;
    obj.flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;   // same flags as AOSP; meaning of 0x7f not shown here
    obj.binder = 0;                                     // set before .handle, which overwrites it below
    obj.handle = fd;                                    // the descriptor travels in .handle
    obj.cookie = 0;
    if (takeOwnership)
        obj.cookie = 1;                                 // non-zero cookie == "parcel owns this fd"

    return writeObject(obj, true);
}

// Writes a private duplicate of fd into the parcel.  The caller keeps its own
// descriptor; the parcel owns (and later closes) the duplicate.  Returns 0 on
// success, -errno if dup() fails, or the writeFileDescriptor() error, in
// which case the duplicate is closed again so nothing leaks.
status_t Parcel::writeDupFileDescriptor(int fd)
{
    const int ownedFd = dup(fd);
    if (ownedFd < 0)
        return -errno;

    // takeOwnership = true: the parcel, not the caller, is responsible for ownedFd.
    const status_t status = writeFileDescriptor(ownedFd, true);
    if (status != 0)
        close(ownedFd);   // write failed: nobody else will release it

    return status;
}
static void release_object(const sp<ProcessState>& proc,
                                                 const flat_binder_object& obj,
                                                 const void* who,
                                                 size_t* outAshmemSize)
{
...
...

        case BINDER_TYPE_FD:
        {
            if (outAshmemSize != NULL)
            {
                if (obj.cookie != 0)
                {
                    int size = ashmem_get_size_region(obj.handle); //here
                    if (size > 0)
                    {
                        *outAshmemSize -= size;
                    }

                    close(obj.handle);
                }
            }
            return;
        }
}

ashmem-dev.c
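/*
 * ashmem_get_size_region - size in bytes of the ashmem region behind fd.
 *
 * Returns the region size, or -1 with errno set on failure.
 *
 * ASHMEM_GET_SIZE only makes sense on a descriptor obtained from
 * open(ASHMEM_DEVICE).  This thread shows what happens otherwise: a dup()'d
 * socketpair() fd reaches here through Parcel's BINDER_TYPE_FD release path,
 * and ioctl(sockfd, 0x7704, NULL) lands in sock_ioctl() with a NULL argument.
 * So refuse anything that is not a character device before touching the
 * kernel.  (A complete check would also compare st_rdev with the rdev of
 * /dev/ashmem; that is left out here because it needs the device node.)
 */
int ashmem_get_size_region(int fd)
{
  struct stat st;

  if (fstat(fd, &st) < 0)
    return -1;                 /* errno from fstat (EBADF for a closed fd) */

  if (!S_ISCHR(st.st_mode)) {
    errno = ENOTTY;            /* inappropriate ioctl for this descriptor */
    return -1;
  }

  return ioctl(fd, ASHMEM_GET_SIZE, NULL);
}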

fatalfeel
Contributor V

How Android creates the fd and ends up calling ioctl() on it with arg = 0:

k1.pngk2.pngk3.pnga1.png

a2.png

fatalfeel
Contributor V

Android opens the socket via socketpair() → kernel __sock_create(AF_UNIX, SOCK_SEQPACKET, 0),

and later uses that same fd for the ashmem ioctl with arg = 0; that is what crashes.
socketopen.png

fatalfeel
Contributor V

Android issues the ioctl with arg = NULL on the wrong kind of fd:
ashmem_get_size_region() calls ioctl(int fd, int request, ...)
~myandroid/bionic/libc/bionic/ioctl.c

The request should be served by the ashmem driver's ioctl handler (the poster points at sync_fence_ioctl in
~myandroid/kernel_imx/drivers/staging/android/sync.c — verify against your tree),

but because the fd is a socket it is dispatched to sock_ioctl() instead
~myandroid/kernel_imx/net/socket.c

k1.pngk2.pnga3.png

~myandroid/frameworks/native/libs/binder/Parcel.cpp

Line 178:

int size = ashmem_get_size_region(obj.handle);

case BINDER_TYPE_FD: {
            if (outAshmemSize != NULL) {
                if (obj.cookie != 0) {
                    int size = ashmem_get_size_region(obj.handle);  //->here
                    if (size > 0) {
                        *outAshmemSize -= size;
                    }

                    close(obj.handle);
                }
            }
            return;
        }

fatalfeel
Contributor V

system_server issues ioctl(fd, 0x7704 /* ASHMEM_GET_SIZE */, NULL) on a socket fd,

and the kernel crashes (screenshots below):

tgid.png

system_server.png

fatalfeel
Contributor V

Response from a Linux kernel developer (screenshot):

linux.PNG

fatalfeel
Contributor V

The fix I applied consists of three changes. Note that change 1 only masks the symptom: a NULL (or any unmapped) user pointer should already be caught by the exception-table fixup of __copy_from_user, which zero-fills the destination and reports the bytes as not copied. If change 2 (assembling the fixup code into .text.fixup, which appears to be the section name this 4.1 kernel's linker script uses) is what actually stops the oops, change 1 is redundant. Until the fixup path works, any process that can hand a bad pointer to a copy_from_user() path can crash the kernel — a local denial of service not specific to SocketCAN.

1.
~myandroid/kernel_imx/arch/arm/include/asm/uaccess.h

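/*
 * copy_from_user - copy n bytes from user space [from] into kernel buffer [to].
 *
 * Returns the number of bytes that could NOT be copied (0 on success), as the
 * kernel contract requires.  Whenever the copy is refused or aborted, the
 * destination is zero-filled so that a caller which ignores the return value
 * never sees uninitialised kernel memory.
 *
 * NOTE(review): the explicit NULL check below is the workaround added for the
 * ioctl(sockfd, ASHMEM_GET_SIZE, NULL) crash discussed in this thread.  A NULL
 * user pointer is normally caught by the __copy_from_user fault fixup (which
 * also zero-fills the remainder via __memzero); if the .text.fixup section
 * rename in change 2 is what really stops the crash, this check is redundant.
 */
static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
{
    if (access_ok(VERIFY_READ, from, n))
    {
        /*** begin: issue #: avoid arg crash in copy_from_user ***/
        if (from)
        {
            n = __copy_from_user(to, from, n);
        }
        else
        {
            /* Skipped copy: keep the same contract as the fault fixup -
             * zero the destination and report every byte as uncopied,
             * instead of leaving [to] uninitialised. */
            memset(to, 0, n);
        }
        /*** end: issue #: avoid arg crash in copy_from_user ***/
    }
    else /* range not accessible: zero-fill so nothing leaks, report n uncopied */
    {
        memset(to, 0, n);
    }

    return n;
}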

2.

~myandroid/kernel_imx/arch/arm/lib/copy_from_user.S
ENDPROC(__copy_from_user)
    /*** begin: issue #5404: socket can ***/
    @ Fault handler for every user-space load inside __copy_from_user.
    @ The __ex_table entries emitted by usracc (assembler.h) point here;
    @ the fixup code must live in the section the kernel linker script
    @ places into kernel text, which is why ".fixup" became ".text.fixup"
    @ (presumably the name this 4.1 kernel expects - verify in vmlinux.lds).
    /*.pushsection .fixup,"ax"*/
    .pushsection .text.fixup,"ax"
    /*** end: issue #5404 ***/
    .align 0
    copy_abort_preamble
    @ r1, r2 = the two values pushed at entry (presumably original dest and
    @ byte count - confirm in copy_template.S).
    ldmfd    sp!, {r1, r2}
    @ r3 = bytes copied so far (current dest - original dest)
    sub    r3, r0, r1
    @ r1 = count - copied = bytes still uncopied
    rsb    r1, r3, r2
    @ keep the remainder; it becomes the return value
    str    r1, [sp]
    @ __memzero(r0 = current dest, r1 = remainder): never hand back
    @ uninitialised kernel memory for the part that was not copied
    bl    __memzero
    @ return the number of bytes NOT copied
    ldr    r0, [sp], #4
    copy_abort_end
    .popsection

3.

~myandroid/kernel_imx/drivers/scsi/mac_scsi.c

replace every occurrence of the `.fixup` section name in that file with

`.text.fixup`

(check first whether this file is part of your build at all; if it is not, this step changes nothing).

fatalfeel
Contributor V

// How the __ex_table entries that point into .text.fixup are generated

.config
#CONFIG_THUMB2_KERNEL is not set

//get [usracc] define
~myandroid/kernel_imx/arch/arm/include/asm/assembler.h
.macro    usracc, instr, reg, ptr, inc, cond, rept, abort, t=TUSER()
    @ Emits \rept user-space accesses of the form
    @   "\instr\cond[b]\t \reg, [\ptr], #\inc"   (post-increment by 1 or 4)
    @ and, for each one, an __ex_table entry pairing the instruction's
    @ address with the \abort label.  When such an access faults, the
    @ kernel's exception handler looks the PC up in __ex_table and resumes
    @ at \abort instead of oopsing.  \t is the user-access suffix (TUSER(),
    @ presumably "t", giving ldrt/ldrbt - confirm in assembler.h).
    .rept    \rept
9999:
    .if    \inc == 1
    @ byte access
    \instr\cond\()b\()\t \reg, [\ptr], #\inc
    .elseif    \inc == 4
    @ word access
    \instr\cond\()\t \reg, [\ptr], #\inc
    .else
    .error    "Unsupported inc macro argument"
    .endif

    @ one { faulting-insn address, fixup address } pair per access
    .pushsection __ex_table,"a"
    .align    3
    .long    9999b, \abort
    .popsection
    .endr
    .endm

In GNU as local-label syntax, `Nf` refers to the next definition of numeric label N (forward) and `Nb` to the most recent one (backward).
So `.long 9999b, \abort` stores the address of the `9999:` instruction just emitted, paired with the fixup address:
9999b ->
9999:


///get [ldrusr] define
~myandroid/kernel_imx/arch/arm/include/asm/assembler.h
    .macro    ldrusr, reg, ptr, inc, cond=al, rept=1, abort=9001f
    @ User-space load: forwards to usracc with instr=ldr, so each load gets
    @ the user-access suffix and its own __ex_table entry.  abort= is the
    @ label to resume at when the load faults (default 9001f).
    usracc    ldr, \reg, \ptr, \inc, \cond, \rept, \abort
    .endm


The 'abort' argument is the fixup target recorded in __ex_table for each user access.

///get [ldr8w] define
~myandroid/kernel_imx/arch/arm/lib/copy_from_user.S
    .macro ldr8w ptr reg1 reg2 reg3 reg4 reg5 reg6 reg7 reg8 abort
    @ Eight consecutive user-space word loads from [\ptr] (post-incremented
    @ by 4 each), all sharing the same fixup label \abort.
    ldr4w \ptr, \reg1, \reg2, \reg3, \reg4, \abort
    ldr4w \ptr, \reg5, \reg6, \reg7, \reg8, \abort
    .endm

    .macro ldr4w ptr reg1 reg2 reg3 reg4 abort
    @ Four user-space word loads, each with its own __ex_table entry.
    ldr1w \ptr, \reg1, \abort
    ldr1w \ptr, \reg2, \abort
    ldr1w \ptr, \reg3, \abort
    ldr1w \ptr, \reg4, \abort
    .endm

    .macro ldr1w ptr reg abort
    @ One user-space word load: ldrusr -> usracc with inc=4, i.e. the
    @ instruction "ldr<t> \reg, [\ptr], #4" plus an __ex_table entry
    @ { its address, \abort }.
    ldrusr    \reg, \ptr, 4, abort=\abort
    .endm

The 'abort' argument is the fixup target recorded in __ex_table for each user access.


///get [copy_abort_preamble]
19:    ldmfd    sp!, {r5 - r9}
    b    21f
20:    ldmfd    sp!, {r5 - r8}
21:

//get [copy_abort_end]
ldmfd    sp!, {r4, pc}

///
~myandroid/kernel_imx/arch/arm/lib/copy_template.S
ldr8w    r1, r3, r4, r5, r6, r7, r8, ip, lr, abort=20f

ldr8w expands to these eight loads (each one gets its own __ex_table entry):
c05d0034:   ldr r3, [r1], #4
c05d0038:   ldr r4, [r1], #4
c05d003c:   ldr r5, [r1], #4
c05d0040:   ldr r6, [r1], #4
c05d0044:   ldr r7, [r1], #4
c05d0048:   ldr r8, [r1], #4
c05d004c:   ldr r12, [r1], #4
c05d0050:   ldr lr, [r1], #4

`Nf` = forward reference to the next numeric label N, `Nb` = backward reference to the previous one.
Here abort = 20f, i.e. the forward reference to the `20:` label inside copy_abort_preamble in the fixup section,
so each of the eight loads above gets an __ex_table entry whose fixup address is label 20.

///
~myandroid/kernel_imx/arch/arm/lib/copy_from_user.S
ENTRY(__copy_from_user)
 @ the copy loop itself (user loads via ldr1w/ldr4w/ldr8w, abort=20f)
 #include "copy_template.S"
ENDPROC(__copy_from_user)

    @ Fault handler reached through __ex_table when a user load faults.
    @ It must be assembled into the section the kernel linker script keeps
    @ in kernel text (".text.fixup" on this kernel, per this thread's fix).
    .pushsection .text.fixup,"ax"
    .align 0
    copy_abort_preamble
    @ r1, r2 = the two values pushed at entry (presumably original dest and
    @ byte count - confirm in copy_template.S)
    ldmfd    sp!, {r1, r2}
    @ r3 = bytes copied so far
    sub    r3, r0, r1
    @ r1 = count - copied = bytes still uncopied
    rsb    r1, r3, r2
    @ keep the remainder for the return value
    str    r1, [sp]
    @ __memzero(r0 = current dest, r1 = remainder): zero what was not copied
    bl    __memzero
    @ return the number of bytes NOT copied
    ldr    r0, [sp], #4
    copy_abort_end
    .popsection

/// With the macros expanded, the .text.fixup section reads as follows:

    .pushsection .text.fixup,"ax"
    .align 0
    @ copy_abort_preamble: two entry points, chosen by the abort= label the
    @ faulting load used - 19: pops r5-r9, 20: pops r5-r8 (see the 20f above)
19:    ldmfd    sp!, {r5 - r9}
    b    21f
20:    ldmfd    sp!, {r5 - r8}
21:
    @ r1, r2 = the two values pushed at entry (presumably original dest and
    @ byte count - confirm in copy_template.S)
    ldmfd    sp!, {r1, r2}
    @ r3 = bytes copied so far; r1 = count - copied = bytes still uncopied
    sub    r3, r0, r1
    rsb    r1, r3, r2
    str    r1, [sp]
    @ zero the uncopied tail so no kernel memory leaks to the caller
    bl    __memzero
    @ r0 = number of bytes NOT copied (the return value)
    ldr    r0, [sp], #4

    @ copy_abort_end: restore r4 and return
    ldmfd    sp!, {r4, pc}

    .popsection

fatalfeel
Contributor V

// How to inspect the generated exception table: dump the __ex_table section of vmlinux.
// Each 8-byte entry is { faulting instruction address, fixup address } in little-endian, so e.g.
// "d03910c0 a874d4c0" below is instruction c01039d0 -> fixup c0d474a8.
// Background reading: https://www.ibm.com/developerworks/cn/linux/kernel/l-page/index.html

////
 
 /mnt/projects/marsh_mnt/myandroid/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.9/bin/arm-linux-androideabi-objdump --full-contents --section=__ex_table /mnt/projects/marsh_mnt/out/matrix_io/kernel/vmlinux
 c11ea000 d03910c0 a874d4c0 dc3910c0 b074d4c0  .9...t...9...t..
 c11ea010 e83910c0 b874d4c0 f43910c0 c074d4c0  .9...t...9...t..
 c11ea020 683a10c0 c874d4c0 743a10c0 d474d4c0  h:...t..t:...t..
 c11ea030 883a10c0 e074d4c0 943a10c0 ec74d4c0  .:...t...:...t..
 c11ea040 7c0911c0 f874d4c0 a80911c0 0075d4c0  |....t.......u..
 c11ea050 2c0a11c0 0875d4c0 580a11c0 1475d4c0  ,....u..X....u..
 c11ea060 4c0b11c0 2075d4c0 7c0b11c0 2c75d4c0  L... u..|...,u..
 c11ea070 ac0b11c0 3875d4c0 dc0b11c0 4475d4c0  ....8u......Du..
 c11ea080 0c0c11c0 5075d4c0 3c0c11c0 5c75d4c0  ....Pu..<...\u..
 c11ea090 6c0c11c0 6875d4c0 9c0c11c0 7475d4c0  l...hu......tu..
 c11ea0a0 cc0c11c0 8075d4c0 fc0c11c0 8c75d4c0  .....u.......u..
 c11ea0b0 2c0d11c0 9875d4c0 5c0d11c0 a475d4c0  ,....u..\....u..
 c11ea0c0 8c0d11c0 b075d4c0 bc0d11c0 bc75d4c0  .....u.......u..
 c11ea0d0 ec0d11c0 c875d4c0 1c0e11c0 d475d4c0  .....u.......u..
 c11ea0e0 4c0e11c0 e075d4c0 481211c0 ec75d4c0  L....u..H....u..
 c11ea0f0 781211c0 f475d4c0 a81211c0 fc75d4c0  x....u.......u..
 c11ea100 d81211c0 0476d4c0 081311c0 0c76d4c0  .....v.......v..
 c11ea110 381311c0 1476d4c0 681311c0 1c76d4c0  8....v..h....v..
 c11ea120 981311c0 2476d4c0 c81311c0 2c76d4c0  ....$v......,v..
 c11ea130 f81311c0 3476d4c0 281411c0 3c76d4c0  ....4v..(...<v..
 c11ea140 581411c0 4476d4c0 881411c0 4c76d4c0  X...Dv......Lv..
 c11ea150 b81411c0 5476d4c0 e81411c0 5c76d4c0  ....Tv......\v..
 c11ea160 181511c0 6476d4c0 481511c0 6c76d4c0  ....dv..H...lv..
 c11ea170 a01511c0 7476d4c0 f81511c0 7c76d4c0  ....tv......|v..
 c11ea180 501611c0 8476d4c0 801611c0 8c76d4c0  P....v.......v..
 c11ea190 081711c0 9476d4c0 741811c0 9c76d4c0  .....v..t....v..
 c11ea1a0 c41811c0 a476d4c0 741c11c0 ac76d4c0  .....v..t....v..
 c11ea1b0 a01f11c0 b476d4c0 cc1f11c0 bc76d4c0  .....v.......v..
 c11ea1c0 f03211c0 c476d4c0 043511c0 d076d4c0  .2...v...5...v..
 c11ea1d0 1c3511c0 dc76d4c0 7c3511c0 e876d4c0  .5...v..|5...v..
 c11ea1e0 d45011c0 f476d4c0 e45011c0 f476d4c0  .P...v...P...v..
 c11ea1f0 f05011c0 f476d4c0 44f012c0 fc76d4c0  .P...v..D....v..
 c11ea200 64f012c0 0477d4c0 f8f012c0 0c77d4c0  d....w.......w..
 c11ea210 00f112c0 0c77d4c0 40f112c0 1477d4c0  .....w..@....w..
 c11ea220 60f112c0 1c77d4c0 f4f112c0 2477d4c0  `....w......$w..
 c11ea230 fcf112c0 2477d4c0 54f312c0 2c77d4c0  ....$w..T...,w..
 c11ea240 74f312c0 3477d4c0 a0f312c0 3c77d4c0  t...4w......<w..
 c11ea250 ccf312c0 4477d4c0 2cf412c0 4c77d4c0  ....Dw..,...Lw..
 c11ea260 4cf412c0 5477d4c0 78f412c0 5c77d4c0  L...Tw..x...\w..
 c11ea270 a4f412c0 6477d4c0 18f512c0 6c77d4c0  ....dw......lw..
 c11ea280 20f512c0 6c77d4c0 28f512c0 6c77d4c0   ...lw..(...lw..
 c11ea290 30f512c0 6c77d4c0 80f512c0 7477d4c0  0...lw......tw..
 c11ea2a0 88f512c0 7477d4c0 90f512c0 7477d4c0  ....tw......tw..
 c11ea2b0 98f512c0 7477d4c0 d8f512c0 7c77d4c0  ....tw......|w..
 c11ea2c0 f8f512c0 8477d4c0 24f612c0 8c77d4c0  .....w..$....w..
 c11ea2d0 50f612c0 9477d4c0 b0f612c0 9c77d4c0  P....w.......w..
 c11ea2e0 d0f612c0 a477d4c0 fcf612c0 ac77d4c0  .....w.......w..
 c11ea2f0 28f712c0 b477d4c0 9cf712c0 bc77d4c0  (....w.......w..
 c11ea300 a4f712c0 bc77d4c0 acf712c0 bc77d4c0  .....w.......w..
 c11ea310 b4f712c0 bc77d4c0 04f812c0 c477d4c0  .....w.......w..
 c11ea320 0cf812c0 c477d4c0 14f812c0 c477d4c0  .....w.......w..
 c11ea330 1cf812c0 c477d4c0 08f912c0 cc77d4c0  .....w.......w..
 c11ea340 28f912c0 d477d4c0 54f912c0 dc77d4c0  (....w..T....w..
 c11ea350 80f912c0 e477d4c0 f4f912c0 ec77d4c0  .....w.......w..
 c11ea360 fcf912c0 ec77d4c0 04fa12c0 ec77d4c0  .....w.......w..
 c11ea370 0cfa12c0 ec77d4c0 5cfa12c0 f477d4c0  .....w..\....w..
 c11ea380 7cfa12c0 fc77d4c0 a8fa12c0 0478d4c0  |....w.......x..
 c11ea390 d4fa12c0 0c78d4c0 48fb12c0 1478d4c0  .....x..H....x..
 c11ea3a0 50fb12c0 1478d4c0 58fb12c0 1478d4c0  P....x..X....x..
 c11ea3b0 60fb12c0 1478d4c0 78fd12c0 1c78d4c0  `....x..x....x..
 c11ea3c0 98fd12c0 2478d4c0 c4fd12c0 2c78d4c0  ....$x......,x..
 c11ea3d0 f0fd12c0 3478d4c0 64fe12c0 3c78d4c0  ....4x..d...<x..
 c11ea3e0 6cfe12c0 3c78d4c0 74fe12c0 3c78d4c0  l...<x..t...<x..
 c11ea3f0 7cfe12c0 3c78d4c0 20ff12c0 4478d4c0  |...<x.. ...Dx..
 c11ea400 40ff12c0 4c78d4c0 6cff12c0 5478d4c0  @...Lx..l...Tx..
 c11ea410 98ff12c0 5c78d4c0 0c0013c0 6478d4c0  ....\x......dx..
 c11ea420 140013c0 6478d4c0 1c0013c0 6478d4c0  ....dx......dx..
 c11ea430 240013c0 6478d4c0 781f13c0 c81f13c0  $...dx..x.......
 c11ea440 a41f13c0 c81f13c0 d8a916c0 6c78d4c0  ............lx..
 c11ea450 90b816c0 7478d4c0 d0b816c0 8078d4c0  ....tx.......x..
 c11ea460 48b916c0 8c78d4c0 2c6217c0 9478d4c0  H....x..,b...x..
 c11ea470 6c6217c0 9c78d4c0 bc6217c0 a478d4c0  lb...x...b...x..
 c11ea480 706317c0 ac78d4c0 b86317c0 b478d4c0  pc...x...c...x..
 c11ea490 046417c0 bc78d4c0 4c6417c0 c478d4c0  .d...x..Ld...x..
 c11ea4a0 946417c0 cc78d4c0 e06417c0 d478d4c0  .d...x...d...x..
 c11ea4b0 286517c0 dc78d4c0 746517c0 e478d4c0  (e...x..te...x..
 c11ea4c0 046617c0 ec78d4c0 206617c0 f478d4c0  .f...x.. f...x..
 c11ea4d0 906617c0 fc78d4c0 d86617c0 0479d4c0  .f...x...f...y..
 c11ea4e0 286717c0 0c79d4c0 706717c0 1479d4c0  (g...y..pg...y..
 c11ea4f0 b86717c0 1c79d4c0 006817c0 2479d4c0  .g...y...h..$y..
 c11ea500 486817c0 2c79d4c0 946817c0 3479d4c0  Hh..,y...h..4y..
 c11ea510 dc6817c0 3c79d4c0 246917c0 4479d4c0  .h..<y..$i..Dy..
 c11ea520 706917c0 4c79d4c0 b86917c0 5479d4c0  pi..Ly...i..Ty..
 c11ea530 006a17c0 5c79d4c0 4c6a17c0 6479d4c0  .j..\y..Lj..dy..
 c11ea540 946a17c0 6c79d4c0 448117c0 7479d4c0  .j..ly..D...ty..
 c11ea550 7c8117c0 8079d4c0 b88117c0 8c79d4c0  |....y.......y..
 c11ea560 088417c0 9879d4c0 408417c0 a079d4c0  .....y..@....y..
 c11ea570 7c8417c0 a879d4c0 048617c0 b079d4c0  |....y.......y..
 c11ea580 508717c0 b879d4c0 908717c0 c079d4c0  P....y.......y..
 c11ea590 148d17c0 c879d4c0 508d17c0 d479d4c0  .....y..P....y..
 c11ea5a0 8c8d17c0 e079d4c0 c88d17c0 ec79d4c0  .....y.......y..
 c11ea5b0 d08e17c0 f879d4c0 0c8f17c0 007ad4c0  .....y.......z..
 c11ea5c0 488f17c0 087ad4c0 848f17c0 107ad4c0  H....z.......z..
 c11ea5d0 bc5e25c0 187ad4c0 c45e25c0 187ad4c0  .^%..z...^%..z..
 c11ea5e0 f87d25c0 207ad4c0 007e25c0 207ad4c0  .}%. z...~%. z..
 c11ea5f0 407e25c0 287ad4c0 487e25c0 287ad4c0  @~%.(z..H~%.(z..
 c11ea600 887e25c0 307ad4c0 907e25c0 307ad4c0  .~%.0z...~%.0z..
 c11ea610 d47e25c0 387ad4c0 dc7e25c0 387ad4c0  .~%.8z...~%.8z..
 c11ea620 1c7f25c0 407ad4c0 247f25c0 407ad4c0  ..%.@z..$.%.@z..
 c11ea630 e47d36c0 487ad4c0 a0b136c0 607ad4c0  .}6.Hz....6.`z..
 c11ea640 1c1c37c0 787ad4c0 301c37c0 807ad4c0  ..7.xz..0.7..z..
 c11ea650 4c1c37c0 887ad4c0 581c37c0 907ad4c0  L.7..z..X.7..z..
 c11ea660 b41c37c0 987ad4c0 cc1c37c0 a07ad4c0  ..7..z....7..z..
 c11ea670 5c1d37c0 a87ad4c0 601d37c0 a87ad4c0  \.7..z..`.7..z..
 c11ea680 7c1d37c0 b07ad4c0 801d37c0 b07ad4c0  |.7..z....7..z..
 c11ea690 9c1d37c0 b87ad4c0 a01d37c0 b87ad4c0  ..7..z....7..z..
 c11ea6a0 c01d37c0 c07ad4c0 cc1d37c0 c87ad4c0  ..7..z....7..z..
 c11ea6b0 e01d37c0 d07ad4c0 3c1e37c0 d87ad4c0  ..7..z..<.7..z..
 c11ea6c0 202037c0 e07ad4c0 242037c0 e07ad4c0    7..z..$ 7..z..
 c11ea6d0 483237c0 e87ad4c0 583237c0 f47ad4c0  H27..z..X27..z..
 c11ea6e0 443937c0 007bd4c0 503937c0 087bd4c0  D97..{..P97..{..
 c11ea6f0 f46237c0 107bd4c0 307237c0 287bd4c0  .b7..{..0r7.({..
 c11ea700 987337c0 407bd4c0 240938c0 587bd4c0  .s7.@{..$.8.X{..
 c11ea710 440938c0 647bd4c0 002b3ac0 707bd4c0  D.8.d{...+:.p{..
 c11ea720 182b3ac0 787bd4c0 1c2b3ac0 787bd4c0  .+:.x{...+:.x{..
 c11ea730 5c4d3ac0 807bd4c0 6c4d3ac0 887bd4c0  \M:..{..lM:..{..
 c11ea740 804d3ac0 907bd4c0 e44d3ac0 987bd4c0  .M:..{...M:..{..
 c11ea750 f04d3ac0 a07bd4c0 0c4e3ac0 a87bd4c0  .M:..{...N:..{..
 c11ea760 1c4e3ac0 b07bd4c0 3c4e3ac0 b87bd4c0  .N:..{..<N:..{..
 c11ea770 404e3ac0 b87bd4c0 504e3ac0 c07bd4c0  @N:..{..PN:..{..
 c11ea780 684e3ac0 c87bd4c0 784e3ac0 d07bd4c0  hN:..{..xN:..{..
 c11ea790 984e3ac0 d87bd4c0 9c4e3ac0 d87bd4c0  .N:..{...N:..{..
 c11ea7a0 c84e3ac0 e07bd4c0 d44e3ac0 e87bd4c0  .N:..{...N:..{..
 c11ea7b0 e84e3ac0 f07bd4c0 f44e3ac0 f87bd4c0  .N:..{...N:..{..
 c11ea7c0 0c4f3ac0 007cd4c0 244f3ac0 087cd4c0  .O:..|..$O:..|..
 c11ea7d0 284f3ac0 087cd4c0 404f3ac0 107cd4c0  (O:..|..@O:..|..
 c11ea7e0 444f3ac0 107cd4c0 584f3ac0 187cd4c0  DO:..|..XO:..|..
 c11ea7f0 644f3ac0 207cd4c0 844f3ac0 287cd4c0  dO:. |...O:.(|..
 c11ea800 884f3ac0 287cd4c0 984f3ac0 307cd4c0  .O:.(|...O:.0|..
 c11ea810 ac4f3ac0 387cd4c0 b84f3ac0 407cd4c0  .O:.8|...O:.@|..
 c11ea820 d84f3ac0 487cd4c0 dc4f3ac0 487cd4c0  .O:.H|...O:.H|..
 c11ea830 ec4f3ac0 507cd4c0 e88e3ac0 587cd4c0  .O:.P|....:.X|..
 c11ea840 38953ac0 647cd4c0 cc0b3bc0 707cd4c0  8.:.d|....;.p|..
 c11ea850 300c3bc0 787cd4c0 880c3bc0 807cd4c0  0.;.x|....;..|..
 c11ea860 e00c3bc0 887cd4c0 340d3bc0 907cd4c0  ..;..|..4.;..|..
 c11ea870 acfd5cc0 20fe5cc0 b0fd5cc0 20fe5cc0  ..\. .\...\. .\.
 c11ea880 bcfd5cc0 20fe5cc0 f8fd5cc0 20fe5cc0  ..\. .\...\. .\.
 c11ea890 68ff5cc0 987cd4c0 6cff5cc0 987cd4c0  h.\..|..l.\..|..
 c11ea8a0 70ff5cc0 987cd4c0 80ff5cc0 987cd4c0  p.\..|....\..|..
 c11ea8b0 84ff5cc0 987cd4c0 90ff5cc0 987cd4c0  ..\..|....\..|..
 c11ea8c0 98ff5cc0 987cd4c0 9cff5cc0 987cd4c0  ..\..|....\..|..
 c11ea8d0 a4ff5cc0 987cd4c0 34005dc0 a47cd4c0  ..\..|..4.]..|..
                            <here-> 34005dc0:a47cd4c0>  
 c11ea8e0 38005dc0 a47cd4c0 3c005dc0 a47cd4c0  8.]..|..<.]..|..
 c11ea8f0 40005dc0 a47cd4c0 44005dc0 a47cd4c0  @.]..|..D.]..|..
 c11ea900 48005dc0 a47cd4c0 4c005dc0 a47cd4c0  H.]..|..L.]..|..
 c11ea910 50005dc0 a47cd4c0 7c005dc0 a47cd4c0  P.]..|..|.]..|..
 c11ea920 80005dc0 a47cd4c0 84005dc0 a47cd4c0  ..]..|....]..|..
 c11ea930 88005dc0 a47cd4c0 8c005dc0 a47cd4c0  ..]..|....]..|..
 c11ea940 90005dc0 a47cd4c0 94005dc0 a47cd4c0  ..]..|....]..|..
root@stone-linux:~#


 ~myandroid/kernel_imx/arch/arm/lib/copy_template.S
 line 116: ldr8w    r1, r3, r4, r5, r6, r7, r8, ip, lr, abort=20f  in  0xc05d0034
 
 The address 0xc05d0034 is stored little-endian, so it appears in the dump as the bytes `34 00 5d c0`
 find 34005dc0 in __ex_table; the word that follows it (a47cd4c0) is the paired fixup address
 
 a47cd4c0 to address is 0xc0d47ca4
 ~myandroid/kernel_imx/arch/arm/lib/copy_from_user.S
 0xc0d47ca4 in line 102: copy_abort_preamble
 
 when run into myandroid/kernel_imx/arch/arm/mm/extable.c
 int fixup_exception(struct pt_regs *regs)
 {
 ...
 }
 
search_exception_tables is given the faulting PC 0xc05d0034
and finds the paired fixup address 0xc0d47ca4
then fixup_exception sets the saved PC (regs->eip in the author's x86-style notation; on ARM this is ARM_pc, i.e. uregs[15]) to 0xc0d47ca4 so execution resumes in the handler


When arg is NULL (0), r1 = 0 at the faulting load, so the exception-table entry should redirect execution into .text.fixup:

    if (copy_from_user(&ifr, arg, sizeof(struct ifreq)))
        return -EFAULT;

and when the fixup handler cannot be found at the address __ex_table points to, the kernel oopses instead of returning -EFAULT; a bad pointer passed to this ioctl from user space therefore crashes the kernel rather than failing the call


refer to http://visualgdb.com/gdbreference/commands/disassemble
make sure enable CONFIG_DEBUG_INFO=y CONFIG_FRAME_POINTER=y in config

in myandroid/kernel_imx/arch/arm/mm/fault.c
static void __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr, struct pt_regs *regs)
{
printlog(regs->uregs14); //get LR last function call
printlog(regs->uregs15); //get PC last crash address

if (fixup_exception(regs))
      return;

.

.
.

}

get
LR = reg14= 0xc0a8bba0

PC = reg15= 0xc05c7634

//use arm gdb in console

/mnt/projects/marsh_mnt/myandroid/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.9/bin/arm-linux-androideabi-gdb /mnt/projects/marsh_mnt/out/matrix_io/kernel/vmlinux

(gdb) disassemble /m 0xc0a8bba0,0xc0a8bba0+0x32
Dump of assembler code from 0xc0a8bba0 to 0xc0a8bbd2:
413 if (copy_from_user(&ifr, arg, sizeof(struct ifreq)))
0xc0a8bba0 <dev_ioctl+652>: cmp r0, #0
0xc0a8bba4 <dev_ioctl+656>: beq 0xc0a8bbc0 <dev_ioctl+684>
0xc0a8bba8 <dev_ioctl+660>: b 0xc0a8c244 <dev_ioctl+2352>

414 return -EFAULT;
0xc0a8bbb8 <dev_ioctl+676>: mvn r4, #13
0xc0a8bbbc <dev_ioctl+680>: b 0xc0a8c28c <dev_ioctl+2424>

415
416 ifr.ifr_name[IFNAMSIZ-1] = 0;
0xc0a8bbc0 <dev_ioctl+684>: mov r3, #0
0xc0a8bbc4 <dev_ioctl+688>: strb r3, [r11, #-61] ; 0x3d

417
418 colon = strchr(ifr.ifr_name, ':');
0xc0a8bbc8 <dev_ioctl+692>: sub r0, r11, #76 ; 0x4c
0xc0a8bbcc <dev_ioctl+696>: mov r1, #58 ; 0x3a
0xc0a8bbd0 <dev_ioctl+700>: bl 0xc05c9de0 <strchr>

and
(gdb) disassemble /m 0xc05c7634,0xc05c7634+0x32
Dump of assembler code from 0xc05c7634 to 0xc05c7666:
135 4: ldr8w r1, r3, r4, r5, r6, r7, r8, ip, lr, abort=20f
0xc05c7634 <__copy_from_user+76>: ldr r3, [r1], #4
0xc05c7638 <__copy_from_user+80>: ldr r4, [r1], #4
0xc05c763c <__copy_from_user+84>: ldr r5, [r1], #4
0xc05c7640 <__copy_from_user+88>: ldr r6, [r1], #4
0xc05c7644 <__copy_from_user+92>: ldr r7, [r1], #4
0xc05c7648 <__copy_from_user+96>: ldr r8, [r1], #4
0xc05c764c <__copy_from_user+100>: ldr r12, [r1], #4
0xc05c7650 <__copy_from_user+104>: ldr lr, [r1], #4

136 subs r2, r2, #32
0xc05c7654 <__copy_from_user+108>: subs r2, r2, #32

137 str8w r0, r3, r4, r5, r6, r7, r8, ip, lr, abort=20f
0xc05c7658 <__copy_from_user+112>: stmia r0!, {r3, r4, r5, r6, r7, r8, r12, lr}

138 bge 3b
0xc05c765c <__copy_from_user+116>: bge 0xc05c7630 <__copy_from_user+72>

139 r2, #96 ">PLD
0xc05c7660 <__copy_from_user+120>: cmn r2, #96 ; 0x60

140 PLD
0xc05c7664 <__copy_from_user+124>: bge 0xc05c7634 <__copy_from_user+76>


*(gdb) disassemble /m address,address+0x32
*If the dump is empty, change the length (0x32) to another value such as 0x16, 0x64 or 0x128

////

(gdb) info line *0xc0a8bba0
Line 413 of "/mnt/projects/marsh_mnt/myandroid/kernel_imx/net/core/dev_ioctl.c"
   starts at address 0xc0a8bba0 <dev_ioctl+652>
   and ends at 0xc0a8bbac <dev_ioctl+664>.

//and

(gdb) info line *0xc05c7634
Line 135 of "/mnt/projects/marsh_mnt/myandroid/kernel_imx/arch/arm/lib/copy_from_user.S" starts at address 0xc05c7634 <__copy_from_user+76>
   and ends at 0xc05c7654 <__copy_from_user+108>.

////

find source dev_ioctl.c -> if (copy_from_user(&ifr, arg, sizeof(struct ifreq)))        is the last C-level call (LR)
find source copy_template.S -> ldr8w r1, r3, r4, r5, r6, r7, r8, ip, lr, abort=20f                is the faulting instruction (PC)

https://fatalfeel.blogspot.tw/2013/09/use-gdb-find-crash-source-line.html#more


break at copy_from_user -> copy crash.png

copy crash.png

myandroid/kernel_imx/arch/arm/lib/copy_from_user.S + myandroid/kernel_imx/arch/arm/lib/copy_template.S

4:        ldr8w    r1, r3, r4, r5, r6, r7, r8, ip, lr, abort=20f  --> this instruction faults and execution should be redirected to the .text.fixup handler

r0    0xcbaabea8    
r1    0x0    
r2    0xffffffa0    
r3    0x0    
r4    0x7704    
r5    0xc13bc840    
r6    0x0    
r7    0x0    
r8    0x7704    
r9    0xa8    
r10    0x0    
r11    0xcbaabef4    
r12    0x0    
sp    0xcbaabe5c    
lr    0xc0a8bba0    
pc    0xc05c7634    


i am so sure it's a kernel bug!!!

~myandroid/kernel_imx/arch/arm/include/uapi/asm/ptrace.h

/*
 * User-space view of the ARM register file as exposed by ptrace.  The
 * kernel has its own struct pt_regs elsewhere, so this definition is only
 * compiled for non-kernel includes; the ARM_* accessors below apply to both.
 */
#ifndef __KERNEL__
struct pt_regs {
    long uregs[18];   /* r0-r15, cpsr and the saved original r0 (see ARM_* below) */
};
#endif /* __KERNEL__ */

/* Index into uregs[]: registers by number, plus CPSR (16) and ORIG_r0 (17). */
#define ARM_cpsr    uregs[16]
#define ARM_pc        uregs[15]   /* address of the faulting instruction in the crash dumps */
#define ARM_lr        uregs[14]   /* return address, i.e. the caller of the faulting routine */
#define ARM_sp        uregs[13]
#define ARM_ip        uregs[12]
#define ARM_fp        uregs[11]
#define ARM_r10        uregs[10]
#define ARM_r9        uregs[9]
#define ARM_r8        uregs[8]
#define ARM_r7        uregs[7]
#define ARM_r6        uregs[6]
#define ARM_r5        uregs[5]
#define ARM_r4        uregs[4]
#define ARM_r3        uregs[3]
#define ARM_r2        uregs[2]
#define ARM_r1        uregs[1]
#define ARM_r0        uregs[0]
#define ARM_ORIG_r0    uregs[17]  /* presumably r0 as it was on entry, before the syscall return value overwrote uregs[0] - confirm */

ureg[14]=lr=0xc0a8bba0 lr1.png
backtrace 0xc0a8bba0 lr2.png
int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
{
...
...
if (copy_from_user(&ifr, arg, sizeof(struct ifreq)))
        return -EFAULT;
...
...
}

/////////////////////
0xc0d3f294 fixaddress fix1.png
0xc0d3f294 fix2.png
{
...
...
/*** begin: issue #5404: socket can ***/
    /*.pushsection .fixup,"ax"*/
    .pushsection .text.fixup,"ax"
    /*** end: issue #5404 ***/
    .align 0
    copy_abort_preamble
    ldmfd    sp!, {r1, r2}
    sub    r3, r0, r1
    rsb    r1, r3, r2
    str    r1, [sp]
    bl    __memzero
    ldr    r0, [sp], #4
    copy_abort_end
    .popsection
...
...
}



If CONFIG_ARM_UNWIND=n

and

CONFIG_FRAME_POINTER=y

and

the fixup handler is put in the wrong section (.pushsection .fixup,"ax")

the kernel crashes at random times, often in the SCHED and LOCK code

//the following changes worked in my testing

1.

For full backtrace and jtag call stack view

CONFIG_ARM_UNWIND=n in default config

and

~/myandroid/kernel_imx/arch/arm/Kconfig.debug

config ARM_UNWIND
    bool "Enable stack unwinding support (EXPERIMENTAL)"
    depends on AEABI
### begin: issue : avoid warning "unwinding may not work because EXIDX" ###
    # Default changed from y to n: backtraces come from frame pointers
    # instead (CONFIG_FRAME_POINTER=y), and the EXIDX warning at build
    # time goes away.
    # default y
    default n
### end: issue  ###

 this avoids the build warning "unwinding may not work because EXIDX ..." 

https://lists.linaro.org/pipermail/linaro-dev/2014-December/017686.html

2.

myandroid/kernel_imx/include/asm-generic/vmlinux.lds.h

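/*
 * TEXT_TEXT: input sections gathered into the main .text output section.
 *
 * Local change: *(.text .text.fixup) is replaced by *(.text) alone; the
 * .text.fixup input section is instead placed explicitly (with its own
 * ALIGN_FUNCTION()) in arch/arm/kernel/vmlinux.lds.S.
 *
 * This is a preprocessor macro: every line must end in a continuation
 * backslash with nothing after it (a comment placed after the backslash
 * ends the definition early), and no blank line may appear inside it.
 */
#define TEXT_TEXT                                                       \
        ALIGN_FUNCTION();                                               \
        *(.text.hot)                                                    \
        /* modified: was *(.text .text.fixup); see vmlinux.lds.S */     \
        *(.text)                                                        \
        *(.ref.text)                                                    \
    MEM_KEEP(init.text)                                                 \
    MEM_KEEP(exit.text)                                                 \
        *(.text.unlikely)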

kernel_imx/arch/arm/kernel/vmlinux.lds.S

.text : {            /* Real text segment        */
        _stext = .;        /* Text and read-only data    */
            IDMAP_TEXT
            __exception_text_start = .;
            *(.exception.text)
            __exception_text_end = .;
            IRQENTRY_TEXT
            TEXT_TEXT
            SCHED_TEXT
            LOCK_TEXT
            KPROBES_TEXT
/*** begin: issue #add this: place the exception-fixup handlers (e.g. the
 *** __copy_from_user abort path in .text.fixup) inside mapped kernel text,
 *** so the addresses recorded in __ex_table are valid when fixup_exception()
 *** jumps to them.  ALIGN_FUNCTION() mirrors what TEXT_TEXT does in
 *** include/asm-generic/vmlinux.lds.h before each input-section group.
 *** The trailing backslash after ALIGN_FUNCTION(); appears to be a leftover
 *** cpp line splice (this file is preprocessed); it only joins the two lines
 *** and is not needed.  The CONFIG_MMU guard presumably mirrors the old
 *** placement of .fixup - confirm against the v4.0 script linked at the end
 *** of this post. ***/

#ifdef CONFIG_MMU
            ALIGN_FUNCTION(); \
            *(.text.fixup)
#endif
/*** end: issue #add this ***/
            *(.gnu.warning)
            *(.glue_7)
            *(.glue_7t)
        . = ALIGN(4);
        *(.got)            /* Global offset table        */
            ARM_CPU_KEEP(PROC_INFO)
    }

myandroid/kernel_imx/arch/arm/lib/copy_from_user.S

ENDPROC(__copy_from_user)

    /* Exception-table fixup for __copy_from_user: entered via __ex_table
     * when a user load in copy_template.S faults.  It must live in a
     * section that the linker script actually maps into kernel text. */
    /*.pushsection .fixup,"ax"*/     /* section error: this tree's vmlinux.lds.S appears not to place .fixup */
    .pushsection .text.fixup,"ax"  /* change .fixup to .text.fixup, which vmlinux.lds.S places after KPROBES_TEXT */
    .align 0
    copy_abort_preamble            @ pops the callee-saved registers (r5-r8, or r5-r9 for label 19)
    ldmfd    sp!, {r1, r2}         @ presumably the original destination and byte count saved at entry - confirm in copy_template.S
    sub    r3, r0, r1              @ r3 = bytes copied so far
    rsb    r1, r3, r2              @ r1 = bytes not copied
    str    r1, [sp]                @ keep that count for the return value
    bl    __memzero                @ zero the unfilled tail of the kernel buffer
    ldr    r0, [sp], #4            @ return value: number of bytes not copied
    copy_abort_end                 @ ldmfd sp!, {r4, pc}
    .popsection

/////////////////////////////////////////////////

3.

~myandroid/kernel_imx/include/asm-generic/current.h

/* #define get_current() (current_thread_info()->task) */

//to
/*
 * NULL-tolerant replacement for the default get_current() expansion
 * (current_thread_info()->task): returns the task that owns the current
 * thread_info, or NULL when no thread_info pointer is available.
 *
 * NOTE(review): callers of get_current() generally dereference the result
 * without checking for NULL, so a NULL return here most likely only moves
 * the fault to the caller.  If current_thread_info() can really be NULL
 * (or point at corrupted memory) on this tree, the root cause is upstream
 * of this helper - confirm before relying on this check.
 */
static inline struct task_struct* current_task_info(void)
{
    struct thread_info* ti = current_thread_info();

    return ti ? ti->task : NULL;
}
#define get_current() current_task_info()

 

/////////////////////////////////////////////////

4.

~myandroid/kernel_imx/net/core/sock.c

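/*
 * Data-ready callback for sockets: wake any process sleeping on the
 * socket's wait queue, then deliver the asynchronous (SIGIO) notification
 * through sk_wake_async().
 *
 * sk->sk_wq is RCU-protected (it is read with rcu_dereference() here), so
 * it must be read exactly once, inside the RCU read-side critical section,
 * and only the dereferenced value tested.  A plain `if (sk->sk_wq)` before
 * the rcu_dereference() bypasses the RCU annotation and can observe a
 * different pointer than the one subsequently used, so that check is
 * replaced by testing wq itself (which may legitimately be NULL).
 */
static void sock_def_readable(struct sock* sk)
{
    struct socket_wq* wq;

    /* Defensive guard kept from the original change; a callback with a
     * NULL socket is not expected, and returning early is a no-op. */
    if (!sk)
        return;

    rcu_read_lock();

    wq = rcu_dereference(sk->sk_wq);
    if (wq && wq_has_sleeper(wq))
        wake_up_interruptible_sync_poll(&wq->wait, POLLIN | POLLPRI | POLLRDNORM | POLLRDBAND);

    sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN);

    rcu_read_unlock();
}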

5. Optional: if you need a backtrace in the crash log, enable these in the default config

CONFIG_CC_OPTIMIZE_FOR_SIZE = n
CONFIG_DEBUG_INFO = y

CONFIG_HAVE_FUNCTION_TRACER=y
CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
CONFIG_HAVE_DYNAMIC_FTRACE=y
CONFIG_TRACING_SUPPORT=y
CONFIG_FTRACE=y
CONFIG_FUNCTION_TRACER=y

CONFIG_DYNAMIC_FTRACE=y

CONFIG_FRAME_POINTER=y //this is the key option for backtraces

it affects /mnt/projects/marsh_mnt/myandroid/kernel_imx/Makefile
ifdef CONFIG_FRAME_POINTER
KBUILD_CFLAGS    += -fno-omit-frame-pointer -fno-optimize-sibling-calls

//////////////////////

refer to

use .fixup
http://elixir.free-electrons.com/linux/v4.0.9/source/arch/arm/kernel/vmlinux.lds.S
http://elixir.free-electrons.com/linux/v4.0.9/source/arch/arm/lib/csumpartialcopyuser.S

use .text.fixup
http://elixir.free-electrons.com/linux/v4.1.48/source/arch/arm/kernel/vmlinux.lds.S
http://elixir.free-electrons.com/linux/v4.1.48/source/arch/arm/lib/csumpartialcopyuser.S


service  media and zygote re

initzy error.png


//crash message 2

[   60.909217] Unable to handle kernel NULL pointer dereference at virtual address 000002d0
[   60.910295] pgd = c0004000
[   60.910677] [000002d0] *pgd=00000000
[   60.911201] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[   60.911906] Modules linked in:
[   60.912363] CPU: 0 PID: 87 Comm: ci_otg Not tainted 4.1.27-svn1470 #12
[   60.913219] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
[   60.914094] Workqueue:  0x7265746e (handle kernel %s at vir)
[   60.914898] task: ca3c5140 ti: ca714000 task.ti: ca714000
[   60.915645] PC is at do_page_fault+0x3c/0x368
[   60.916248] LR is at do_translation_fault+0x20/0xa8
[   60.916906] pc : [<c0128190>]    lr : [<c0128584>]    psr: a00f0193
[   60.916906] sp : ca7160f0  ip : ca716140  fp : ca71613c
[   60.918387] r10: ca283010  r9 : 00000000  r8 : 00000002
[   60.919081] r7 : 00000005  r6 : ca716208  r5 : ca716208  r4 : ca716000
[   60.919936] r3 : ca7160f0  r2 : ca716208  r1 : 00000005  r0 : 000002d4
[   60.920796] Flags: NzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
[   60.921764] Control: 10c53c7d  Table: 1b7a004a  DAC: 00000015
[   60.922522]
[   60.922522] PC: 0xc0128110:
[   60.923098] 8110  e34c0109 e3550a01 21a01003 e1a02005 eb03412e e1a00007 e1a01005 ebffff9b
[   60.924389] 8130  e30d0300 e34c0109 e1a01004 e1a02006 ebffaeff e3a00000 eb12bff1 e3a00009
[   60.925675] 8150  eb00a76a e1a0c00d e92ddff0 e24cb004 e24dd024 e52de004 e8bd4000 e50b0030
[   60.926956] 8170  e1a07001 e1a05002 e1a0300d e3c34d7f e3c4403f e3540000 1594900c 03a09000
[   60.928241] 8190  e59962d0 e5923040 e3130080 1a000000 f1080080 e5943004 e3d33602 1a0000b4
[   60.929526] 81b0  e10f3000 e7e033d3 e3560000 03833001 e3530000 1a0000ae e5953040 e203300f
[   60.930809] 81d0  e3530000 13a08014 03a08054 e2173b02 e50b3038 13888001 e2863038 e50b3034
[   60.932090] 81f0  e1a00003 eb02f64b e3500000 1a000008 e5953040 e313000f 0a000003 e595003c
[   60.933374]
[   60.933374] LR: 0xc0128504:
[   60.933949] 8504  1a000009 e3a02001 e3402003 e58d2000 e58d3004 e1a0000c e1a01004 e1a0200e
[   60.935233] 8524  e3a0300b ebfffe85 ea000002 e1a01004 e1a0200e ebfffee0 e24bd010 e89da810
[   60.936512] 8544  e1a0c00d e92dd800 e24cb004 e52de004 e8bd4000 ebffffd7 e3a00000 e89da800
[   60.937794] 8564  e1a0c00d e92dd878 e24cb004 e52de004 e8bd4000 e35004bf 2a000001 ebfffef3
[   60.939085] 8584  e89da878 e5923040 e313000f 0a00001a ee123f10 e3c33dff e3c3303f e2433450
[   60.940367] 85a4  e1a04aa0 e1a0e184 e302caa0 e34cc132 e59c5020 e085c00e e7e06a50 e79c6106
[   60.941650] 85c4  e3560000 0a00000c e083e00e e7952184 e7832184 e59c3004 e58e3004 e303398c
[   60.942930] 85e4  e34c3130 e5933008 e3130101 1e07ef3a f57ff04a e3a00000 e89da878 ebffffad
[   60.944215]
[   60.944215] SP: 0xca716070:
[   60.944790] 6070  c13db2e4 c13db2e4 0beacd36 00000000 cb3b2580 00000001 c0128190 a00f0193
[   60.946069] 6090  ffffffff ca7160dc ca71613c ca7160a8 c0114c98 c01011d4 000002d4 00000005
[   60.947351] 60b0  ca716208 ca7160f0 ca716000 ca716208 ca716208 00000005 00000002 00000000
[   60.948633] 60d0  ca283010 ca71613c ca716140 ca7160f0 c0128584 c0128190 a00f0193 ffffffff
[   60.949914] 60f0  00000000 00000000 000000be 00000000 0002fc00 00000000 00000000 000002d4
[   60.951194] 6110  00000000 00000005 000002d4 ca716208 c130e014 00000002 ffffa293 ca283010
[   60.952478] 6130  ca71615c ca716140 c0128584 c0128160 00000000 00000005 000002d4 ca716208
[   60.953757] 6150  ca716204 ca716160 c0101210 c0128570 00000000 00000000 00000000 00000000
[   60.955043]
[   60.955043] IP: 0xca7160c0:
[   60.955619] 60c0  ca716208 00000005 00000002 00000000 ca283010 ca71613c ca716140 ca7160f0
[   60.956901] 60e0  c0128584 c0128190 a00f0193 ffffffff 00000000 00000000 000000be 00000000
[   60.958181] 6100  0002fc00 00000000 00000000 000002d4 00000000 00000005 000002d4 ca716208
[   60.959462] 6120  c130e014 00000002 ffffa293 ca283010 ca71615c ca716140 c0128584 c0128160
[   60.960744] 6140  00000000 00000005 000002d4 ca716208 ca716204 ca716160 c0101210 c0128570
[   60.962025] 6160  00000000 00000000 00000000 00000000 000005e0 00000000 00000008 00000000
[   60.963305] 6180  00000008 00000000 00000000 00000005 cb3b25c8 cd6f9c80 00000000 00000000
[   60.964590] 61a0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   60.965873]
[   60.965873] FP: 0xca7160bc:
[   60.966448] 60bc  ca716208 ca716208 00000005 00000002 00000000 ca283010 ca71613c ca716140
[   60.967731] 60dc  ca7160f0 c0128584 c0128190 a00f0193 ffffffff 00000000 00000000 000000be
[   60.969014] 60fc  00000000 0002fc00 00000000 00000000 000002d4 00000000 00000005 000002d4
[   60.970292] 611c  ca716208 c130e014 00000002 ffffa293 ca283010 ca71615c ca716140 c0128584
[   60.971575] 613c  c0128160 00000000 00000005 000002d4 ca716208 ca716204 ca716160 c0101210
[   60.972862] 615c  c0128570 00000000 00000000 00000000 00000000 000005e0 00000000 00000008
[   60.974144] 617c  00000000 00000008 00000000 00000000 00000005 cb3b25c8 cd6f9c80 00000000
[   60.975425] 619c  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   60.976707]
[   60.976707] R2: 0xca716188:
[   60.977282] 6188  00000000 00000005 cb3b25c8 cd6f9c80 00000000 00000000 00000000 00000000
[   60.978561] 61a8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   60.979842] 61c8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   60.981121] 61e8  c01284f8 a00f0193 ffffffff ca71623c ca71626c ca716208 c0114c98 c01011d4
[   60.982405] 6208  f6eebc7c 00000005 ca716250 ca716338 f6eebc7c c0004000 00000000 c130e014
[   60.983688] 6228  00000002 ffffa293 ca283010 ca71626c 00000000 ca716250 00000005 c01284f8
[   60.984969] 6248  a00f0193 ffffffff 00000000 00000000 00000000 000007b7 ca71628c ca716270
[   60.986248] 6268  c0128604 c01284c8 00000000 00000005 f6eebc7c ca716338 ca716334 ca716290
[   60.987531]
[   60.987531] R3: 0xca716070:
[   60.988105] 6070  c13db2e4 c13db2e4 0beacd36 00000000 cb3b2580 00000001 c0128190 a00f0193
[   60.989397] 6090  ffffffff ca7160dc ca71613c ca7160a8 c0114c98 c01011d4 000002d4 00000005
[   60.990682] 60b0  ca716208 ca7160f0 ca716000 ca716208 ca716208 00000005 00000002 00000000
[   60.991962] 60d0  ca283010 ca71613c ca716140 ca7160f0 c0128584 c0128190 a00f0193 ffffffff
[   60.993244] 60f0  00000000 00000000 000000be 00000000 0002fc00 00000000 00000000 000002d4
[   60.994526] 6110  00000000 00000005 000002d4 ca716208 c130e014 00000002 ffffa293 ca283010
[   60.995805] 6130  ca71615c ca716140 c0128584 c0128160 00000000 00000005 000002d4 ca716208
[   60.997088] 6150  ca716204 ca716160 c0101210 c0128570 00000000 00000000 00000000 00000000
[   60.998373]
[   60.998373] R4: 0xca715f80:
[   60.998947] 5f80  ca715fdc ca715f90 c0128498 c01280cc c13179e8 c13179e8 c13179e8 c131a1b8
[   61.000229] 5fa0  c131a1b8 00000000 00000001 000002d0 ca4b7080 00000005 000002d0 ca7160a8
[   61.001511] 5fc0  c130e014 00000002 00000000 ca283010 ca715ffc ca715fe0 c0128584 c0128160
[   61.002794] 5fe0  00000000 00000005 000002d0 ca7160a8 ca7160a4 ca716000 c0101210 c0128570
[   61.004074] 6000  00000003 cd6f9c80 0003e800 00000000 cd6f9c80 ca4d6ad0 ca4b7080 ca4d6ad0
[   61.005360] 6020  0003e800 00000000 ca4b7080 00000000 00000000 00000000 c1405718 00000001
[   61.006643] 6040  cd6f9c80 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   61.007925] 6060  584c76b6 00000000 00000000 00000000 c13db2e4 c13db2e4 0beacd36 00000000
[   61.009210]
[   61.009210] R5: 0xca716188:
[   61.009786] 6188  00000000 00000005 cb3b25c8 cd6f9c80 00000000 00000000 00000000 00000000
[   61.011067] 61a8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   61.012348] 61c8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   61.013629] 61e8  c01284f8 a00f0193 ffffffff ca71623c ca71626c ca716208 c0114c98 c01011d4
[   61.014913] 6208  f6eebc7c 00000005 ca716250 ca716338 f6eebc7c c0004000 00000000 c130e014
[   61.016195] 6228  00000002 ffffa293 ca283010 ca71626c 00000000 ca716250 00000005 c01284f8
[   61.017475] 6248  a00f0193 ffffffff 00000000 00000000 00000000 000007b7 ca71628c ca716270
[   61.018759] 6268  c0128604 c01284c8 00000000 00000005 f6eebc7c ca716338 ca716334 ca716290
[   61.020042]
[   61.020042] R6: 0xca716188:
[   61.020617] 6188  00000000 00000005 cb3b25c8 cd6f9c80 00000000 00000000 00000000 00000000
[   61.021903] 61a8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   61.023188] 61c8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   61.024469] 61e8  c01284f8 a00f0193 ffffffff ca71623c ca71626c ca716208 c0114c98 c01011d4
[   61.025755] 6208  f6eebc7c 00000005 ca716250 ca716338 f6eebc7c c0004000 00000000 c130e014
[   61.027032] 6228  00000002 ffffa293 ca283010 ca71626c 00000000 ca716250 00000005 c01284f8
[   61.028313] 6248  a00f0193 ffffffff 00000000 00000000 00000000 000007b7 ca71628c ca716270
[   61.029597] 6268  c0128604 c01284c8 00000000 00000005 f6eebc7c ca716338 ca716334 ca716290
[   61.030880]
[   61.030880] R10: 0xca282f90:
[   61.031466] 2f90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   61.032745] 2fb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   61.034021] 2fd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   61.035299] 2ff0  00000000 00000000 00000000 00000000 ca28e500 ca28e440 c0699b8c 00000000
[   61.036580] 3010  00000000 00000000 c13760e4 00000000 01d301d3 00000000 00000000 ca4b7080
[   61.037861] 3030  00000064 00000003 ca21e210 ca28da00 ca28e640 ca28482c ca281c6c ca21e218
[   61.039152] 3050  ca14c880 c135fc08 ca28cf50 0000000f 00000007 00000000 c13754f4 00000001
[   61.040435] 3070  00000000 ca283074 ca283074 00000000 00000000 c137550c 00000000 00000000
[   61.041724] Process ci_otg (pid: 87, stack limit = 0xca714210)
[   61.042494] Stack: (0xca7160f0 to 0xca716000)
[   61.043075] Backtrace:
[   61.043481] [<c0128154>] (do_page_fault) from [<c0128584>] (do_translation_fault+0x20/0xa8)
[   61.044565]  r10:ca283010 r9:ffffa293 r8:00000002 r7:c130e014 r6:ca716208 r5:000002d4
[   61.045721]  r4:00000005
[   61.046124] [<c0128564>] (do_translation_fault) from [<c0101210>] (do_DataAbort+0x48/0xcc)
[   61.047197]  r6:ca716208 r5:000002d4 r4:00000005 r3:00000000
[   61.048069] [<c01011c8>] (do_DataAbort) from [<c0114c98>] (__dabt_svc+0x38/0x60)
[   61.049036] Exception stack(0xca716208 to 0xca716250)
[   61.049717] 6200:                   f6eebc7c 00000005 ca716250 ca716338 f6eebc7c c0004000
[   61.050789] 6220: 00000000 c130e014 00000002 ffffa293 ca283010 ca71626c 00000000 ca716250
[   61.051856] 6240: 00000005 c01284f8 a00f0193 ffffffff
[   61.052524]  r7:ca71623c r6:ffffffff r5:a00f0193 r4:c01284f8
[   61.053410] [<c01284bc>] (do_bad_area) from [<c0128604>] (do_translation_fault+0xa0/0xa8)
[   61.054470]  r4:000007b7
[   61.054873] [<c0128564>] (do_translation_fault) from [<c0101210>] (do_DataAbort+0x48/0xcc)
[   61.055945]  r6:ca716338 r5:f6eebc7c r4:00000005 r3:00000000
[   61.056814] [<c01011c8>] (do_DataAbort) from [<c0114c98>] (__dabt_svc+0x38/0x60)
[   61.057780] Exception stack(0xca716338 to 0xca716380)
[   61.058456] 6320:                                                       cd6f9c80 c109c9e6
[   61.059529] 6340: cd6f9c80 c1304a7c 00000000 c0157988 ca717660 c0e06f00 00000002 ffffa293
[   61.060602] 6360: ca283010 ca7163c4 ca716370 ca716380 c05e48d4 c01f8638 a00f0193 ffffffff
[   61.061661]  r7:ca71636c r6:ffffffff r5:a00f0193 r4:c01f8638
[   61.062551] [<c01f85e4>] (printk) from [<c014dfe0>] (warn_slowpath_common+0x38/0x104)
[   61.063569]  r3:00000000 r2:c01a5354 r1:00000a18 r0:c0e06c90
[   61.064441] [<c014dfa8>] (warn_slowpath_common) from [<c014e0fc>] (warn_slowpath_fmt+0x50/0x58)
[   61.065566]  r4:00000000
[   61.065975] [<c014e0b0>] (warn_slowpath_fmt) from [<c01a5354>] (preempt_count_add+0xbc/0x220)
[   61.067079]  r3:c0e09c4c r2:c0e09c34
[   61.067649] [<c01a5298>] (preempt_count_add) from [<c0d7f400>] (_raw_spin_lock_irqsave+0x40/0xd4)
[   61.068839] [<c0d7f3c0>] (_raw_spin_lock_irqsave) from [<c05f91a0>] (gic_raise_softirq+0x28/0xa0)
[   61.070022] [<c05f9178>] (gic_raise_softirq) from [<c0119248>] (smp_cross_call+0x264/0x274)
[   61.071107]  r9:ffffa293 r8:c1302100 r7:00000001 r6:ca717660 r5:c0157988 r4:00000000
[   61.072284] [<c0118fe4>] (smp_cross_call) from [<c011a164>] (smp_send_reschedule+0x70/0x78)
[   61.073393] [<c011a0f4>] (smp_send_reschedule) from [<c019e460>] (resched_curr+0x13c/0x364)
[   61.074510] [<c019e324>] (resched_curr) from [<c01c46e4>] (check_preempt_wakeup+0x2d4/0x364)
[   61.075603]  r4:00000000
[   61.076007] [<c01c4410>] (check_preempt_wakeup) from [<c019f614>] (check_preempt_curr+0x60/0x1d4)
[   61.077180] [<c019f5b4>] (check_preempt_curr) from [<c01a1604>] (ttwu_do_wakeup+0x34/0x350)
[   61.078286] [<c01a15d0>] (ttwu_do_wakeup) from [<c01a1990>] (ttwu_do_activate+0x70/0x78)
[   61.079357] [<c01a1920>] (ttwu_do_activate) from [<c01a28d8>] (ttwu_queue+0xc4/0xd8)
[   61.080388] [<c01a2814>] (ttwu_queue) from [<c01a2c54>] (try_to_wake_up+0x368/0x39c)
[   61.081422] [<c01a28ec>] (try_to_wake_up) from [<c01a582c>] (default_wake_function+0x40/0x54)
[   61.082557] [<c01a57ec>] (default_wake_function) from [<c0368b64>] (pollwake+0x74/0x80)
[   61.083628] [<c0368af0>] (pollwake) from [<c01daad0>] (__wake_up_common+0x84/0xfc)
[   61.084638] [<c01daa4c>] (__wake_up_common) from [<c01dad04>] (__wake_up_sync_key+0xa8/0xd0)
[   61.085758] [<c01dac5c>] (__wake_up_sync_key) from [<c0a5c5b4>] (sock_def_readable+0x134/0x1e8)
[   61.086905] [<c0a5c480>] (sock_def_readable) from [<c0a54594>] (sock_queue_rcv_skb+0x940/0x958)
[   61.088062] [<c0a53c54>] (sock_queue_rcv_skb) from [<c0c022a4>] (raw_rcv+0x3b4/0x3d0)
[   61.089110] [<c0c01ef0>] (raw_rcv) from [<c0bff544>] (can_rcv_filter+0x1f4/0x6e4)
[   61.090109] [<c0bff350>] (can_rcv_filter) from [<c0bffb5c>] (can_receive+0x128/0x190)
[   61.091151] [<c0bffa34>] (can_receive) from [<c0bffdc0>] (can_rcv+0x1fc/0x21c)
[   61.092091]  r4:ca4b7080
[   61.092503] [<c0bffbc4>] (can_rcv) from [<c0a89d34>] (__netif_receive_skb_core+0x15b8/0x1650)
[   61.093637] [<c0a8877c>] (__netif_receive_skb_core) from [<c0a89f8c>] (__netif_receive_skb+0x1c0/0x1d4)
[   61.094880] [<c0a89dcc>] (__netif_receive_skb) from [<c0a8c688>] (process_backlog+0x88/0x354)
[   61.095984]  r4:ca4b7080
[   61.096391] [<c0a8c600>] (process_backlog) from [<c0a8d6fc>] (napi_poll+0x158/0x604)
[   61.097428] [<c0a8d5a4>] (napi_poll) from [<c0a8ddec>] (net_rx_action+0x244/0x55c)
[   61.098444] [<c0a8dba8>] (net_rx_action) from [<c01570c4>] (__do_softirq+0x478/0xa28)
[   61.099486] [<c0156c4c>] (__do_softirq) from [<c0157988>] (irq_exit+0x188/0x284)
[   61.100449]  r5:c1304c04 r4:f4a00100
[   61.101009] [<c0157800>] (irq_exit) from [<c01fb6e0>] (__handle_domain_irq+0x19c/0x250)
[   61.102069] [<c01fb544>] (__handle_domain_irq) from [<c01015dc>] (gic_handle_irq+0x50/0x74)
[   61.103172] [<c010158c>] (gic_handle_irq) from [<c0114d00>] (__irq_svc+0x40/0x74)
[   61.104147] Exception stack(0xca717660 to 0xca7176a8)
[   61.104829] 7660: 00000000 c109c9e6 00020bad 00000000 c0d75c4c 00000080 c13761f8 00000000
[   61.105901] 7680: c1302100 ffffa293 ca283010 ca7178ec ca717698 ca7176a8 c05e48d4 c0d74e64
[   61.106965] 76a0: 600f0013 ffffffff
[   61.107438]  r7:ca717694 r6:ffffffff r5:600f0013 r4:c0d74e64
[   61.108315] [<c0d74cf8>] (__schedule) from [<c0d75c4c>] (schedule+0x178/0x204)
[   61.109258]  r4:ca717970
[   61.109660] [<c0d75ad4>] (schedule) from [<c0d7e9e8>] (schedule_hrtimeout_range_clock+0x22c/0x294)
[   61.110847] [<c0d7e7bc>] (schedule_hrtimeout_range_clock) from [<c0d7ea88>] (schedule_hrtimeout_range+0x38/0x4c)
[   61.112159]  r4:ca283010
[   61.112561] [<c0d7ea50>] (schedule_hrtimeout_range) from [<c0d7e300>] (do_usleep_range+0xb4/0xc8)
[   61.113739] [<c0d7e24c>] (do_usleep_range) from [<c0226598>] (usleep_range+0x58/0x60)
[   61.114781] [<c0226540>] (usleep_range) from [<c082bfbc>] (i2c_imx_start+0x1c0/0x2d8)
[   61.115818] [<c082bdfc>] (i2c_imx_start) from [<c082c590>] (i2c_imx_xfer+0x88/0x11bc)
[   61.116835]  r6:00000000 r5:00000000 r4:ca717ba0 r3:00000000
[   61.117717] [<c082c508>] (i2c_imx_xfer) from [<c08264c0>] (__i2c_transfer+0x424/0x6c0)
[   61.118747]  r10:ca717c46 r9:ffffa293 r8:c1302100 r7:00000000 r6:00000002 r5:00000000
[   61.119899]  r4:ca283010
[   61.120306] [<c082609c>] (__i2c_transfer) from [<c08267d8>] (i2c_transfer+0x7c/0xd8)
[   61.121312]  r10:ca717c46 r9:00000000 r8:00000002 r7:00000008 r6:ca717ba0 r5:00000002
[   61.122469]  r4:ca283010
[   61.122874] [<c082675c>] (i2c_transfer) from [<c0826f84>] (i2c_smbus_xfer+0x694/0xa68)
[   61.123903]  r6:ca721700 r5:00000002 r4:ca283010 r3:00000001
[   61.124784] [<c08268f0>] (i2c_smbus_xfer) from [<c0827af4>] (i2c_smbus_read_i2c_block_data+0x58/0x80)
[   61.125976]  r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:ca721700 r5:ca717c92
[   61.127128]  r4:00000010
[   61.127536] [<c0827a9c>] (i2c_smbus_read_i2c_block_data) from [<c080f93c>] (bma2x2_smbus_read_byte_block+0x24/0x2c)
[   61.128879]  r5:c14731e0 r4:c14731e0
[   61.129438] [<c080f918>] (bma2x2_smbus_read_byte_block) from [<c0810554>] (bma2x2_read_accel_xyz+0x34/0xbc)
[   61.130715] [<c0810520>] (bma2x2_read_accel_xyz) from [<c0810670>] (bma2x2_work_func+0x3c/0xcc)
[   61.131841]  r7:00000005 r6:00000000 r5:c14731e0 r4:ca721778
[   61.132715] [<c0810634>] (bma2x2_work_func) from [<c017f4cc>] (process_one_work+0x6a8/0xc7c)
[   61.133807]  r7:00000000 r6:00000000 r5:c018e100 r4:ca4b7080
[   61.134681] [<c017ee24>] (process_one_work) from [<c0180010>] (worker_thread+0x4f4/0x750)
[   61.135741]  r5:c018e100 r4:ca4b7080
[   61.136295] [<c017fb1c>] (worker_thread) from [<c018e38c>] (kthread+0x28c/0x298)
[   61.137257]  r4:ca70dd00
[   61.137663] [<c018e100>] (kthread) from [<c0109448>] (ret_from_fork+0x14/0x2c)
[   61.138621] Code: e3c4403f e3540000 1594900c 03a09000 (e59962d0)
[   61.139432] ---[ end trace 016c58075fa7ca08 ]---
[   61.182836] Kernel panic - not syncing: Fatal exception
[   61.183585] CPU1: stopping
[   61.183997] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G      D         4.1.27-svn1470 #12
[   61.185031] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
[   61.185885] Backtrace:
[   61.186288] [<c01136ac>] (dump_backtrace) from [<c011387c>] (show_stack+0x2c/0x34)
[   61.187297] [<c0113850>] (show_stack) from [<c05c8d40>] (dump_stack+0x88/0xa4)
[   61.188269] [<c05c8cb8>] (dump_stack) from [<c0119644>] (ipi_cpu_stop+0x64/0x88)
[   61.189234]  r6:ca159cd8 r5:c1304c04 r4:f4a00100 r3:0000000e
[   61.190114] [<c01195e0>] (ipi_cpu_stop) from [<c0119dac>] (handle_IPI+0x3cc/0x714)
[   61.191123] [<c01199e0>] (handle_IPI) from [<c01015fc>] (gic_handle_irq+0x70/0x74)
[   61.192127] [<c010158c>] (gic_handle_irq) from [<c0114d00>] (__irq_svc+0x40/0x74)
[   61.193104] Exception stack(0xca159cd8 to 0xca159d20)
[   61.193781] 9cc0:                                                       00000000 00000002
[   61.194854] 9ce0: 00000000 00000000 cd706030 00000001 c130ee6c 00000001 1000406a 00000001
[   61.195927] 9d00: 00000000 ca159d64 ca159c38 ca159d20 c0d7f674 c08ef440 600f0013 ffffffff
[   61.196987]  r7:ca159d0c r6:ffffffff r5:600f0013 r4:c08ef440
[   61.197883] [<c08ef1c4>] (cpuidle_enter_state) from [<c08ef578>] (cpuidle_enter+0x24/0x28)
[   61.198956]  r10:00000000 r9:412fc09a r8:1000406a r7:c1402310 r6:10c03c7d r5:00000015
[   61.200114]  r4:1a12c06a
[   61.200526] [<c08ef554>] (cpuidle_enter) from [<c01dc7b8>] (cpuidle_idle_call+0x2d8/0x4d0)
[   61.201626] [<c01dc4e0>] (cpuidle_idle_call) from [<c01dd008>] (cpu_idle_loop+0x658/0x704)
[   61.202724] [<c01dc9b0>] (cpu_idle_loop) from [<c01dd0d8>] (cpu_startup_entry+0x24/0x2c)
[   61.203803] [<c01dd0b4>] (cpu_startup_entry) from [<c0118fdc>] (secondary_start_kernel+0x2c8/0x2d0)
[   61.204994] [<c0118d14>] (secondary_start_kernel) from [<1010168c>] (0x1010168c)
[   61.250057] Rebooting in 5 seconds..
[   66.251491] Restarting Linux version 4.1.27-svn1470 (root@stone-linux) (gcc version 4.9.x-google 20140827 (prerelease) (GCC) ) #12 SMP PREEMPT Fri Dec 1 16:04:49 CST 2017
[   66.251491]
[   66.253637] imx restart mode: 0x20
