On 2017-01-03 07:19, Greg KH wrote:
On Tue, Jan 03, 2017 at 06:44:03AM -0800, Sodagudi Prasad wrote:
Hi All,
Device has crashed due to memory access after free while
pending_fw_head
list accessed. Kernel 4.4 stable version is used to reproduce this use
after
free.
------------------------------------------------------------------------------------------
[ 9031.178428] Unable to handle kernel paging request at virtual
address
6b6b6b6b6b6b6b6b
[ 9031.178508] pgd = ffffffc0de9d2000
[ 9031.185888] [6b6b6b6b6b6b6b6b] *pgd=0000000000000000,
*pud=0000000000000000
[ 9031.253045] ------------[ cut here ]------------
[ 9031.253100] Kernel BUG at ffffff800864c0a0 [verbose debug info
unavailable]
[ 9031.256860] Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
[ 9031.263539] Modules linked in:
[ 9031.272708] CPU: 6 PID: 1373 Comm: system_server Tainted: G
W L
4.4.16+ #1
[ 9031.280648] task: ffffffc0d1a1d700 ti: ffffffc0d1a2c000 task.ti:
ffffffc0d1a2c000
[ 9031.287776] PC is at fw_pm_notify+0x84/0x19c
[ 9031.295215] LR is at fw_pm_notify+0x60/0x19c
[ 9031.511559] [] fw_pm_notify+0x84/0x19c
[ 9031.519355] [] notifier_call_chain+0x58/0x8c
[ 9031.524739] [] __blocking_notifier_call_chain+0x54/0x70
[ 9031.530387] [] blocking_notifier_call_chain+0x38/0x44
[ 9031.537243] [] pm_notifier_call_chain+0x28/0x48
[ 9031.543662] [] pm_suspend+0x278/0x674
[ 9031.549906] [] state_store+0x58/0x90
[ 9031.554942] [] kobj_attr_store+0x18/0x28
[ 9031.560154] [] sysfs_kf_write+0x5c/0x68
[ 9031.565620] [] kernfs_fop_write+0x114/0x16c
[ 9031.571092] [] __vfs_write+0x48/0xf0
[ 9031.576816] [] vfs_write+0xb8/0x150
[ 9031.581848] [] SyS_write+0x58/0x94
[ 9031.586973] [] el0_svc_naked+0x24/0x28
-----------------------------------------------------------------------------------------------
Kernel panic is observed during device suspend/resume path in the
kill_requests_without_uevent() called from fw_pm_notify().
when pending_list of a firmware_buf is accessed 0x6b(free pattern)
pattern
observed. Based on this firmware_buf is freed even if firmware_buf is
part
of
pending_fw_head list.
What are you doing in userspace to trigger this problem? What kernel
driver is this happening with?
Device continuous suspend and resume is happening here. I think, echo
mem > /sys/power/state issued here.
It is not clear what driver involved here, because after firmware_buf is
freed all memory gets filled with 0x6b pattern.
And 4.4.16 is pretty old, can you try 4.9?
We don't have system which runs on new kernels. Looking for possible
reasons/path, how firmware_buf can get freed when that in
pending_fw_head list.
thanks,
greg k-h
--
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora
Forum,
Linux Foundation Collaborative Project