From: Greg KH <gregkh@linuxfoundation.org>
To: Sodagudi Prasad <psodagud@codeaurora.org>
Cc: ming.lei@canonical.com, linux-kernel@vger.kernel.org
Subject: Re: Free after use in fw_pm_notify()->kill_requests_without_uevent() due pending_fw_head
Date: Tue, 3 Jan 2017 16:19:27 +0100 [thread overview]
Message-ID: <20170103151927.GA25147@kroah.com> (raw)
In-Reply-To: <51ff19ddfe540f7b1886e4b1025ac391@codeaurora.org>
On Tue, Jan 03, 2017 at 06:44:03AM -0800, Sodagudi Prasad wrote:
>
> Hi All,
>
> Device has crashed due to memory access after free while pending_fw_head
> list accessed. Kernel 4.4 stable version is used to reproduce this use after
> free.
> ------------------------------------------------------------------------------------------
> [ 9031.178428] Unable to handle kernel paging request at virtual address
> 6b6b6b6b6b6b6b6b
> [ 9031.178508] pgd = ffffffc0de9d2000
> [ 9031.185888] [6b6b6b6b6b6b6b6b] *pgd=0000000000000000,
> *pud=0000000000000000
> [ 9031.253045] ------------[ cut here ]------------
> [ 9031.253100] Kernel BUG at ffffff800864c0a0 [verbose debug info
> unavailable]
> [ 9031.256860] Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
> [ 9031.263539] Modules linked in:
> [ 9031.272708] CPU: 6 PID: 1373 Comm: system_server Tainted: G W L
> 4.4.16+ #1
> [ 9031.280648] task: ffffffc0d1a1d700 ti: ffffffc0d1a2c000 task.ti:
> ffffffc0d1a2c000
> [ 9031.287776] PC is at fw_pm_notify+0x84/0x19c
> [ 9031.295215] LR is at fw_pm_notify+0x60/0x19c
> [ 9031.511559] [] fw_pm_notify+0x84/0x19c
> [ 9031.519355] [] notifier_call_chain+0x58/0x8c
> [ 9031.524739] [] __blocking_notifier_call_chain+0x54/0x70
> [ 9031.530387] [] blocking_notifier_call_chain+0x38/0x44
> [ 9031.537243] [] pm_notifier_call_chain+0x28/0x48
> [ 9031.543662] [] pm_suspend+0x278/0x674
> [ 9031.549906] [] state_store+0x58/0x90
> [ 9031.554942] [] kobj_attr_store+0x18/0x28
> [ 9031.560154] [] sysfs_kf_write+0x5c/0x68
> [ 9031.565620] [] kernfs_fop_write+0x114/0x16c
> [ 9031.571092] [] __vfs_write+0x48/0xf0
> [ 9031.576816] [] vfs_write+0xb8/0x150
> [ 9031.581848] [] SyS_write+0x58/0x94
> [ 9031.586973] [] el0_svc_naked+0x24/0x28
> -----------------------------------------------------------------------------------------------
>
> Kernel panic is observed during device suspend/resume path in the
> kill_requests_without_uevent() called from fw_pm_notify().
> when pending_list of a firmware_buf is accessed 0x6b(free pattern) pattern
> observed. Based on this firmware_buf is freed even if firmware_buf is part
> of
> pending_fw_head list.
What are you doing in userspace to trigger this problem? What kernel
driver is this happening with?
And 4.4.16 is pretty old, can you try 4.9?
thanks,
greg k-h
next prev parent reply other threads:[~2017-01-03 15:41 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-03 14:44 Free after use in fw_pm_notify()->kill_requests_without_uevent() due pending_fw_head Sodagudi Prasad
2017-01-03 15:19 ` Greg KH [this message]
2017-02-22 2:59 ` Sodagudi Prasad
2017-03-15 0:53 ` Luis R. Rodriguez
2017-04-01 0:53 ` Luis R. Rodriguez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170103151927.GA25147@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ming.lei@canonical.com \
--cc=psodagud@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.