From: Sodagudi Prasad <psodagud@codeaurora.org>
To: Greg KH <gregkh@linuxfoundation.org>,
mcgrof@kernel.org, ming.lei@canonical.com
Cc: ming.lei@canonical.com, linux-kernel@vger.kernel.org
Subject: Re: Free after use in fw_pm_notify()->kill_requests_without_uevent() due pending_fw_head
Date: Tue, 21 Feb 2017 18:59:12 -0800
Message-ID: <80b8347c53856cc81a37f1d8ea30ad0a@codeaurora.org>
In-Reply-To: <20170103151927.GA25147@kroah.com>
On 2017-01-03 07:19, Greg KH wrote:
> On Tue, Jan 03, 2017 at 06:44:03AM -0800, Sodagudi Prasad wrote:
>>
>> Hi All,
>>
>> The device crashed due to a memory access after free while the
>> pending_fw_head list was being accessed. The kernel 4.4 stable version
>> is used to reproduce this use after free.
>> ------------------------------------------------------------------------------------------
>> [ 9031.178428] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b6b
>> [ 9031.178508] pgd = ffffffc0de9d2000
>> [ 9031.185888] [6b6b6b6b6b6b6b6b] *pgd=0000000000000000, *pud=0000000000000000
>> [ 9031.253045] ------------[ cut here ]------------
>> [ 9031.253100] Kernel BUG at ffffff800864c0a0 [verbose debug info unavailable]
>> [ 9031.256860] Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
>> [ 9031.263539] Modules linked in:
>> [ 9031.272708] CPU: 6 PID: 1373 Comm: system_server Tainted: G W L 4.4.16+ #1
>> [ 9031.280648] task: ffffffc0d1a1d700 ti: ffffffc0d1a2c000 task.ti: ffffffc0d1a2c000
>> [ 9031.287776] PC is at fw_pm_notify+0x84/0x19c
>> [ 9031.295215] LR is at fw_pm_notify+0x60/0x19c
>> [ 9031.511559] [] fw_pm_notify+0x84/0x19c
>> [ 9031.519355] [] notifier_call_chain+0x58/0x8c
>> [ 9031.524739] [] __blocking_notifier_call_chain+0x54/0x70
>> [ 9031.530387] [] blocking_notifier_call_chain+0x38/0x44
>> [ 9031.537243] [] pm_notifier_call_chain+0x28/0x48
>> [ 9031.543662] [] pm_suspend+0x278/0x674
>> [ 9031.549906] [] state_store+0x58/0x90
>> [ 9031.554942] [] kobj_attr_store+0x18/0x28
>> [ 9031.560154] [] sysfs_kf_write+0x5c/0x68
>> [ 9031.565620] [] kernfs_fop_write+0x114/0x16c
>> [ 9031.571092] [] __vfs_write+0x48/0xf0
>> [ 9031.576816] [] vfs_write+0xb8/0x150
>> [ 9031.581848] [] SyS_write+0x58/0x94
>> [ 9031.586973] [] el0_svc_naked+0x24/0x28
>> -----------------------------------------------------------------------------------------------
>>
>> A kernel panic is observed during the device suspend/resume path, in
>> kill_requests_without_uevent() called from fw_pm_notify(). When the
>> pending_list of a firmware_buf is accessed, the 0x6b (free) pattern is
>> observed. Based on this, the firmware_buf is freed even though it is
>> still part of the pending_fw_head list.
>
> What are you doing in userspace to trigger this problem? What kernel
> driver is this happening with?
Continuous device suspend and resume is happening here. I think echo
mem > /sys/power/state is issued here.
It is not clear which driver is involved here, because after firmware_buf is
freed all memory gets filled with the 0x6b pattern.
>
> And 4.4.16 is pretty old, can you try 4.9?
We don't have a system which runs on newer kernels. Looking for possible
reasons/paths by which firmware_buf can get freed while it is in the
pending_fw_head list.
>
> thanks,
>
> greg k-h
--
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project
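Added illustration, not from this thread and not the kernel's firmware_class code: a constructed user-space model of the structures the report names (firmware_buf linked into pending_fw_head), a poisoning free that fills the object with 0x6b, and a list walker that recognises the poison pattern instead of faulting. It shows why a buf freed while still linked yields exactly the 0x6b6b6b6b6b6b6b6b fault address in the oops; free_then_walk, ptr_is_poison and the simplified list helpers are assumptions of the model.

```c
#include <stddef.h>
#include <string.h>
/* Constructed user-space model of the structures named in the report; not kernel code. */
#define POISON_FREE 0x6b  /* byte a poisoning slab allocator writes over freed objects */

struct list_head { struct list_head *next, *prev; };
struct firmware_buf { struct list_head pending_list; /* links into pending_fw_head */ };
static struct list_head pending_fw_head = { &pending_fw_head, &pending_fw_head };

static void list_add(struct list_head *n, struct list_head *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
static void list_del(struct list_head *e)
{ e->prev->next = e->next; e->next->prev = e->prev; }
/* Stand-in for kfree() with slab poisoning; storage stays valid so the model can read it back. */
static void poisoned_free(struct firmware_buf *b) { memset(b, POISON_FREE, sizeof *b); }

/* A pointer whose every byte is 0x6b was loaded from a freed object
 * (the 0x6b6b6b6b6b6b6b6b fault address in the oops). */
static int ptr_is_poison(const void *p)
{
    unsigned char bytes[sizeof p];
    memcpy(bytes, &p, sizeof p);
    for (size_t i = 0; i < sizeof p; i++)
        if (bytes[i] != POISON_FREE) return 0;
    return 1;
}

/* Walk pending_fw_head as kill_requests_without_uevent() does, but stop at a
 * poisoned link instead of faulting. Returns bufs seen, or -1 on a freed buf. */
static int walk_pending(void)
{
    int n = 0;
    for (struct list_head *e = pending_fw_head.next; e != &pending_fw_head; e = e->next) {
        if (ptr_is_poison(e)) return -1;
        n++;
    }
    return n;
}

/* Link one buf, free it, walk. unlink_first=0 is the order the report suspects
 * (freed while still on the list); unlink_first=1 is the correct order. */
static int free_then_walk(int unlink_first)
{
    static struct firmware_buf buf;
    pending_fw_head.next = pending_fw_head.prev = &pending_fw_head;  /* reset list */
    list_add(&buf.pending_list, &pending_fw_head);
    if (unlink_first) list_del(&buf.pending_list);
    poisoned_free(&buf);
    return walk_pending();  /* -1 when freed while linked, 0 when unlinked first */
}
```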