From: Greg KH <gregkh@linuxfoundation.org>
To: Sodagudi Prasad <psodagud@codeaurora.org>
Cc: ming.lei@canonical.com, linux-kernel@vger.kernel.org
Subject: Re: Free after use in fw_pm_notify()->kill_requests_without_uevent() due pending_fw_head
Date: Tue, 3 Jan 2017 16:19:27 +0100
Message-ID: <20170103151927.GA25147@kroah.com>
In-Reply-To: <51ff19ddfe540f7b1886e4b1025ac391@codeaurora.org>
On Tue, Jan 03, 2017 at 06:44:03AM -0800, Sodagudi Prasad wrote:
>
> Hi All,
>
> The device has crashed due to a memory access after free while the
> pending_fw_head list was being accessed. The 4.4 stable kernel is used to
> reproduce this use-after-free.
> ------------------------------------------------------------------------------------------
> [ 9031.178428] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b6b
> [ 9031.178508] pgd = ffffffc0de9d2000
> [ 9031.185888] [6b6b6b6b6b6b6b6b] *pgd=0000000000000000, *pud=0000000000000000
> [ 9031.253045] ------------[ cut here ]------------
> [ 9031.253100] Kernel BUG at ffffff800864c0a0 [verbose debug info unavailable]
> [ 9031.256860] Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
> [ 9031.263539] Modules linked in:
> [ 9031.272708] CPU: 6 PID: 1373 Comm: system_server Tainted: G W L 4.4.16+ #1
> [ 9031.280648] task: ffffffc0d1a1d700 ti: ffffffc0d1a2c000 task.ti: ffffffc0d1a2c000
> [ 9031.287776] PC is at fw_pm_notify+0x84/0x19c
> [ 9031.295215] LR is at fw_pm_notify+0x60/0x19c
> [ 9031.511559] [] fw_pm_notify+0x84/0x19c
> [ 9031.519355] [] notifier_call_chain+0x58/0x8c
> [ 9031.524739] [] __blocking_notifier_call_chain+0x54/0x70
> [ 9031.530387] [] blocking_notifier_call_chain+0x38/0x44
> [ 9031.537243] [] pm_notifier_call_chain+0x28/0x48
> [ 9031.543662] [] pm_suspend+0x278/0x674
> [ 9031.549906] [] state_store+0x58/0x90
> [ 9031.554942] [] kobj_attr_store+0x18/0x28
> [ 9031.560154] [] sysfs_kf_write+0x5c/0x68
> [ 9031.565620] [] kernfs_fop_write+0x114/0x16c
> [ 9031.571092] [] __vfs_write+0x48/0xf0
> [ 9031.576816] [] vfs_write+0xb8/0x150
> [ 9031.581848] [] SyS_write+0x58/0x94
> [ 9031.586973] [] el0_svc_naked+0x24/0x28
> -----------------------------------------------------------------------------------------------
>
> A kernel panic is observed during the device suspend/resume path in
> kill_requests_without_uevent(), called from fw_pm_notify().
> When the pending_list of a firmware_buf is accessed, the 0x6b (free pattern)
> pattern is observed. Based on this, the firmware_buf is freed even though it
> is part of the pending_fw_head list.
What are you doing in userspace to trigger this problem? What kernel
driver is this happening with?
And 4.4.16 is pretty old, can you try 4.9?
thanks,
greg k-h
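The failure mode the report describes (an object freed while still linked on pending_fw_head, so the next list walk reads the SLUB free poison 0x6b as a pointer) can be shown in a few dozen lines of user-space C. The following is an added illustration written for this page, not code from the kernel's firmware loader or from either participant; `fw_buf`, `fw_buf_put_buggy`, `fw_buf_put_fixed`, `kill_pending` and the tiny slab emulation are hypothetical stand-ins, and the two pending requests are a constructed scenario. The walker checks for the poison value where the kernel would simply fault on 6b6b6b6b6b6b6b6b.

```c
/* Added example, not kernel code: a user-space model of freeing a refcounted
 * buffer that is still linked on a pending list. Freed slots are poisoned
 * with 0x6b (the SLUB POISON_FREE byte), so the stale list pointers become
 * 0x6b6b6b6b6b6b6b6b, which is what the Oops above shows. All names are
 * hypothetical stand-ins for the driver core's structures. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_BYTE 0x6b
#define POISON_PTR  ((uintptr_t)0x6b6b6b6b6b6b6b6bULL)
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct list_node { struct list_node *next, *prev; };
static void list_init(struct list_node *h) { h->next = h->prev = h; }
static void list_add(struct list_node *n, struct list_node *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
static void list_del(struct list_node *n)
{ n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL; }

/* Model of a firmware_buf: refcounted, on pending_fw_head while user space
 * has not yet answered the request. */
struct fw_buf {
    bool in_use;                 /* slab slot occupied */
    int refcnt;
    char name[16];
    struct list_node pending_list;
};

static struct fw_buf slab[4];    /* tiny slab cache stand-in */
static struct list_node pending_fw_head;

static struct fw_buf *fw_buf_alloc(const char *name)
{
    for (size_t i = 0; i < sizeof slab / sizeof slab[0]; i++) {
        struct fw_buf *b = &slab[i];
        if (b->in_use) continue;
        memset(b, 0, sizeof *b);
        b->in_use = true; b->refcnt = 1;
        snprintf(b->name, sizeof b->name, "%s", name);
        list_init(&b->pending_list);
        return b;
    }
    return NULL;
}

/* Free poisons the whole object, list pointers included, as slub_debug does. */
static void fw_buf_free(struct fw_buf *b)
{ memset(b, POISON_BYTE, sizeof *b); b->in_use = false; }

static void fw_buf_add_pending(struct fw_buf *b)
{ list_add(&b->pending_list, &pending_fw_head); }

/* Buggy release: last reference dropped and object freed while it is still
 * linked on pending_fw_head. */
static void fw_buf_put_buggy(struct fw_buf *b)
{ if (--b->refcnt == 0) fw_buf_free(b); }

/* Fixed release: unlink first (in the kernel, under the lock that serialises
 * pending_fw_head), then free. */
static void fw_buf_put_fixed(struct fw_buf *b)
{
    if (--b->refcnt == 0) {
        if (b->pending_list.next) list_del(&b->pending_list);
        fw_buf_free(b);
    }
}

/* Walker in the role of kill_requests_without_uevent(): drops every pending
 * request. Returns the count handled, or -1 if the next step would follow a
 * poisoned pointer, which is the point where the kernel faults. */
static int kill_pending(void)
{
    int handled = 0;
    struct list_node *pos = pending_fw_head.next;
    while (pos != &pending_fw_head) {
        if ((uintptr_t)pos == POISON_PTR || (uintptr_t)pos->next == POISON_PTR)
            return -1;
        struct list_node *next = pos->next;
        struct fw_buf *b = container_of(pos, struct fw_buf, pending_list);
        list_del(pos);
        (void)b;                 /* real code would abort the request here */
        handled++;
        pos = next;
    }
    return handled;
}

/* Constructed scenario: two requests pending, the last reference to "b.bin"
 * is dropped, then suspend walks the list. */
static int suspend_after_release(bool fixed)
{
    memset(slab, 0, sizeof slab);
    list_init(&pending_fw_head);
    struct fw_buf *a = fw_buf_alloc("a.bin"), *b = fw_buf_alloc("b.bin");
    fw_buf_add_pending(a);
    fw_buf_add_pending(b);
    if (fixed) fw_buf_put_fixed(b); else fw_buf_put_buggy(b);
    return kill_pending();
}

int main(void)
{
    printf("buggy release: kill_pending() -> %d\n", suspend_after_release(false));
    printf("fixed release: kill_pending() -> %d\n", suspend_after_release(true));
    return 0;
}
```

The buggy path returns -1 because the freed slot is still the first entry on the list and its `next` field now reads 0x6b6b6b6b6b6b6b6b; the fixed path returns 1 because the freed buffer was unlinked before its memory was poisoned. In the real kernel the poison is only present with slub_debug enabled; without it the walk reads whatever the slot was reused for, which is harder to spot but no safer.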
Thread overview: 5+ messages
2017-01-03 14:44 Free after use in fw_pm_notify()->kill_requests_without_uevent() due pending_fw_head Sodagudi Prasad
2017-01-03 15:19 ` Greg KH [this message]
2017-02-22 2:59 ` Sodagudi Prasad
2017-03-15 0:53 ` Luis R. Rodriguez
2017-04-01 0:53 ` Luis R. Rodriguez