Date: Tue, 21 Feb 2017 18:59:12 -0800
From: Sodagudi Prasad
To: Greg KH, mcgrof@kernel.org, ming.lei@canonical.com
Cc: ming.lei@canonical.com, linux-kernel@vger.kernel.org
Subject: Re: Free after use in fw_pm_notify()->kill_requests_without_uevent() due pending_fw_head
In-Reply-To: <20170103151927.GA25147@kroah.com>
References: <51ff19ddfe540f7b1886e4b1025ac391@codeaurora.org> <20170103151927.GA25147@kroah.com>
Message-ID: <80b8347c53856cc81a37f1d8ea30ad0a@codeaurora.org>

On 2017-01-03 07:19, Greg KH wrote:
> On Tue, Jan 03, 2017 at 06:44:03AM -0800, Sodagudi Prasad wrote:
>>
>> Hi All,
>>
>> The device has crashed due to a memory access after free while the
>> pending_fw_head list was accessed. The kernel 4.4 stable version is used
>> to reproduce this use after free.
>> ------------------------------------------------------------------------------------------
>> [ 9031.178428] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b6b
>> [ 9031.178508] pgd = ffffffc0de9d2000
>> [ 9031.185888] [6b6b6b6b6b6b6b6b] *pgd=0000000000000000, *pud=0000000000000000
>> [ 9031.253045] ------------[ cut here ]------------
>> [ 9031.253100] Kernel BUG at ffffff800864c0a0 [verbose debug info unavailable]
>> [ 9031.256860] Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
>> [ 9031.263539] Modules linked in:
>> [ 9031.272708] CPU: 6 PID: 1373 Comm: system_server Tainted: G        W L  4.4.16+ #1
>> [ 9031.280648] task: ffffffc0d1a1d700 ti: ffffffc0d1a2c000 task.ti: ffffffc0d1a2c000
>> [ 9031.287776] PC is at fw_pm_notify+0x84/0x19c
>> [ 9031.295215] LR is at fw_pm_notify+0x60/0x19c
>> [ 9031.511559] [] fw_pm_notify+0x84/0x19c
>> [ 9031.519355] [] notifier_call_chain+0x58/0x8c
>> [ 9031.524739] [] __blocking_notifier_call_chain+0x54/0x70
>> [ 9031.530387] [] blocking_notifier_call_chain+0x38/0x44
>> [ 9031.537243] [] pm_notifier_call_chain+0x28/0x48
>> [ 9031.543662] [] pm_suspend+0x278/0x674
>> [ 9031.549906] [] state_store+0x58/0x90
>> [ 9031.554942] [] kobj_attr_store+0x18/0x28
>> [ 9031.560154] [] sysfs_kf_write+0x5c/0x68
>> [ 9031.565620] [] kernfs_fop_write+0x114/0x16c
>> [ 9031.571092] [] __vfs_write+0x48/0xf0
>> [ 9031.576816] [] vfs_write+0xb8/0x150
>> [ 9031.581848] [] SyS_write+0x58/0x94
>> [ 9031.586973] [] el0_svc_naked+0x24/0x28
>> -----------------------------------------------------------------------------------------------
>>
>> The kernel panic is observed during the device suspend/resume path, in
>> kill_requests_without_uevent() called from fw_pm_notify(). When the
>> pending_list of a firmware_buf is accessed, the 0x6b (free) pattern is
>> observed. Based on this, the firmware_buf is freed even though it is
>> still part of the pending_fw_head list.
>
> What are you doing in userspace to trigger this problem?  What kernel
> driver is this happening with?

Continuous device suspend and resume is happening here. I think
echo mem > /sys/power/state is issued here. It is not clear what driver
is involved here, because after the firmware_buf is freed all of its
memory gets filled with the 0x6b pattern.

> And 4.4.16 is pretty old, can you try 4.9?

We don't have a system which runs on new kernels. Looking for possible
reasons/paths for how a firmware_buf can get freed while it is still in
the pending_fw_head list.

> thanks,
>
> greg k-h

--
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
Linux Foundation Collaborative Project
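Added example, not part of the thread or of the kernel source: a userspace model in C of the bug class the oops above shows, an object freed while it is still linked on a list, so that the next list walk loads a pointer out of the freed object and sees SLUB's 0x6b free poison (the 6b6b6b6b6b6b6b6b in the report). The struct firmware_buf layout, the list helpers, fake_kfree(), release_buggy()/release_fixed() and scenario() are stand-ins written for this illustration. The thread does not identify which kernel path frees the buffer, and release_fixed() only demonstrates the generic rule (unlink before free), not any upstream fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE 0x6b   /* byte SLUB writes over a freed object */

struct list_head { struct list_head *next, *prev; };

/* Hypothetical stand-in for the kernel's struct firmware_buf. */
struct firmware_buf {
    struct list_head pending_list;   /* link on pending_fw_head */
    char fw_id[32];
};

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

/* Simulated kfree(): fills the object with POISON_FREE the way SLUB does,
 * but leaves the memory mapped so the walk below can observe the poison
 * instead of faulting. The real kernel faulted on the poisoned pointer. */
static void fake_kfree(void *p, size_t size) { memset(p, POISON_FREE, size); }

/* True if every byte of the pointer value is the poison byte, i.e. the
 * pointer was loaded from an object that has already been freed. */
static int ptr_is_poison(const void *p)
{
    uintptr_t v = (uintptr_t)p;
    for (size_t i = 0; i < sizeof v; i++)
        if (((v >> (8 * i)) & 0xffu) != POISON_FREE)
            return 0;
    return 1;
}

/* Walk pending_fw_head the way kill_requests_without_uevent() walks it.
 * Returns the number of entries visited, or -1 if the next step would
 * dereference a poisoned pointer (the use-after-free in the report). */
static int walk_pending(struct list_head *head)
{
    int n = 0;
    for (struct list_head *pos = head->next; pos != head; pos = pos->next) {
        if (ptr_is_poison(pos))
            return -1;
        n++;
    }
    return n;
}

/* Bug: free the buffer while it is still linked on the list. */
static void release_buggy(struct firmware_buf *buf)
{
    fake_kfree(buf, sizeof *buf);
}

/* Fix: unlink first, then free. */
static void release_fixed(struct firmware_buf *buf)
{
    list_del(&buf->pending_list);
    fake_kfree(buf, sizeof *buf);
}

/* Constructed scenario: three pending buffers, the middle one is released
 * either way, then the list is walked as on the suspend path. */
static int scenario(int fixed)
{
    struct list_head pending_fw_head;
    struct firmware_buf *bufs[3];
    int rc;

    init_list_head(&pending_fw_head);
    for (int i = 0; i < 3; i++) {
        bufs[i] = calloc(1, sizeof *bufs[i]);
        snprintf(bufs[i]->fw_id, sizeof bufs[i]->fw_id, "fw%d.bin", i);
        list_add(&bufs[i]->pending_list, &pending_fw_head);
    }
    if (fixed)
        release_fixed(bufs[1]);
    else
        release_buggy(bufs[1]);
    rc = walk_pending(&pending_fw_head);
    for (int i = 0; i < 3; i++)
        free(bufs[i]);   /* the "freed" object is still mapped in this model */
    return rc;
}

int main(void)
{
    printf("buggy release: walk returns %d\n", scenario(0));   /* -1: poisoned pointer */
    printf("fixed release: walk returns %d\n", scenario(1));   /*  2: two live entries */
    return 0;
}
```

The buggy walk never reaches a third entry: the poisoned object's next field reads as 0x6b6b...6b, which is exactly the address the real oops faulted on. On a real kernel the same check is available via CONFIG_DEBUG_LIST, which validates prev/next consistency on list operations, and via slub_debug=P, which is what produced the 0x6b pattern in the report.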