Re: Free after use in fw_pm_notify()->kill_requests_without_uevent() due pending_fw_head

From: Sodagudi Prasad
Date: Tue Feb 21 2017 - 21:59:37 EST


On 2017-01-03 07:19, Greg KH wrote:
On Tue, Jan 03, 2017 at 06:44:03AM -0800, Sodagudi Prasad wrote:

Hi All,

The device has crashed due to a memory access after free while the pending_fw_head
list was being accessed. The kernel 4.4 stable version is used to reproduce this use after
free.
------------------------------------------------------------------------------------------
[ 9031.178428] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b6b
[ 9031.178508] pgd = ffffffc0de9d2000
[ 9031.185888] [6b6b6b6b6b6b6b6b] *pgd=0000000000000000, *pud=0000000000000000
[ 9031.253045] ------------[ cut here ]------------
[ 9031.253100] Kernel BUG at ffffff800864c0a0 [verbose debug info unavailable]
[ 9031.256860] Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
[ 9031.263539] Modules linked in:
[ 9031.272708] CPU: 6 PID: 1373 Comm: system_server Tainted: G W L 4.4.16+ #1
[ 9031.280648] task: ffffffc0d1a1d700 ti: ffffffc0d1a2c000 task.ti: ffffffc0d1a2c000
[ 9031.287776] PC is at fw_pm_notify+0x84/0x19c
[ 9031.295215] LR is at fw_pm_notify+0x60/0x19c
[ 9031.511559] [] fw_pm_notify+0x84/0x19c
[ 9031.519355] [] notifier_call_chain+0x58/0x8c
[ 9031.524739] [] __blocking_notifier_call_chain+0x54/0x70
[ 9031.530387] [] blocking_notifier_call_chain+0x38/0x44
[ 9031.537243] [] pm_notifier_call_chain+0x28/0x48
[ 9031.543662] [] pm_suspend+0x278/0x674
[ 9031.549906] [] state_store+0x58/0x90
[ 9031.554942] [] kobj_attr_store+0x18/0x28
[ 9031.560154] [] sysfs_kf_write+0x5c/0x68
[ 9031.565620] [] kernfs_fop_write+0x114/0x16c
[ 9031.571092] [] __vfs_write+0x48/0xf0
[ 9031.576816] [] vfs_write+0xb8/0x150
[ 9031.581848] [] SyS_write+0x58/0x94
[ 9031.586973] [] el0_svc_naked+0x24/0x28
-----------------------------------------------------------------------------------------------

A kernel panic is observed during the device suspend/resume path in
kill_requests_without_uevent(), called from fw_pm_notify().
When the pending_list of a firmware_buf is accessed, the 0x6b (free) pattern is
observed. Based on this, the firmware_buf is freed even though it is part of the
pending_fw_head list.

What are you doing in userspace to trigger this problem? What kernel
driver is this happening with?
Continuous device suspend and resume is happening here. I think echo mem > /sys/power/state is issued here.
It is not clear which driver is involved here, because after the firmware_buf is freed all memory gets filled with the 0x6b pattern.


And 4.4.16 is pretty old, can you try 4.9?
We don't have a system which runs on new kernels. Looking for possible reasons/paths for how firmware_buf can get freed while it is in the pending_fw_head list.


thanks,

greg k-h

--
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
Linux Foundation Collaborative Project
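As an added example (not code from this thread or from the kernel), a user-space model of the failure described above: a struct with an embedded list node, standing in for firmware_buf on pending_fw_head, is released while still linked and filled with 0x6b, and a list walk that checks for the poison before dereferencing reports the stale link instead of faulting on 6b6b6b6b6b6b6b6b. The struct names and the walker are assumptions; POISON_FREE is the kernel's SLUB free-object poison value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define POISON_FREE 0x6b  /* SLUB's free-object poison byte, the 0x6b in the oops */
struct list_head { struct list_head *next, *prev; };
struct fw_buf { int id; struct list_head pending; }; /* stand-in for firmware_buf */
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}
/* The bug, modelled: the object is released while still linked and poisoned as
 * SLUB would. Not free()d here, so the poisoned bytes stay readable in user space. */
static void release_while_linked(struct fw_buf *b) { memset(b, POISON_FREE, sizeof(*b)); }
/* True if every byte of the pointer value is the poison byte, i.e. the pointer
 * was loaded out of freed memory (0x6b6b6b6b6b6b6b6b on arm64). */
static int is_poisoned_ptr(const void *p)
{
    unsigned char poison[sizeof p]; memset(poison, POISON_FREE, sizeof poison);
    return memcmp(&p, poison, sizeof p) == 0;
}
/* Count list entries; return -1 if a link is poisoned. Checking before the
 * dereference turns the paging fault in the report into a diagnosable error. */
static int walk_pending(const struct list_head *head)
{
    int count = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next) {
        if (is_poisoned_ptr(p) || is_poisoned_ptr(p->next)) return -1;
        count++;
    }
    return count;
}
/* Queue two buffers, release the second while still listed, walk again. */
static int demo(void)
{
    struct list_head pending_fw_head;
    struct fw_buf *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
    list_init(&pending_fw_head);
    list_add_tail(&a->pending, &pending_fw_head);
    list_add_tail(&b->pending, &pending_fw_head);
    int before = walk_pending(&pending_fw_head);  /* 2: both buffers live */
    release_while_linked(b);
    int after = walk_pending(&pending_fw_head);   /* -1: stale link found */
    free(a); free(b);
    return before == 2 && after == -1;
}
int main(void) { printf("stale link detected: %s\n", demo() ? "yes" : "no"); return 0; }
```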