rk3568 ubuntu20.04 oops analysis
Clicking a desktop icon makes the serial console print the error below, and the error is somewhat different on each crash.
[ 92.839866] Unable to handle kernel paging request at virtual address dead000000000100
[ 92.840575] Mem abort info:
[ 92.840832] ESR = 0x96000004
[ 92.841110] Exception class = DABT (current EL), IL = 32 bits
[ 92.841636] SET = 0, FnV = 0
[ 92.841939] EA = 0, S1PTW = 0
[ 92.842267] Data abort info:
[ 92.842529] ISV = 0, ISS = 0x00000004
[ 92.842876] CM = 0, WnR = 0
[ 92.843144] [dead000000000100] address between user and kernel address ranges
[ 92.843873] Internal error: Oops: 96000004 [#1] SMP
[ 92.844321] Modules linked in:
[ 92.844606] Process kworker/0:1 (pid: 13, stack limit = 0x000000004f5c3f8a)
[ 92.845228] CPU: 0 PID: 13 Comm: kworker/0:1 Not tainted 4.19.232 #6
[ 92.845792] Hardware name: rk3568-bl-metro-SDK140-2512050935 tpcl_edp_boe_M116B30 (V2) beta-(V31) (DT)
[ 92.846625] Workqueue: events rockchip_drm_atomic_work
[ 92.847089] pstate: a0c00009 (NzCv daif +PAN +UAO)
[ 92.847520] pc : __kmalloc+0x210/0x25c
[ 92.847859] lr : __kmalloc+0xc0/0x25c
[ 92.848182] sp : ffffff80097e3bb0
[ 92.848481] x29: ffffff80097e3bb0 x28: 0000000000000000
[ 92.848952] x27: ffffffc07d6610c8 x26: 0000000000000000
[ 92.849423] x25: 0000000000000001 x24: ffffff800868bd0c
[ 92.849894] x23: ffffff800868bd0c x22: 0000000000000080
[ 92.850364] x21: 00000000006000c0 x20: ffffffc000203c80
[ 92.850834] x19: dead000000000100 x18: 0000000000000000
[ 92.851304] x17: 0000000000000000 x16: 0000000000000000
[ 92.851775] x15: ffffff800ca3bcc8 x14: 0000048300000441
[ 92.852245] x13: 0000043b00000483 x12: 0000043800000438
[ 92.852715] x11: 0000000000000854 x10: 000007d0000007b0
[ 92.853185] x9 : 0000085400000780 x8 : 0000000000000000
[ 92.853656] x7 : 0000000000000000 x6 : ffffffc07aad89a8
[ 92.854126] x5 : 0000000000003862 x4 : 0000000000fe6525
[ 92.854596] x3 : ffffffc07feff4b0 x2 : 0000004076a44000
[ 92.855066] x1 : 000000000002f8c7 x0 : 0000000000000000
[ 92.855536] Call trace:
[ 92.855762] __kmalloc+0x210/0x25c
[ 92.856067] vop2_crtc_atomic_begin+0x7c/0x1f0c
[ 92.856474] drm_atomic_helper_commit_planes+0xdc/0x200
[ 92.856935] rockchip_atomic_commit_complete+0xc0/0x138
[ 92.857397] rockchip_drm_atomic_work+0x24/0x34
[ 92.857803] process_one_work+0x1fc/0x330
[ 92.858162] worker_thread+0x22c/0x30c
[ 92.858497] kthread+0x128/0x138
[ 92.858789] ret_from_fork+0x10/0x18
[ 92.859112]
[ 92.859112] PC: 0xffffff80081fd900:
With KASAN enabled in the kernel, reproducing the problem prints the following:
[ 59.883501] BUG: KASAN: double-free or invalid-free in vop2_plane_atomic_update+0x5d3c/0x6b30
[ 59.883514]
[ 59.883802]
[ 59.883817] Allocated by task 1313:
[ 59.884010]
[ 59.884022] Freed by task 28:
[ 59.884136]
[ 59.884152] The buggy address belongs to the object at ffffffc068985a00
[ 59.884152] which belongs to the cache kmalloc-128 of size 128
[ 59.884170] The buggy address is located 0 bytes inside of
[ 59.884170] 128-byte region [ffffffc068985a00, ffffffc068985a80)
[ 59.884185] The buggy address belongs to the page:
[ 59.884201] page:ffffffbf01a26140 count:1 mapcount:0 mapping:ffffffc000203c80 index:0x0
[ 59.884217] flags: 0x200(slab)
[ 59.884239] raw: 0000000000000200 ffffffbf00c1e1c0 0000000200000002 ffffffc000203c80
[ 59.884257] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 59.884268] page dumped because: kasan: bad access detected
[ 59.884278]
[ 59.884287] Memory state around the buggy address:
[ 59.884302] ffffffc068985900: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 59.884317] ffffffc068985980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.884333] >ffffffc068985a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.884343] ^
[ 59.884357] ffffffc068985a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.884372] ffffffc068985b00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 59.884383] ==================================================================
[ 60.216109] ==================================================================
[ 60.216182] BUG: KASAN: double-free or invalid-free in vop2_plane_atomic_update+0x5d3c/0x6b30
[ 60.216194]
[ 60.216479]
[ 60.216494] Allocated by task 1313:
[ 60.216682]
[ 60.216694] Freed by task 13:
[ 60.216804]
[ 60.216819] The buggy address belongs to the object at ffffffc02cb48100
[ 60.216819] which belongs to the cache kmalloc-128 of size 128
[ 60.216838] The buggy address is located 0 bytes inside of
[ 60.216838] 128-byte region [ffffffc02cb48100, ffffffc02cb48180)
[ 60.216852] The buggy address belongs to the page:
[ 60.216868] page:ffffffbf00b2d200 count:1 mapcount:0 mapping:ffffffc000203c80 index:0x0
[ 60.216884] flags: 0x200(slab)
[ 60.216904] raw: 0000000000000200 dead000000000100 dead000000000200 ffffffc000203c80
[ 60.216922] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 60.216934] page dumped because: kasan: bad access detected
[ 60.216943]
[ 60.216952] Memory state around the buggy address:
[ 60.216968] ffffffc02cb48000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 60.216983] ffffffc02cb48080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 60.216999] >ffffffc02cb48100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.217011] ^
[ 60.217025] ffffffc02cb48180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 60.217039] ffffffc02cb48200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.217050] ==================================================================
[ 62.233526] ==================================================================
[ 62.233589] BUG: KASAN: double-free or invalid-free in vop2_plane_atomic_update+0x5d3c/0x6b30
[ 62.233602]
[ 62.233885]
[ 62.233900] Allocated by task 1313:
[ 62.234096]
[ 62.234108] Freed by task 47:
[ 62.234222]
[ 62.234237] The buggy address belongs to the object at ffffffc038234e00
[ 62.234237] which belongs to the cache kmalloc-128 of size 128
[ 62.234256] The buggy address is located 0 bytes inside of
[ 62.234256] 128-byte region [ffffffc038234e00, ffffffc038234e80)
[ 62.234270] The buggy address belongs to the page:
[ 62.234287] page:ffffffbf00e08d00 count:1 mapcount:0 mapping:ffffffc000203c80 index:0x0
[ 62.234302] flags: 0x200(slab)
[ 62.234323] raw: 0000000000000200 dead000000000100 dead000000000200 ffffffc000203c80
[ 62.234340] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 62.234353] page dumped because: kasan: bad access detected
[ 62.234363]
[ 62.234372] Memory state around the buggy address:
[ 62.234388] ffffffc038234d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.234403] ffffffc038234d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.234418] >ffffffc038234e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.234429] ^
[ 62.234443] ffffffc038234e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.234458] ffffffc038234f00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 62.234469] ==================================================================
[ 64.084117] ==================================================================
[ 64.084199] BUG: KASAN: double-free or invalid-free in vop2_plane_atomic_update+0x5d3c/0x6b30
[ 64.084214]
[ 64.084507]
[ 64.084525] Allocated by task 1313:
[ 64.084730]
[ 64.084745] Freed by task 28:
[ 64.084863]
[ 64.084880] The buggy address belongs to the object at ffffffc02e019800
[ 64.084880] which belongs to the cache kmalloc-128 of size 128
[ 64.084900] The buggy address is located 0 bytes inside of
[ 64.084900] 128-byte region [ffffffc02e019800, ffffffc02e019880)
[ 64.084915] The buggy address belongs to the page:
[ 64.084934] page:ffffffbf00b80640 count:1 mapcount:0 mapping:ffffffc000203c80 index:0x0
[ 64.084952] flags: 0x200(slab)
[ 64.084974] raw: 0000000000000200 dead000000000100 dead000000000200 ffffffc000203c80
[ 64.084992] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 64.085004] page dumped because: kasan: bad access detected
[ 64.085014]
[ 64.085023] Memory state around the buggy address:
[ 64.085039] ffffffc02e019700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.085055] ffffffc02e019780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.085070] >ffffffc02e019800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.085080] ^
[ 64.085095] ffffffc02e019880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.085110] ffffffc02e019900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.085121] ==================================================================
[ 369.065777] ==================================================================
[ 369.065850] BUG: KASAN: double-free or invalid-free in vop2_plane_atomic_update+0x5d3c/0x6b30
[ 369.065866]
[ 369.066223]
[ 369.066241] Allocated by task 1313:
[ 369.066491]
[ 369.066505] Freed by task 47:
[ 369.066651]
[ 369.066670] The buggy address belongs to the object at ffffffc0364ee400
[ 369.066670] which belongs to the cache kmalloc-128 of size 128
[ 369.066694] The buggy address is located 0 bytes inside of
[ 369.066694] 128-byte region [ffffffc0364ee400, ffffffc0364ee480)
[ 369.066712] The buggy address belongs to the page:
[ 369.066732] page:ffffffbf00d93b80 count:1 mapcount:0 mapping:ffffffc000203c80 index:0x0
[ 369.066752] flags: 0x200(slab)
[ 369.066777] raw: 0000000000000200 ffffffbf00688440 0000000700000007 ffffffc000203c80
[ 369.066799] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 369.066815] page dumped because: kasan: bad access detected
[ 369.066827]
[ 369.066839] Memory state around the buggy address:
[ 369.066859] ffffffc0364ee300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 369.066878] ffffffc0364ee380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 369.066897] >ffffffc0364ee400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 369.066911] ^
[ 369.066928] ffffffc0364ee480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 369.066947] ffffffc0364ee500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 369.066962] ==================================================================
Use objdump to disassemble vmlinux and locate where the error occurs:
aarch64-buildroot-linux-gnu-objdump -S -l --disassemble=vop2_plane_atomic_update vmlinux > dis.out
Find the address vop2_plane_atomic_update+0x5d3c:
/home/unihmi/linux-v1.4.0/kernel/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c:3890
vpstate->planlist = NULL;
ffffff9008964358: aa1503e0 mov x0, x21
ffffff900896435c: 97e505ff bl ffffff90082a5b58 <__asan_store8>
ffffff9008964360: f94057e0 ldr x0, [sp, #168]
ffffff9008964364: f900881f str xzr, [x0, #272]
It turns out the driver never kmallocs vpstate->planlist; it frees it directly.
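One way to turn the `vop2_plane_atomic_update+0x5d3c/0x6b30` token from the KASAN report into an absolute address to search for in dis.out, as an added example that is not part of the original post. The helper name `resolve_sym_off` and the symbol-table lines are constructed for illustration; the real input would be the output of `aarch64-buildroot-linux-gnu-nm vmlinux`.

```shell
#!/bin/sh
# Added example: resolve "symbol+0xoff/0xsize" from a kernel log to an absolute
# address, given `nm vmlinux` output on stdin. resolve_sym_off is a
# hypothetical helper name, not part of any kernel tooling.
resolve_sym_off() {
    token=$1
    case $token in *+0x*) ;; *) echo "bad token: $token" >&2; return 1 ;; esac
    sym=${token%%+*}
    rest=${token#*+}
    off=${rest%%/*}
    case $rest in
        */*) size=${rest#*/} ;;
        *)   size= ;;
    esac
    # An offset at or past the function size means log and vmlinux disagree.
    if [ -n "$size" ] && [ $(($off)) -ge $(($size)) ]; then
        echo "offset $off is outside $sym (size $size)" >&2
        return 1
    fi
    # nm prints "<address> <type> <name>"; a static name can occur twice.
    matches=$(awk -v s="$sym" '$3 == s && $2 ~ /^[tT]$/ { print $1 }')
    set -- $matches
    if [ $# -ne 1 ]; then
        echo "$sym: $# text symbols found, need exactly one" >&2
        return 1
    fi
    base=$1
    if [ ${#base} -ne 16 ]; then
        echo "expected a 16-digit (64-bit) address, got $base" >&2
        return 1
    fi
    # Kernel addresses have the top bit set and overflow signed shell
    # arithmetic in some shells, so add in 32-bit halves with a manual carry.
    hi=${base%????????}
    lo=${base#????????}
    sum=$((0x$lo + $off))
    hi=$(( (0x$hi + ($sum >> 32)) & 0xffffffff ))
    lo=$(( $sum & 0xffffffff ))
    printf '%08x%08x\n' "$hi" "$lo"
}

# Constructed symbol-table lines (not from the page's vmlinux); the base is
# chosen so that the addition carries out of the low 32 bits.
SAMPLE_NM='ffffff90ffffc000 t vop2_plane_atomic_update
ffffff9100002b30 t vop2_crtc_atomic_begin'

printf '%s\n' "$SAMPLE_NM" |
    resolve_sym_off 'vop2_plane_atomic_update+0x5d3c/0x6b30'
```

The printed address can be searched for in dis.out or passed to `aarch64-buildroot-linux-gnu-addr2line -f -i -e vmlinux` to get the source file and line.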