Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
| arm_kernel_panic [2018/11/28 12:14] – created rpjday | arm_kernel_panic [2018/11/28 13:02] (current) – [The offending(?) kernbel code] rpjday | ||
|---|---|---|---|
| Line 22: | Line 22: | ||
| [  128.468104] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32 | [  128.468104] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32 | ||
| [  128.468109] Control: 10c5387d | [  128.468109] Control: 10c5387d | ||
| + | </ | ||
| + | |||
| + | As you can see: | ||
| + | |||
| + | * kernel panic occurred in '' | ||
| + | * register '' | ||
| + | |||
| + | ===== The offending(? | ||
| + | |||
| + | From '' | ||
| + | |||
| + | < | ||
| + | /* The key must be already stored in q->key. */ | ||
| + | static inline struct futex_hash_bucket *queue_lock(struct futex_q *q) | ||
| + | __acquires(& | ||
| + | { | ||
| + | struct futex_hash_bucket *hb; | ||
| + | |||
| + | hb = hash_futex(& | ||
| + | |||
| + | /* | ||
| + | * Increment the counter before taking the lock so that | ||
| + | * a potential waker won't miss a to-be-slept task that is | ||
| + | * waiting for the spinlock. This is safe as all queue_lock() | ||
| + | * users end up calling queue_me(). Similarly, for housekeeping, | ||
| + | * decrement the counter at queue_unlock() when some error has | ||
| + | * occurred and we don't end up adding the task to the list. | ||
| + | */ | ||
| + | hb_waiters_inc(hb); | ||
| + | |||
| + | q-> | ||
| + | |||
| + | spin_lock(& | ||
| + | return hb; | ||
| + | } | ||
| + | </ | ||
| + | |||
| + | < | ||
| + | /** | ||
| + | * futex_wait_setup() - Prepare to wait on a futex | ||
| + | * @uaddr: | ||
| + | * @val: the expected value | ||
| + | * @flags: | ||
| + | * @q: the associated futex_q | ||
| + | * @hb: | ||
| + | * | ||
| + | * Setup the futex_q and locate the hash_bucket. | ||
| + | * compare it with the expected value. | ||
| + | * Return with the hb lock held and a q.key reference on success, and unlocked | ||
| + | * with no q.key reference on failure. | ||
| + | * | ||
| + | * Return: | ||
| + |  | ||
| + | * <1 - -EFAULT or -EWOULDBLOCK (uaddr does not contain val) and hb is unlocked | ||
| + | */ | ||
| + | static int futex_wait_setup(u32 __user *uaddr, u32 val, unsigned int flags, | ||
| + |  | ||
| + | { | ||
| + | u32 uval; | ||
| + | int ret; | ||
| + | |||
| + | /* | ||
| + | * Access the page AFTER the hash-bucket is locked. | ||
| + | * Order is important: | ||
| + | * | ||
| + |  | ||
| + |  | ||
| + | * | ||
| + | * The basic logical guarantee of a futex is that it blocks ONLY | ||
| + | * if cond(var) is known to be true at the time of blocking, for | ||
| + | * any cond. If we locked the hash-bucket after testing *uaddr, that | ||
| + | * would open a race condition where we could block indefinitely with | ||
| + | * cond(var) false, which would violate the guarantee. | ||
| + |  | ||
| + | * On the other hand, we insert q and release the hash-bucket only | ||
| + | * after testing *uaddr. | ||
| + | * absorb a wakeup if *uaddr does not match the desired values | ||
| + | * while the syscall executes. | ||
| + | */ | ||
| + | retry: | ||
| + | ret = get_futex_key(uaddr, | ||
| + | if (unlikely(ret != 0)) | ||
| + | return ret; | ||
| + | |||
| + | retry_private: | ||
| + | *hb = queue_lock(q); | ||
| + | |||
| + | ret = get_futex_value_locked(& | ||
| + | |||
| + | if (ret) { | ||
| + | queue_unlock(*hb); | ||
| + | |||
| + | ret = get_user(uval, | ||
| + | if (ret) | ||
| + | goto out; | ||
| + | |||
| + | if (!(flags & FLAGS_SHARED)) | ||
| + | goto retry_private; | ||
| + | |||
| + | put_futex_key(& | ||
| + | goto retry; | ||
| + | } | ||
| + | |||
| + | if (uval != val) { | ||
| + | queue_unlock(*hb); | ||
| + | ret = -EWOULDBLOCK; | ||
| + | } | ||
| + | |||
| + | out: | ||
| + | if (ret) | ||
| + | put_futex_key(& | ||
| + | return ret; | ||
| + | } | ||
| + | </ | ||
| + | ===== Disassembling '' | ||
| + | |||
| + | Using: | ||
| + | |||
| + | < | ||
| + | $ arm-wrs-linux-gnueabi-objdump -D -m arm vmlinux | ||
| + | </ | ||
| + | |||
| + | < | ||
| + | c0070448 < | ||
| + | c0070448: | ||
| + | c007044c: | ||
| + | c0070450: | ||
| + | c0070454: | ||
| + | c0070458: | ||
| + | c007045c: | ||
| + | c0070460: | ||
| + | c0070464: | ||
| + | c0070468: | ||
| + | c007046c: | ||
| + | c0070470: | ||
| + | c0070474: | ||
| + | c0070478: | ||
| + | c007047c: | ||
| + | c0070480: | ||
| + | c0070484: | ||
| + | c0070488: | ||
| + | c007048c: | ||
| + | c0070490: | ||
| + | c0070494: | ||
| + | c0070498: | ||
| + | c007049c: | ||
| + | c00704a0: | ||
| + | c00704a4: | ||
| + | c00704a8: | ||
| + | c00704ac: | ||
| + | c00704b0: | ||
| + | c00704b4: | ||
| + | c00704b8: | ||
| + | c00704bc: | ||
| + | c00704c0: | ||
| + | c00704c4: | ||
| + | c00704c8: | ||
| + | c00704cc: | ||
| + | c00704d0: | ||
| + | c00704d4: | ||
| + | c00704d8: | ||
| + | c00704dc: | ||
| + | c00704e0: | ||
| + | c00704e4: | ||
| + | c00704e8: | ||
| + | c00704ec: | ||
| + | c00704f0: | ||
| + | c00704f4: | ||
| + | c00704f8: | ||
| + | c00704fc: | ||
| + | c0070500: | ||
| + | c0070504: | ||
| + | c0070508: | ||
| + | c007050c: | ||
| + | c0070510: | ||
| + | c0070514: | ||
| + | c0070518: | ||
| + | c007051c: | ||
| + | c0070520: | ||
| + | c0070524: | ||
| + | c0070528: | ||
| + | c007052c: | ||
| + | c0070530: | ||
| + | c0070534: | ||
| + | c0070538: | ||
| + | c007053c: | ||
| + | c0070540: | ||
| + | c0070544: | ||
| + | c0070548: | ||
| + | c007054c: | ||
| + | c0070550: | ||
| + | c0070554: | ||
| + | c0070558: | ||
| + | c007055c: | ||
| + | c0070560: | ||
| + | c0070564: | ||
| + | c0070568: | ||
| + | c007056c: | ||
| + | c0070570: | ||
| + | c0070574: | ||
| + | c0070578: | ||
| + | c007057c: | ||
| + | c0070580: | ||
| + | c0070584: | ||
| + | c0070588: | ||
| + | c007058c: | ||
| + | c0070590: | ||
| </ | </ | ||