标签:style blog io ar color os sp for on
Panic log:
[ 939.136378] c0 11060 (kworker/u8:5) binder: release 29969:29969 transaction 41327 out, still active [ 951.095433] c1 1026 (Binder_6) binder: 644:1026 transaction failed 29189, size 18336-0 [ 951.103360] c1 1026 (Binder_6) binder: send failed reply for transaction 41327, target dead [ 952.103111] c1 5588 (concur_s_opchan) Unable to handle kernel paging request at virtual address 8000000000 [ 952.125168] c1 5588 (concur_s_opchan) pgd = ffffffc0039be000 [ 952.132150] [8000000000] *pgd=000000001e588003, *pmd=000000001937f003, *pte=0000000000000000 [ 952.175000] c1 5588 (concur_s_opchan) Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 952.182791] Modules linked in: hwmap runcase_sysfs(O) audiostub cidatattydev gs_modem ccinetdev cci_datastub citty iml_module seh cploaddev msocketk tzdd galcore(O) [ 952.197659] c1 5588 (concur_s_opchan) CPU: 1 PID: 5588 Comm: concur_s_opchan Tainted: G O 3.10.33 #1 [ 952.207604] c1 5588 (concur_s_opchan) task: ffffffc02e106180 ti: ffffffc009124000 task.ti: ffffffc009124000 [ 952.217311] c1 5588 (concur_s_opchan) PC is at __rb_insert_augmented+0xe8/0x1e0 [ 952.224595] c1 5588 (concur_s_opchan) LR is at anon_vma_interval_tree_insert+0x94/0x9c [ 952.232475] c1 5588 (concur_s_opchan) pc : [<ffffffc000307d50>] lr : [<ffffffc000164488>] pstate: 60000145 [ 952.242068] c1 5588 (concur_s_opchan) sp : ffffffc009127c50 [ 952.247612] R29: ffffffc009127c50 R28: ffffffc0008fee20 [ 952.252927] R27: ffffffc021d92a10 R26: ffffffc000acbf10 [ 952.258271] R25: ffffffc000c1d5c0 R24: ffffffc00c90c5f8 [ 952.263602] R23: ffffffc021d92a10 R22: ffffffc0299e0c80 [ 952.268935] R21: ffffffc021d92a38 R20: ffffffc02d7bca50 [ 952.274251] R19: ffffffc021e15a60 R18: 0000000000000000 [ 952.279566] R17: 0000000000000000 R16: ffffffc00009eae4 [ 952.284881] R15: 0000000000000000 R14: ffffffc0299e0d10 [ 952.290197] R13: 0000000000000000 R12: 0000000000000000 [ 952.295512] R11: 0000000000000000 R10: 0000000000000000 [ 952.300828] R9 : 000000000000058b R8 : ffffffc0098c35e0 [ 952.306143] R7 : ffffffc021e15a60 R6 : 0000000000000010 [ 952.311459] R5 : ffffffc021e15a61 R4 : ffffffc021e15a61 [ 952.316793] R3 : ffffffc0098c35e0 R2 : ffffffc000163ed0 [ 952.322109] R1 : 0000008000000000 R0 : ffffffc021e15b60 [ 952.327426] c1 5588 (concur_s_opchan) [ 952.331172] c1 5588 (concur_s_opchan) [ 952.331172] PC: ffffffc000307cd0:
Analyze:
We can see that system panic due to access of invalid address 8000000000, where does it come from?
Disassemble function __rb_insert_augmented:
ffffffc000307c68 <__rb_insert_augmented>: ffffffc000307c68: a9bc7bfd stp x29, x30, [sp,#-64]! ffffffc000307c6c: 910003fd mov x29, sp ffffffc000307c70: f90013f5 str x21, [sp,#32] ffffffc000307c74: a90153f3 stp x19, x20, [sp,#16] ffffffc000307c78: f9400003 ldr x3, [x0] ffffffc000307c7c: aa0103f5 mov x21, x1 ffffffc000307c80: b4000be3 cbz x3, ffffffc000307dfc <__rb_insert_augmented+0x194> ffffffc000307c84: f9400073 ldr x19, [x3] ffffffc000307c88: 37000253 tbnz w19, #0, ffffffc000307cd0 <__rb_insert_augmented+0x68> ffffffc000307c8c: f9400664 ldr x4, [x19,#8] ffffffc000307c90: b2400265 orr x5, x19, #0x1 ffffffc000307c94: eb04007f cmp x3, x4 ffffffc000307c98: aa1303e7 mov x7, x19 ffffffc000307c9c: 54000540 b.eq ffffffc000307d44 <__rb_insert_augmented+0xdc> ffffffc000307ca0: b4000204 cbz x4, ffffffc000307ce0 <__rb_insert_augmented+0x78> ffffffc000307ca4: f9400086 ldr x6, [x4] ffffffc000307ca8: 370001c6 tbnz w6, #0, ffffffc000307ce0 <__rb_insert_augmented+0x78> ffffffc000307cac: f9000085 str x5, [x4] ffffffc000307cb0: f9000065 str x5, [x3] ffffffc000307cb4: f9400263 ldr x3, [x19] ffffffc000307cb8: 927ef463 and x3, x3, #0xfffffffffffffffc ffffffc000307cbc: f9000263 str x3, [x19] ffffffc000307cc0: b40009c3 cbz x3, ffffffc000307df8 <__rb_insert_augmented+0x190> ffffffc000307cc4: f9400073 ldr x19, [x3] ffffffc000307cc8: aa0703e0 mov x0, x7 ffffffc000307ccc: 3607fe13 tbz w19, #0, ffffffc000307c8c <__rb_insert_augmented+0x24> ffffffc000307cd0: a94153f3 ldp x19, x20, [sp,#16] ffffffc000307cd4: f94013f5 ldr x21, [sp,#32] ffffffc000307cd8: a8c47bfd ldp x29, x30, [sp],#64 ffffffc000307cdc: d65f03c0 ret ffffffc000307ce0: f9400474 ldr x20, [x3,#8] ffffffc000307ce4: eb00029f cmp x20, x0 ffffffc000307ce8: 54000640 b.eq ffffffc000307db0 <__rb_insert_augmented+0x148> ffffffc000307cec: aa0303e4 mov x4, x3 ffffffc000307cf0: f9000a74 str x20, [x19,#16] ffffffc000307cf4: f9000473 str x19, [x3,#8] ffffffc000307cf8: b4000074 cbz x20, ffffffc000307d04 <__rb_insert_augmented+0x9c> ffffffc000307cfc: b2400260 orr x0, x19, #0x1 ffffffc000307d00: f9000280 str x0, [x20] ffffffc000307d04: f9400260 ldr x0, [x19] ffffffc000307d08: f9000060 str x0, [x3] ffffffc000307d0c: f9000264 str x4, [x19] ffffffc000307d10: 927ef400 and x0, x0, #0xfffffffffffffffc ffffffc000307d14: b40003e0 cbz x0, ffffffc000307d90 <__rb_insert_augmented+0x128> ffffffc000307d18: f9400801 ldr x1, [x0,#16] ffffffc000307d1c: eb01027f cmp x19, x1 ffffffc000307d20: 54000680 b.eq ffffffc000307df0 <__rb_insert_augmented+0x188> ffffffc000307d24: f9000403 str x3, [x0,#8] ffffffc000307d28: aa1303e0 mov x0, x19 ffffffc000307d2c: aa0303e1 mov x1, x3 ffffffc000307d30: d63f0040 blr x2 ffffffc000307d34: a94153f3 ldp x19, x20, [sp,#16] ffffffc000307d38: f94013f5 ldr x21, [sp,#32] ffffffc000307d3c: a8c47bfd ldp x29, x30, [sp],#64 ffffffc000307d40: d65f03c0 ret ffffffc000307d44: f9400a61 ldr x1, [x19,#16] ffffffc000307d48: b2400264 orr x4, x19, #0x1 ffffffc000307d4c: b4000061 cbz x1, ffffffc000307d58 <__rb_insert_augmented+0xf0> ffffffc000307d50: f9400025 ldr x5, [x1] ffffffc000307d54: 36000225 tbz w5, #0, ffffffc000307d98 <__rb_insert_augmented+0x130> ffffffc000307d58: f9400874 ldr x20, [x3,#16]
yellow line caused panic, ldr load memory content from address X1 to X5, x1 equals 8000000000, it is not a valid kernel space address thus panic occurs,
we can see x1 is got from [x19,#16], combine with source code, X19 is the address of struct rb_node(we can get x19 from panic log), use crash to check it.
crash> struct rb_node ffffffc021e15a60 //(it is X19) struct rb_node { __rb_parent_color = 18446743799310610977, rb_right = 0xffffffc0098c35e0, rb_left = 0x8000000000 }
So X1 represents address of rb_left, it should be a normal kernel space address or 0, I think 0x8000000000 is more like a one-bit error address, it should be 0.
ddr不稳定导致1-bit error引起kernel panic(Unable to handle kernel paging request )
标签:style blog io ar color os sp for on
原文地址:http://www.cnblogs.com/muryo/p/4123067.html