Capturing and parsing a Qualcomm ramdump

Problem scenario

While working on a Qualcomm 7.1 SMR build, three failures showed up in STS:

Test Result Details
android.security.sts.Poc16_08#testPocCVE_2014_9904 fail junit.framework.AssertionFailedError: Phone has had a hard reset
android.security.sts.Poc16_09#testPocCVE_2016_3866 fail junit.framework.AssertionFailedError: Phone has had a hard reset
android.security.sts.Poc17_08#testPocCVE_2017_0747 fail junit.framework.AssertionFailedError

After searching and comparing, the PocCVE_2017_0747 failure turned out to be a patch that had been missed earlier; applying it fixes the case (how to locate the patch for a CVE is described in "Finding the patch for a CVE"). For CVE_2014_9904 a solution was found in JIRA, and the cause was also learned: the Audio module panicked, which sent the phone into ramdump mode. At that point the phone showed a black screen and adb could not connect, but lsusb showed the phone on the same port as when it was booted normally.

The PocCVE_2016_3866 failure is similar to CVE_2014_9904: it is also caused by a panic in the Audio module. No solution was found in JIRA, so the only option was to capture the dump ourselves and find out where the problem was.

Capturing the ramdump

See https://blog.csdn.net/forever_2015/article/details/77434580

Parsing the ramdump

See https://blog.csdn.net/forever_2015/article/details/70185313. When parsing, it is best to use the tool paths from the SDK or from the Android project tree; the tools that come with the system may fail to parse the dump.

Analyzing the cause

[   90.203334] Unable to handle kernel NULL pointer dereference at virtual address 000000e4
[ 90.203352] pgd = ffffffc09fcf4000
[ 90.203359] [000000e4] *pgd=0000000000000000, *pud=0000000000000000
[ 90.203375] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[ 90.203382] Modules linked in: wlan(O)
[ 90.203400] CPU: 7 PID: 5029 Comm: CVE-2016-3866 Tainted: G W O 3.18.31 #1
[ 90.203406] Hardware name: Qualcomm Technologies, Inc. MSM8937-PMI8950 MTP (DT)
[ 90.203414] task: ffffffc0a04f6040 ti: ffffffc054e64000 task.ti: ffffffc054e64000
[ 90.203431] PC is at is_connected_output_ep+0x20/0x258
[ 90.203442] LR is at snd_soc_dapm_dai_get_connected_widgets+0x4c/0x13c
[ 90.203449] pc : [<ffffffc000ae522c>] lr : [<ffffffc000ae8978>] pstate: 60000145
[ 90.203454] sp : ffffffc054e677e0
[ 90.203460] x29: ffffffc054e677e0 x28: 0000000000000000
[ 90.203470] x27: 0000000000000001 x26: ffffffc09bfb0b00
[ 90.203481] x25: ffffffc00196a000 x24: ffffffc0a3978f00
[ 90.203491] x23: ffffffc09b028810 x22: 0000000000000000
[ 90.203501] x21: ffffffc00188c468 x20: 0000000000000000
[ 90.203511] x19: ffffffc00188c640 x18: 00000000ffffffff
[ 90.203520] x17: 0000007f7ea97cb4 x16: ffffffc0001b9704
[ 90.203531] x15: 0000007f7eb1adac x14: 00000000000f4240
[ 90.203540] x13: 0000000000000000 x12: ffffffff0000000b
[ 90.203550] x11: 0000001000000011 x10: ffffffc000abac20
[ 90.203560] x9 : 0000000000000000 x8 : ffffffc00d4d3480
[ 90.203570] x7 : 0000000000000000 x6 : 000000000000003f
[ 90.203580] x5 : 0000000000000040 x4 : 000000000000000c
[ 90.203589] x3 : 00000000ffffffff x2 : ffffffc00188c600
[ 90.203599] x1 : ffffffc054e678d0 x0 : 0000000000000000
[ 90.203610]
[ 90.203610] PC: 0xffffffc000ae512c:
[ 90.203617] 512c 4b030021 36f80081 91030000 f9406481 14000007 f9406084 d1030084 17ffffdb
[ 90.203645] 514c f94004a1 91030000 aa0503e2 97e18302 a8c17bfd d65f03c0 a9be7bfd 910003fd
[ 90.203671] 516c f9000bf3 aa0003f3 b9400000 35000200 b940b260 340001c0 f9404e60 b4000060
[ 90.203698] 518c 52800081 97ea756f aa1303e0 52800021 97fffac3 2a0003e2 340000a0 f0004c61
[ 90.203725] 51ac f9404e60 912b2821 97ea44e0 b940b260 71000c1f b9400260 54000081 71000c1f
[ 90.203751] 51cc 54000081 1400000c 71000c1f 54000141 aa1303e0 52800041 97fffab1 2a0003e2
[ 90.203778] 51ec 340000a0 f0004c61 f9404e60 912bb021 97ea44ce f9400bf3 a8c27bfd d65f03c0
[ 90.203804] 520c a9ba7bfd 910003fd a90153f3 a9025bf5 a90363f7 a9046bf9 a90573fb aa0003f4
[ 90.203831] 522c b940e400 36f810c0 f9401a80 f9405402 b9433440 11000400 b9033440 b9400293
[ 90.203857] 524c 51004a75 710026bf 540000e8 d2800036 d28040e2 9ad522d5 52800000 ea0202bf
[ 90.203884] 526c 54000ee1 aa0103f7 51001e61 7100483f 540001a8 d2800020 9ac12000 d2900021
[ 90.203910] 528c f2a00081 ea01001f 540000e0 39419280 360800a0 aa1403e0 97fffa65 b900e680
[ 90.203937] 52ac 14000067 39419280 361001a0 7100067f 54000041 3627ff00 51002e60 7100041f
[ 90.203963] 52cc 54fffea9 7100367f 540000a1 f9405281 91028280 eb00003f 54fffde1 aa1403f9
[ 90.203990] 52ec 910003e0 52800015 f0006efa 9272c416 5280081b f84b0f33 9000175c d100a273
[ 90.204017] 530c 9100a260 eb19001f 54000780 f9401a80 f9405401 b9433820 11000400 b9033820
[ 90.204045]
[ 90.204045] LR: 0xffffffc000ae8878:
[ 90.204052] 8878 6b1f02ff 1a9f07e1 5280003c 33000020 39006260 f9400660 97fff123 f9400a60
[ 90.204078] 8898 97fff121 f9402673 d1012273 17ffffef 3400009c aa1503e0 52800001 97fffb1e
[ 90.204105] 88b8 f901a2bf aa1b03e0 940b6475 3400007c aa1503e0 940019e9 f94047a2 2a1603e0
[ 90.204131] 88d8 f9406b21 eb01005f 54000180 97d6e9e1 f9404f80 90004c61 91358421 91008282
[ 90.204157] 88f8 f90033a4 f90037a3 97ea3752 f94037a3 f94033a4 17ffffa4 a94153f3 a9425bf5
[ 90.204184] 8918 a94363f7 a9446bf9 a94573fb a8c97bfd d65f03c0 a9bb7bfd 910003fd a9025bf5
[ 90.204210] 8938 a90153f3 f9001bf7 aa0003f4 2a0103f6 f90027a2 f9404413 9101e275 aa1503e0
[ 90.204237] 8958 940b6553 aa1303e0 91094273 97ffec9f f94027a1 35000136 f9401e80 97fff226
[ 90.204263] 8978 2a0003f7 f9401e81 aa1303e0 9102c021 97ffec5a 14000008 f9402280 97fff2b4
[ 90.204290] 8998 2a0003f7 f9402281 aa1303e0 91028021 97ffec6b 90006ee1 9120a021 b9400820
[ 90.204317] 89b8 6b1f001f 5400046d 910003e0 b0001724 9272c402 52800800 f9425084 b9405443
[ 90.204344] 89d8 1ac00c60 937d7c00 f8606880 9ac32400 36000300 b9405040 11000400 b9005040
[ 90.204370] 89f8 f9401033 b5000113 910003e0 9272c401 b9405020 51000400 b9005020 34000140
[ 90.204397] 8a18 1400000c f9400263 2a1703e1 f9400660 2a1603e2 d63f0060 f8410e60 b5ffff40
[ 90.204423] 8a38 17fffff2 f9400020 36080040 940b5ac6 aa1503e0 940b6412 2a1703e0 f9401bf7
[ 90.204450] 8a58 a94153f3 a9425bf5 a8c57bfd d65f03c0 a9be7bfd 910003fd f9000bf3 aa0003f3
[ 90.204477]
[ 90.204477] SP: 0xffffffc054e676e0:
[ 90.204484] 76e0 0000000c 00000000 00000040 00000000 0000003f 00000000 00000000 00000000
[ 90.204510] 7700 0d4d3480 ffffffc0 00000000 00000000 00abac20 ffffffc0 00000011 00000010
[ 90.204537] 7720 0000000b ffffffff 00000000 00000000 000f4240 00000000 7eb1adac 0000007f
[ 90.204563] 7740 001b9704 ffffffc0 7ea97cb4 0000007f ffffffff 00000000 0188c640 ffffffc0
[ 90.204589] 7760 00000000 00000000 0188c468 ffffffc0 00000000 00000000 9b028810 ffffffc0
[ 90.204616] 7780 a3978f00 ffffffc0 0196a000 ffffffc0 9bfb0b00 ffffffc0 00000001 00000000
[ 90.204642] 77a0 00000000 00000000 54e677e0 ffffffc0 00ae8978 ffffffc0 54e677e0 ffffffc0
[ 90.204669] 77c0 00ae522c ffffffc0 60000145 00000000 0196a000 ffffffc0 9bfb0b00 ffffffc0
[ 90.204695] 77e0 54e67840 ffffffc0 00ae8978 ffffffc0 0188c640 ffffffc0 a3978f00 ffffffc0
[ 90.204721] 7800 0188c468 ffffffc0 00000000 00000000 9b028810 ffffffc0 a3978f00 ffffffc0
[ 90.204748] 7820 0196a000 ffffffc0 9bfb0b00 ffffffc0 00000001 00000000 00000000 00000000
[ 90.204774] 7840 54e67890 ffffffc0 00aed4b8 ffffffc0 00000000 00000000 0196a000 ffffffc0
[ 90.204801] 7860 54e67970 ffffffc0 00000000 00000000 9b028810 ffffffc0 9bfb0b00 ffffffc0
[ 90.204827] 7880 00000001 00000000 54e678d0 ffffffc0 54e678e0 ffffffc0 00aed914 ffffffc0
[ 90.204854] 78a0 00000000 00000000 9b028810 ffffffc0 9b028810 ffffffc0 54e67a28 ffffffc0
[ 90.204881] 78c0 00000000 00000000 000002a0 00000000 0d4d3400 ffffffc0 dc8cb01f cb88537f
[ 90.204907]
[ 90.204915] Process CVE-2016-3866 (pid: 5029, stack limit = 0xffffffc054e64058)
[ 90.204921] Call trace:
[ 90.204932] [<ffffffc000ae522c>] is_connected_output_ep+0x20/0x258
[ 90.204941] [<ffffffc000ae8978>] snd_soc_dapm_dai_get_connected_widgets+0x4c/0x13c
[ 90.204952] [<ffffffc000aed4b8>] dpcm_path_get+0x64/0xe4
[ 90.204961] [<ffffffc000aed914>] dpcm_fe_dai_open+0x68/0x3d0
[ 90.204972] [<ffffffc000ac0bac>] snd_pcm_open_substream+0x88/0x118
[ 90.204982] [<ffffffc000ac0cfc>] snd_pcm_open+0xc0/0x1f0
[ 90.204991] [<ffffffc000ac0ed8>] snd_pcm_playback_open+0x44/0x68
[ 90.205002] [<ffffffc000aad6dc>] snd_open+0x134/0x14c
[ 90.205013] [<ffffffc0001be6e0>] chrdev_open+0x140/0x188
[ 90.205024] [<ffffffc0001b7fb0>] do_dentry_open+0x260/0x2d8
[ 90.205034] [<ffffffc0001b9270>] vfs_open+0x60/0x6c
[ 90.205044] [<ffffffc0001c7b44>] do_last+0x870/0xb58
[ 90.205054] [<ffffffc0001c806c>] path_openat+0x240/0x5f0
[ 90.205062] [<ffffffc0001c8d48>] do_filp_open+0x40/0xa8
[ 90.205071] [<ffffffc0001b962c>] do_sys_open+0x174/0x224
[ 90.205080] [<ffffffc0001b9714>] SyS_openat+0x10/0x18
[ 90.205090] Code: a90363f7 a9046bf9 a90573fb aa0003f4 (b940e400)
[ 90.205100] ---[ end trace 51c768fafb5d0cc0 ]---
[ 90.205115] Kernel panic - not syncing: Fatal exception

The log above shows that the crash is a kernel panic caused by a NULL pointer dereference. The function executing at the time is given by the line "[ 90.203431] PC is at is_connected_output_ep+0x20/0x258", where 0x20 is the offset within the function.

The next step is to determine which line of code is_connected_output_ep+0x20 corresponds to. First load vmlinux in gdb:

gdb vmlinux

Then use print to look at the is_connected_output_ep function:

(gdb) print is_connected_output_ep
$1 = {int (struct snd_soc_dapm_widget *,
struct snd_soc_dapm_widget_list **)} 0xffffffc000ae520c <is_connected_output_ep>

The result shows that the function starts at 0xffffffc000ae520c; adding the 0x20 offset gives 0xffffffc000ae522c. Finally, look up which source line that address corresponds to:

(gdb) list *0xffffffc000ae524c
0xffffffc000ae524c is in is_connected_output_ep (/home/android/workdir/p7601/LA.UM.5.6/LINUX/android/kernel/msm-3.18/sound/soc/soc-dapm.c:857).
warning: Source file is more recent than executable.
857 if (widget->outputs >= 0)
858 return widget->outputs;
859
860 DAPM_UPDATE_STAT(widget, path_checks);
861
862 switch (widget->id) {
863 case snd_soc_dapm_supply:
864 case snd_soc_dapm_regulator_supply:
865 case snd_soc_dapm_clock_supply:
866 case snd_soc_dapm_kcontrol:

This shows that the problem is at line 857 of soc-dapm.c, i.e. widget is NULL.

With the faulting code identified, the fix can be made based on the call stack and the surrounding context; the call stack is visible in the log above.


Copyright © 2018 - 2022 得一 All Rights Reserved.
