rk3568 ubuntu20.04 Oops analysis
什么都没有 · 2025-12-25 · via 博客园 - 什么都没有

Clicking a desktop icon makes the serial console print the error below, and the error is slightly different on every crash.

[ 92.839866] Unable to handle kernel paging request at virtual address dead000000000100
[ 92.840575] Mem abort info:
[ 92.840832] ESR = 0x96000004
[ 92.841110] Exception class = DABT (current EL), IL = 32 bits
[ 92.841636] SET = 0, FnV = 0
[ 92.841939] EA = 0, S1PTW = 0
[ 92.842267] Data abort info:
[ 92.842529] ISV = 0, ISS = 0x00000004
[ 92.842876] CM = 0, WnR = 0
[ 92.843144] [dead000000000100] address between user and kernel address ranges
[ 92.843873] Internal error: Oops: 96000004 [#1] SMP
[ 92.844321] Modules linked in:
[ 92.844606] Process kworker/0:1 (pid: 13, stack limit = 0x000000004f5c3f8a)
[ 92.845228] CPU: 0 PID: 13 Comm: kworker/0:1 Not tainted 4.19.232 #6
[ 92.845792] Hardware name: rk3568-bl-metro-SDK140-2512050935 tpcl_edp_boe_M116B30 (V2) beta-(V31) (DT)
[ 92.846625] Workqueue: events rockchip_drm_atomic_work
[ 92.847089] pstate: a0c00009 (NzCv daif +PAN +UAO)
[ 92.847520] pc : __kmalloc+0x210/0x25c
[ 92.847859] lr : __kmalloc+0xc0/0x25c
[ 92.848182] sp : ffffff80097e3bb0
[ 92.848481] x29: ffffff80097e3bb0 x28: 0000000000000000
[ 92.848952] x27: ffffffc07d6610c8 x26: 0000000000000000
[ 92.849423] x25: 0000000000000001 x24: ffffff800868bd0c
[ 92.849894] x23: ffffff800868bd0c x22: 0000000000000080
[ 92.850364] x21: 00000000006000c0 x20: ffffffc000203c80
[ 92.850834] x19: dead000000000100 x18: 0000000000000000
[ 92.851304] x17: 0000000000000000 x16: 0000000000000000
[ 92.851775] x15: ffffff800ca3bcc8 x14: 0000048300000441
[ 92.852245] x13: 0000043b00000483 x12: 0000043800000438
[ 92.852715] x11: 0000000000000854 x10: 000007d0000007b0
[ 92.853185] x9 : 0000085400000780 x8 : 0000000000000000
[ 92.853656] x7 : 0000000000000000 x6 : ffffffc07aad89a8
[ 92.854126] x5 : 0000000000003862 x4 : 0000000000fe6525
[ 92.854596] x3 : ffffffc07feff4b0 x2 : 0000004076a44000
[ 92.855066] x1 : 000000000002f8c7 x0 : 0000000000000000
[ 92.855536] Call trace:
[ 92.855762] __kmalloc+0x210/0x25c
[ 92.856067] vop2_crtc_atomic_begin+0x7c/0x1f0c
[ 92.856474] drm_atomic_helper_commit_planes+0xdc/0x200
[ 92.856935] rockchip_atomic_commit_complete+0xc0/0x138
[ 92.857397] rockchip_drm_atomic_work+0x24/0x34
[ 92.857803] process_one_work+0x1fc/0x330
[ 92.858162] worker_thread+0x22c/0x30c
[ 92.858497] kthread+0x128/0x138
[ 92.858789] ret_from_fork+0x10/0x18
[ 92.859112]
[ 92.859112] PC: 0xffffff80081fd900:

With KASAN enabled in the kernel, reproducing the problem prints the following:

[ 59.883501] BUG: KASAN: double-free or invalid-free in vop2_plane_atomic_update+0x5d3c/0x6b30
[ 59.883514]
[ 59.883802]
[ 59.883817] Allocated by task 1313:
[ 59.884010]
[ 59.884022] Freed by task 28:
[ 59.884136]
[ 59.884152] The buggy address belongs to the object at ffffffc068985a00
[ 59.884152] which belongs to the cache kmalloc-128 of size 128
[ 59.884170] The buggy address is located 0 bytes inside of
[ 59.884170] 128-byte region [ffffffc068985a00, ffffffc068985a80)
[ 59.884185] The buggy address belongs to the page:
[ 59.884201] page:ffffffbf01a26140 count:1 mapcount:0 mapping:ffffffc000203c80 index:0x0
[ 59.884217] flags: 0x200(slab)
[ 59.884239] raw: 0000000000000200 ffffffbf00c1e1c0 0000000200000002 ffffffc000203c80
[ 59.884257] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 59.884268] page dumped because: kasan: bad access detected
[ 59.884278]
[ 59.884287] Memory state around the buggy address:
[ 59.884302] ffffffc068985900: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 59.884317] ffffffc068985980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.884333] >ffffffc068985a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.884343] ^
[ 59.884357] ffffffc068985a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.884372] ffffffc068985b00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 59.884383] ==================================================================
[ 60.216109] ==================================================================
[ 60.216182] BUG: KASAN: double-free or invalid-free in vop2_plane_atomic_update+0x5d3c/0x6b30
[ 60.216194]
[ 60.216479]
[ 60.216494] Allocated by task 1313:
[ 60.216682]
[ 60.216694] Freed by task 13:
[ 60.216804]
[ 60.216819] The buggy address belongs to the object at ffffffc02cb48100
[ 60.216819] which belongs to the cache kmalloc-128 of size 128
[ 60.216838] The buggy address is located 0 bytes inside of
[ 60.216838] 128-byte region [ffffffc02cb48100, ffffffc02cb48180)
[ 60.216852] The buggy address belongs to the page:
[ 60.216868] page:ffffffbf00b2d200 count:1 mapcount:0 mapping:ffffffc000203c80 index:0x0
[ 60.216884] flags: 0x200(slab)
[ 60.216904] raw: 0000000000000200 dead000000000100 dead000000000200 ffffffc000203c80
[ 60.216922] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 60.216934] page dumped because: kasan: bad access detected
[ 60.216943]
[ 60.216952] Memory state around the buggy address:
[ 60.216968] ffffffc02cb48000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 60.216983] ffffffc02cb48080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 60.216999] >ffffffc02cb48100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.217011] ^
[ 60.217025] ffffffc02cb48180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 60.217039] ffffffc02cb48200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.217050] ==================================================================
[ 62.233526] ==================================================================
[ 62.233589] BUG: KASAN: double-free or invalid-free in vop2_plane_atomic_update+0x5d3c/0x6b30
[ 62.233602]
[ 62.233885]
[ 62.233900] Allocated by task 1313:
[ 62.234096]
[ 62.234108] Freed by task 47:
[ 62.234222]
[ 62.234237] The buggy address belongs to the object at ffffffc038234e00
[ 62.234237] which belongs to the cache kmalloc-128 of size 128
[ 62.234256] The buggy address is located 0 bytes inside of
[ 62.234256] 128-byte region [ffffffc038234e00, ffffffc038234e80)
[ 62.234270] The buggy address belongs to the page:
[ 62.234287] page:ffffffbf00e08d00 count:1 mapcount:0 mapping:ffffffc000203c80 index:0x0
[ 62.234302] flags: 0x200(slab)
[ 62.234323] raw: 0000000000000200 dead000000000100 dead000000000200 ffffffc000203c80
[ 62.234340] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 62.234353] page dumped because: kasan: bad access detected
[ 62.234363]
[ 62.234372] Memory state around the buggy address:
[ 62.234388] ffffffc038234d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.234403] ffffffc038234d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.234418] >ffffffc038234e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.234429] ^
[ 62.234443] ffffffc038234e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.234458] ffffffc038234f00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 62.234469] ==================================================================
[ 64.084117] ==================================================================
[ 64.084199] BUG: KASAN: double-free or invalid-free in vop2_plane_atomic_update+0x5d3c/0x6b30
[ 64.084214]
[ 64.084507]
[ 64.084525] Allocated by task 1313:
[ 64.084730]
[ 64.084745] Freed by task 28:
[ 64.084863]
[ 64.084880] The buggy address belongs to the object at ffffffc02e019800
[ 64.084880] which belongs to the cache kmalloc-128 of size 128
[ 64.084900] The buggy address is located 0 bytes inside of
[ 64.084900] 128-byte region [ffffffc02e019800, ffffffc02e019880)
[ 64.084915] The buggy address belongs to the page:
[ 64.084934] page:ffffffbf00b80640 count:1 mapcount:0 mapping:ffffffc000203c80 index:0x0
[ 64.084952] flags: 0x200(slab)
[ 64.084974] raw: 0000000000000200 dead000000000100 dead000000000200 ffffffc000203c80
[ 64.084992] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 64.085004] page dumped because: kasan: bad access detected
[ 64.085014]
[ 64.085023] Memory state around the buggy address:
[ 64.085039] ffffffc02e019700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.085055] ffffffc02e019780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.085070] >ffffffc02e019800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.085080] ^
[ 64.085095] ffffffc02e019880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.085110] ffffffc02e019900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.085121] ==================================================================
[ 369.065777] ==================================================================
[ 369.065850] BUG: KASAN: double-free or invalid-free in vop2_plane_atomic_update+0x5d3c/0x6b30
[ 369.065866]
[ 369.066223]
[ 369.066241] Allocated by task 1313:
[ 369.066491]
[ 369.066505] Freed by task 47:
[ 369.066651]
[ 369.066670] The buggy address belongs to the object at ffffffc0364ee400
[ 369.066670] which belongs to the cache kmalloc-128 of size 128
[ 369.066694] The buggy address is located 0 bytes inside of
[ 369.066694] 128-byte region [ffffffc0364ee400, ffffffc0364ee480)
[ 369.066712] The buggy address belongs to the page:
[ 369.066732] page:ffffffbf00d93b80 count:1 mapcount:0 mapping:ffffffc000203c80 index:0x0
[ 369.066752] flags: 0x200(slab)
[ 369.066777] raw: 0000000000000200 ffffffbf00688440 0000000700000007 ffffffc000203c80
[ 369.066799] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 369.066815] page dumped because: kasan: bad access detected
[ 369.066827]
[ 369.066839] Memory state around the buggy address:
[ 369.066859] ffffffc0364ee300: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 369.066878] ffffffc0364ee380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 369.066897] >ffffffc0364ee400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 369.066911] ^
[ 369.066928] ffffffc0364ee480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 369.066947] ffffffc0364ee500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

[ 369.066962] ==================================================================

Use objdump to disassemble vmlinux and locate the faulting position:

aarch64-buildroot-linux-gnu-objdump -S -l --disassemble=vop2_plane_atomic_update  vmlinux > dis.out

Find the address vop2_plane_atomic_update+0x5d3c in the output:

/home/unihmi/linux-v1.4.0/kernel/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c:3890
vpstate->planlist = NULL;
ffffff9008964358: aa1503e0 mov x0, x21
ffffff900896435c: 97e505ff bl ffffff90082a5b58 <__asan_store8>
ffffff9008964360: f94057e0 ldr x0, [sp, #168]
ffffff9008964364: f900881f str xzr, [x0, #272]

It turns out the driver never kmallocs vpstate->planlist; it frees it directly.
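
The same triage as a script, as an added example that is not from the original post: it pulls the symbol+offset and the freeing tasks out of the KASAN report headers, then resolves the offset to a source line in an `objdump -S -l` listing. The log lines, the `demo_plane_update` symbol, the addresses and the source path are constructed sample input.

```python
import re

BUG = re.compile(r"BUG: KASAN: (.+?) in (\w+)\+(0x[0-9a-f]+)/0x[0-9a-f]+")
FREED = re.compile(r"Freed by task (\d+):")
HEAD = re.compile(r"^([0-9a-f]+) <(\w+)>:")   # "addr <symbol>:" function header
INSN = re.compile(r"^\s*([0-9a-f]+):\s")      # "addr:<tab>opcode ..." instruction
SRC = re.compile(r"^(/\S+):(\d+)")            # "/path/file.c:line" marker from -l
# Constructed sample input: symbol, addresses and paths are hypothetical.
SAMPLE_DMESG = """\
[   59.883501] BUG: KASAN: double-free or invalid-free in demo_plane_update+0x14/0x40
[   59.884022] Freed by task 28:
[   60.216182] BUG: KASAN: double-free or invalid-free in demo_plane_update+0x14/0x40
[   60.216694] Freed by task 13:
"""
SAMPLE_LISTING = """\
ffffff9008000000 <demo_plane_update>:
/src/demo_drv.c:41
\tkfree(st->list);
ffffff9008000010:\t97e505ff \tbl\tffffff90082a5b58 <kfree>
/src/demo_drv.c:42
\tst->list = NULL;
ffffff9008000014:\tf900881f \tstr\txzr, [x0, #272]
"""

def kasan_sites(dmesg):
    """Group reports by (bug type, symbol, offset) -> set of freeing task ids."""
    sites, cur = {}, None
    for line in dmesg.splitlines():
        if m := BUG.search(line):
            cur = (m.group(1), m.group(2), int(m.group(3), 16))
            sites.setdefault(cur, set())
        elif cur and (m := FREED.search(line)):
            sites[cur].add(int(m.group(1)))
    return sites

def resolve(listing, symbol, offset):
    """Return the last file:line marker before the instruction at symbol+offset."""
    base = src = None
    for line in listing.splitlines():
        if m := HEAD.match(line):
            base = int(m.group(1), 16) if m.group(2) == symbol else None
        elif base is not None and (m := SRC.match(line)):
            src = (m.group(1), int(m.group(2)))
        elif base is not None and (m := INSN.match(line)):
            if int(m.group(1), 16) == base + offset:
                return src

if __name__ == "__main__":
    for (bug, sym, off), tasks in kasan_sites(SAMPLE_DMESG).items():
        print(bug, f"{sym}+{off:#x}", sorted(tasks), resolve(SAMPLE_LISTING, sym, off))
```

For an invalid-free report KASAN records the return address of the free call, so the resolved line can be the statement right after the `kfree()`, as with `vpstate->planlist = NULL;` above.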