现象:手机完成 Face ID 的基本操作后,查看手机版本,然后将手机静置于桌上;过一会儿,手机卡住并重启。
[ 2715.426638] (1)[16556:lsof]Unable to handle kernel NULL pointer dereference at virtual address 00000008
内核空指针解引用问题。
对应出问题时的源码位置:
fs/proc/task_mmu.c:330
330 dev = inode->i_sb->s_dev;
通过反汇编可知:R2 由 R3 加偏移加载得到,R3 又由 R6 加偏移加载得到。
0xc0281f78 <+0>: mov r12, sp
0xc0281f7c <+4>: push {r4, r5, r6, r7, r8, r9, r10, r11, r12, lr, pc}
0xc0281f80 <+8>: sub r11, r12, #4
0xc0281f84 <+12>: sub sp, sp, #52 ; 0x34
0xc0281f88 <+16>: ldr r6, [r1, #80] ; 0x50
0xc0281f8c <+20>: ldr r3, [r0, #80] ; 0x50
0xc0281f90 <+24>: mov r8, r2
0xc0281f94 <+28>: cmp r6, #0
0xc0281f98 <+32>: mov r4, r1
0xc0281f9c <+36>: ldr r7, [r1, #32]
0xc0281fa0 <+40>: mov r5, r0
0xc0281fa4 <+44>: str r3, [r11, #-48] ; 0xffffffd0
0xc0281fa8 <+48>: moveq r2, r6
0xc0281fac <+52>: ldrne r3, [r6, #16]
0xc0281fb0 <+56>: moveq r12, r6
0xc0281fb4 <+60>: ldr r0, [r1, #40] ; 0x28
0xc0281fb8 <+64>: moveq lr, r6
0xc0281fbc <+68>: moveq r1, r6
0xc0281fc0 <+72>: ldr r9, [r5, #12]
0xc0281fc4 <+76>: ldrne r2, [r3, #28]
0xc0281fc8 <+80>: ldrne lr, [r3, #40] ; 0x28
0xc0281fcc <+84>: add r9, r9, #48 ; 0x30
--Type <return> to continue, or q <return> to quit--
0xc0281fd0 <+88>: ldr r3, [r4]
=> 0xc0281fd4 <+92>: ldrne r1, [r2, #8]
通过检查汇编确认,R6 对应源码中的 file = vma->vm_file;
0xc0281fac <+52>: ldrne r3, [r6, #16]
r3 = [r6+0x10]
通过推算可知,当时 r3 = 0xdc5a84bf,即 file->f_inode 的值。
(gdb) p {struct file}0xda1173c0
$3 = {f_u = {fu_llist = {next = 0xdc5c83bf}, fu_rcuhead = {next = 0xdc5c83bf, func = 0xdc5c82bf}},
  f_path = {mnt = 0xdc5c83c1, dentry = 0xdc5c83c1},
  f_inode = 0xdc5a84bf, f_op = 0xdc5a83bf, f_lock = {{rlock = {raw_lock = {{
正好与 f_inode 字段的值对应。
(gdb) x 0xdc5a84bf
0xdc5a84bf: Cannot access memory at address 0xdc5a84bf
但该地址不在 dump 范围内,无法直接查看 inode 的内容。
通过计算可以得知,问题点在于:
=> 0xc0281fd4 <+92>: ldrne r1, [r2, #8]
r2 为 inode->i_sb;该值为空(NULL),访问 [r2, #8] 即 i_sb->s_dev 时触发了对地址 0x8 的空指针解引用。
此问题属于内存被踩坏的问题:f_inode 等指针值(0xdc5a84bf、0xdc5c83bf 等)并非合法的对齐地址,表明 struct file 的内容已被破坏,复现难度比较大。