[44620.238095] Unable to handle kernel paging request at virtual address ffffffc936ae0618
[44620.238100] Mem abort info:
[44620.238103] Exception class = DABT (current EL), IL = 32 bits
[44620.238106] SET = 0, FnV = 0
[44620.238107] EA = 0, S1PTW = 0
[44620.238109] Data abort info:
[44620.238111] ISV = 0, ISS = 0x00000005
[44620.238113] CM = 0, WnR = 0
[44620.238118] swapper pgtable: 4k pages, 39-bit VAs, pgd = 000000000da83148
[44620.238120] [ffffffc936ae0618] *pgd=0000000000000000, *pud=0000000000000000
[44620.238129] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[44620.278306] Process droid.bluetooth (pid: 15602, stack limit = 0x00000000465176b8)
[44620.286133] CPU: 0 PID: 15602 Comm: droid.bluetooth Tainted: G S W O 4.14.199 #1
[44620.299952] task: 000000007da1fd7c task.stack: 00000000465176b8
[44620.306126] pc : rb_next+0x38/0x58
[44620.309775] lr : binder_inc_ref_for_node+0x21c/0x3fc
[44620.314984] sp : ffffff80198db870 pstate : 80400045
[44620.320118] x29: ffffff80198db880 x28: ffffffc0dedb67a8
[44620.325675] x27: ffffff8009813000 x26: ffffffc149c75420
[44620.331242] x25: ffffffc149c75400 x24: ffffffc0dedb6480
[44620.336806] x23: 0000000000000001 x22: ffffffc0dedb6680
[44620.342368] x21: ffffffc175cabf60 x20: ffffffc149c75634
[44620.347931] x19: ffffff80198dba60 x18: 000000783069c000
[44620.353494] x17: 000000782d0e8a24 x16: ffffff800829d5e0
[44620.359058] x15: 0000000000000008 x14: fffffffe00000000
[44620.364621] x13: 0000000085400000 x12: 0000000000000000
[44620.370185] x11: a02c74954456e100 x10: ffffffc151755190
[44620.375747] x9 : ffffffc936ae0611 x8 : ffffffc1521f3310
[44620.381306] x7 : 0000000000000000 x6 : 000000000000003f
[44620.386873] x5 : 0000000000000040 x4 : 0000000000000000
[44620.392435] x3 : ffffff80198db808 x2 : ffffff8008091c68
[44620.397999] x1 : ffffffc149c75428 x0 : ffffffc936ae0610
[44622.042581] Call trace:
[44622.045283] rb_next+0x38/0x58
[44622.048583] binder_transaction+0x2394/0x34f0
[44622.053192] binder_thread_write+0x704/0x257c
[44622.057800] binder_ioctl+0x3a8/0x2cd8
[44622.061798] do_vfs_ioctl+0x6a4/0x10d0
[44622.065793] SyS_ioctl+0x90/0x9c
[44622.069274] __sys_trace_return+0x0/0x4
[44622.073359] Code: b5ffffc9 1400000a f27ef540 54000100 (f9400409)
-008|rb_next(
| node = 0xFFFFFFC1521F3310 -> (
| __rb_parent_color = 0xFFFFFFC136AE0611,
| rb_right = 0xFFFFFFC1387AB610 -> (
| __rb_parent_color = 0xFFFFFFC1521F3310,
| rb_right = 0xFFFFFFC139CFA590,
| rb_left = 0xFFFFFFC1339E1210 -> (
| __rb_parent_color = 0xFFFFFFC1387AB611,
| rb_right = 0xFFFFFFC1339E1110,
| rb_left = 0xFFFFFFC136AE0910 -> (
| __rb_parent_color = 0xFFFFFFC1339E1211,
| rb_right = 0xFFFFFFC1339E1010,
| rb_left = 0xFFFFFFC1393F7D10))),
| rb_left = 0xFFFFFFC151587E10 -> (
| __rb_parent_color = 0xFFFFFFC1521F3311,
| rb_right = 0xFFFFFFC151587B90,
| rb_left = 0xFFFFFFC151587790)))
| parent = 0xFFFFFFC936AE0610 -> (
| __rb_parent_color = 0x0,
| rb_right = 0x0,
| rb_left = 0x0)
-009|binder_inc_ref_for_node(
| proc = 0xFFFFFFC149C75400,
| node = 0xFFFFFFC0DEDB6480,
| strong = TRUE,
| target_list = 0xFFFFFFC1522F2248,
| rdata = 0xFFFFFF80198DBA60)
| new_ref = 0xFFFFFFC0DEDB6680
-010|binder_translate_binder(inline)
| t = 0xFFFFFFC061602800
| thread = 0xFFFFFFC1522F2200
| node = 0xFFFFFFC0DEDB6480
| proc = 0xFFFFFFC14353D400
| target_proc = 0xFFFFFFC149C75400
-010|binder_transaction(
| ?,
| thread = 0xFFFFFFC1522F2200,
| ?,
| ?,
| extra_buffers_size = 0x18)
| last_fixup_min_off = 0x0
| last_fixup_obj_off = 0x0
| target_proc = 0xFFFFFFC149C75400
| sg_buf_offset = 0x0170
| off_start_offset = 0x0160
| buffer_offset = 0x0168
| tcomplete = 0xFFFFFFC0DEDB6980
| t_debug_id = 0x000F7BC6
| object_offset = 0x0144
| object_size = 0x18
-011|copy_from_user(inline)
crash_arm64> vtop ffffffc936ae0610
VIRTUAL PHYSICAL
ffffffc936ae0610 9b6ae0610
PAGE DIRECTORY: ffffff8009bb0000
PGD: ffffff8009bb0920 => 0
crash_arm64> kmem -p | grep 9b6ae
ffffffbf006dab80 9b6ae000 0 0 1 1000 reserved
1645 for (n = rb_first(&proc->refs_by_desc); n != NULL; n = rb_next(n)) {
1646 ref = rb_entry(n, struct binder_ref, rb_node_desc);
1647 if (ref->data.desc > new_ref->data.desc)
1648 break;
1649 new_ref->data.desc = ref->data.desc + 1;
1650 }
/AndroidR/bsp/kernel/kernel4.14/drivers/android/binder.c: 1645
0xffffff8008a2c464 <binder_inc_ref_for_node+0x1ec>: add x26, x25, #0x20
AndroidR/bsp/kernel/kernel4.14/drivers/android/binder.c: 1644
0xffffff8008a2c468 <binder_inc_ref_for_node+0x1f0>: str w8, [x22,#4]
/AndroidR/bsp/kernel/kernel4.14/drivers/android/binder.c: 1645
0xffffff8008a2c46c <binder_inc_ref_for_node+0x1f4>: mov x0, x26
0xffffff8008a2c470 <binder_inc_ref_for_node+0x1f8>: bl 0xffffff8008d16c54 <rb_first>
0xffffff8008a2c474 <binder_inc_ref_for_node+0x1fc>: cbz x0, 0xffffff8008a2c498 <binder_inc_ref_for_node+0x220>
AndroidR/bsp/kernel/kernel4.14/drivers/android/binder.c: 1647
0xffffff8008a2c478 <binder_inc_ref_for_node+0x200>: ldr w8, [x0,#-12]
0xffffff8008a2c47c <binder_inc_ref_for_node+0x204>: ldr w9, [x22,#4]
0xffffff8008a2c480 <binder_inc_ref_for_node+0x208>: cmp w8, w9
0xffffff8008a2c484 <binder_inc_ref_for_node+0x20c>: b.hi 0xffffff8008a2c498 <binder_inc_ref_for_node+0x220>
AndroidR/bsp/kernel/kernel4.14/drivers/android/binder.c: 1649
0xffffff8008a2c488 <binder_inc_ref_for_node+0x210>: add w8, w8, #0x1
0xffffff8008a2c48c <binder_inc_ref_for_node+0x214>: str w8, [x22,#4]
AndroidR/bsp/kernel/kernel4.14/drivers/android/binder.c: 1645
0xffffff8008a2c490 <binder_inc_ref_for_node+0x218>: bl 0xffffff8008d16c94 <rb_next>
AndroidR/bsp/kernel/kernel4.14/lib/rbtree.c: 532
0xffffff8008d16c94 <rb_next>: ldr x10, [x0] - x10 - ffffffc136ae0611 - x0 - 0xFFFFFFC1521F3310
0xffffff8008d16c98 <rb_next+0x4>: cmp x10, x0
0xffffff8008d16c9c <rb_next+0x8>: b.ne 0xffffff8008d16ca8 <rb_next+0x14>
0xffffff8008d16ca0 <rb_next+0xc>: mov x0, xzr
AndroidR/bsp/kernel/kernel4.14/lib/rbtree.c: 557
0xffffff8008d16ca4 <rb_next+0x10>: ret
0xffffff8008d16ca8 <rb_next+0x14>: mov x8, x0 - x8 - 0xFFFFFFC1521F3310
AndroidR/bsp/kernel/kernel4.14/lib/rbtree.c: 539
0xffffff8008d16cac <rb_next+0x18>: ldr x9, [x0,#8] x9 - ffffffc1387ab610
0xffffff8008d16cb0 <rb_next+0x1c>: cbz x9, 0xffffff8008d16cc4 <rb_next+0x30>
0xffffff8008d16cb4 <rb_next+0x20>: mov x0, x9 x0 - ffffffc1387ab610
AndroidR/bsp/kernel/kernel4.14/lib/rbtree.c: 541
0xffffff8008d16cb8 <rb_next+0x24>: ldr x9, [x9,#16] x9 - ffffffc1339e1210
0xffffff8008d16cbc <rb_next+0x28>: cbnz x9, 0xffffff8008d16cb4 <rb_next+0x20>
0xffffff8008d16cc0 <rb_next+0x2c>: b 0xffffff8008d16ce8 <rb_next+0x54>
/AndroidR/bsp/kernel/kernel4.14/lib/rbtree.c: 553
0xffffff8008d16cc4 <rb_next+0x30>: ands x0, x10, #0xfffffffffffffffc //0xc - 1100
0xffffff8008d16cc8 <rb_next+0x34>: b.eq 0xffffff8008d16ce8 <rb_next+0x54>
0xffffff8008d16ccc <rb_next+0x38>: ldr x9, [x0,#8] //crash现场
0xffffff8008d16cd0 <rb_next+0x3c>: cmp x8, x9
0xffffff8008d16cd4 <rb_next+0x40>: b.ne 0xffffff8008d16ce8 <rb_next+0x54>
0xffffff8008d16cd8 <rb_next+0x44>: ldr x9, [x0] // dump 中 [x0] (即 0xFFFFFFC1521F3310 的 __rb_parent_color) 为 ffffffc136ae0611，但寄存器 x9 = ffffffc936ae0611，此处已经出错。
0xffffff8008d16cdc <rb_next+0x48>: mov x8, x0
0xffffff8008d16ce0 <rb_next+0x4c>: ands x0, x9, #0xfffffffffffffffc
0xffffff8008d16ce4 <rb_next+0x50>: b.ne 0xffffff8008d16ccc <rb_next+0x38> // b.ne 跳回 rb_next+0x38 继续向上遍历。
AndroidR/bsp/kernel/kernel4.14/lib/rbtree.c: 557
0xffffff8008d16ce8 <rb_next+0x54>: ret
crash_arm64> rd ffffffc15ae0ea90
ffffffc15ae0ea90: ffffffc146407690 .v@F....
crash_arm64> struct rb_root ffffffc149c75420 -o
struct rb_root {
[ffffffc149c75420] struct rb_node *rb_node;
}
SIZE: 8
crash_arm64> struct rb_node 0xffffffc14598bc90 -x
struct rb_node {
__rb_parent_color = 0x1,
rb_right = 0xffffffc0cb371b10,
rb_left = 0xffffffc1420c5110
}
crash_arm64> struct binder_proc -o
struct binder_proc { - x25 - ffffffc149c75400
[0] struct hlist_node proc_node;
[16] struct rb_root threads;
[24] struct rb_root nodes;
[32] struct rb_root refs_by_desc;//0x20 - x0/x26 - rd ffffffc149c75420 = 0xffffffc14598bc90
结论:
按 dump 中的内存值，0xFFFFFFC136AE0611 & 0xfffffffffffffffc 应得到 0xFFFFFFC136AE0610；但寄存器中 x9 = ffffffc936ae0611、x0 = ffffffc936ae0610，即第 9 个十六进制位由 1 (0001) 变成了 9 (1001)，只差 1 个 bit (bit 35)。ffffffc936ae0610 在页表中没有映射 (pgd = 0)，所以 rb_next+0x38 读取 [x0,#8] 时触发 data abort。
内存中保存的值正确而寄存器读到的值错了 1 个 bit，判断为 1bit 跳变，怀疑是 DDR/CPU 等硬件问题。