[复现场景]
MC3230(Gsensor)正常后,image文件下载到没贴MC3230的板子上,系统反复重启。
CUSDB00055082
[分析过程]
实验及log带来的疑惑:
1.删掉gsensor的kfree(mc3xx0)不会再有重启现象,
2.从log看是死在FM的register_early_suspend,为什么修改gsensor代码会有影响
gsensor代码mc3xx0.c
static int __devinitmc3xx0_i2c_probe(struct i2c_client *client,
const struct i2c_device_id*id)
{
struct mc3xx0_data *mc3xx0;
int err;
#ifdef MCUBE_FUNC_DEBUG
printk("%s called\n",__func__);
#endif
/* setup private data */
mc3xx0 = kzalloc(sizeof(structmc3xx0_data), GFP_KERNEL);
if (! mc3xx0) {
printk("%s: can't allocatememory for mc3xx0_data!\n", __func__);
//pr_err("%s: can't allocatememory for mc3xx0_data!\n", __func__);
err = -ENOMEM;
return err;
}
mutex_init(&mc3xx0->enable_mutex);
mutex_init(&mc3xx0->value_mutex);
/* setup i2c client */
if(!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
printk("%s: i2c function notsupport!\n", __func__);
//pr_err("%s: i2c function notsupport!\n", __func__);
kfree(mc3xx0);
err = -ENODEV;
return err;
}
i2c_set_clientdata(client, mc3xx0);
mc3xx0->client = client;
mc3xx0_client = client;
#ifdef CONFIG_HAS_EARLYSUSPEND
mc3xx0->early_suspend.suspend =mc3xx0_early_suspend;
mc3xx0->early_suspend.resume =mc3xx0_early_resume;
mc3xx0->early_suspend.level =EARLY_SUSPEND_LEVEL_BLANK_SCREEN;
register_early_suspend(&mc3xx0->early_suspend);
#endif
dev_info(&client->dev, "%sfound\n", id->name);
atomic_set(&mc3xx0->position,mc3xx0_current_placement);
atomic_set(&mc3xx0->delay,MC3XX0_MAX_DELAY);
err = mc3xx0_detect_pcode(mc3xx0);
if (err < 0) {
printk("%s: isn't mcubeg-sensor!\n", __func__);
//pr_err("%s: input initfail!\n", __func__);
if (mc3xx0!=NULL)
{
kfree(mc3xx0);//注释掉这句就不会panic
printk("%s: 0 kfree\n",__func__);
}
else
{
printk("%s: 0 kfree not\n",__func__);
}
return -ENODEV;
}
#ifdef MCUBE_DOT_CALIBRATION
mc3xx0_soft_reset(mc3xx0);
#endif
mc3xx0_init(mc3xx0);
/* setup driver interfaces */
INIT_DELAYED_WORK(&mc3xx0->work,mc3xx0_work_func);
err = mc3xx0_input_init(mc3xx0);
if (err < 0) {
printk("%s: input init fail!\n",__func__);
//pr_err("%s: input initfail!\n", __func__);
kfree(mc3xx0);
return err;
}
err =sysfs_create_group(&mc3xx0->input->dev.kobj,&mc3xx0_attribute_group);
if (err < 0) {
printk("%s: create groupfail!\n", __func__);
//pr_err("%s: create groupfail!\n", __func__);
mc3xx0_input_deinit(mc3xx0);
//kfree(mc3xx0);
if (mc3xx0!=NULL)
{
kfree(mc3xx0);
printk("%s: 1 kfree\n",__func__);
}
else
{
printk("%s: 1 kfree not\n",__func__);
}
return err;
}
err = misc_register(&mc3xx0_device);
if (err) {
printk("%s: create registerfail!\n", __func__);
//pr_err("%s: create registerfail!\n", __func__);
mc3xx0_input_deinit(mc3xx0);
// kfree(mc3xx0);
if (mc3xx0!=NULL)
{
kfree(mc3xx0);
printk("%s: 2 kfree\n",__func__);
}
else
{
printk("%s: 2 kfree not\n",__func__);
}
return err;
}
return 0;
}
Fm代码kt0812g_fm_ctrl.c:
static int kt0812g_probe(structi2c_client *client,
const struct i2c_device_id *id)
{
u16 reg_value = 0x0;
int ret = -EINVAL;
struct kt0812g_drv_data *cxt =NULL;
if(!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
dev_err(&client->dev,"kt0812g driver: client is not i2c capable.\n");
ret = -ENODEV;
goto i2c_functioality_failed;
}
cxt = kzalloc(sizeof(structkt0812g_drv_data), GFP_KERNEL);
if (cxt == NULL) {
dev_err(&client->dev,"Can't alloc memory for module data.\n");
ret = -ENOMEM;
goto alloc_data_failed;
}
mutex_init(&cxt->mutex);
mutex_lock(&cxt->mutex);
cxt->client = client;
i2c_set_clientdata(client, cxt);
atomic_set(&cxt->fm_searching,0);
atomic_set(&cxt->fm_opened,0);
ret = kt0812g_fm_power_on(cxt);
if (ret < 0) {
goto poweron_failed;
}
printk("###kt0812g_probekt0812g_check_chip_id 01\n");
kt0812g_check_chip_id(cxt,®_value);
printk("###kt0812g_probekt0812g_check_chip_id 02\n");
#if (KT0812G_DEBUG)
// kt0812g_read_all_registers(cxt);
#endif
//kt0812g_fm_close(cxt);
cxt->fm_class.owner =THIS_MODULE;
cxt->fm_class.name = "fm_class";
kt0812g_fm_sysfs_init(&cxt->fm_class);
ret =class_register(&cxt->fm_class);
if (ret < 0) {
dev_err(&client->dev,"kt0812g class init failed.\n");
goto class_init_failed;
}
ret =misc_register(&kt0812g_fm_misc_device);
if (ret < 0) {
dev_err(&client->dev,"kt0812g misc device register failed.\n");
goto misc_register_failed;
}
#ifdef CONFIG_HAS_EARLYSUSPEND
cxt->early_suspend.suspend =kt0812g_early_suspend;
cxt->early_suspend.resume =kt0812g_early_resume;
cxt->early_suspend.level =EARLY_SUSPEND_LEVEL_BLANK_SCREEN;
register_early_suspend(&cxt->early_suspend); //死在了这里
#endif
cxt->opened_before_suspend = 0;
cxt->bg_play_enable = 1;
cxt->current_freq = 875; /* initcurrent frequency, search may use it. */
kt0812g_dev_data = cxt;
mutex_unlock(&cxt->mutex);
printk("###kt0812g_probekt0812g_check_chip_id 03\n");
return ret;
misc_register_failed:
misc_deregister(&kt0812g_fm_misc_device);
class_init_failed:
class_unregister(&cxt->fm_class);
poweron_failed:
mutex_unlock(&cxt->mutex);
kfree(cxt);
alloc_data_failed:
i2c_functioality_failed:
dev_err(&client->dev,"kt0812gdriver init failed.\n");
return ret;
}
让客户抓的log如下
[ 11.669000] I2C:sc8810_i2c_stop!
[ 11.672000] incomplete xfer (-121)
[ 11.675000] I2C:transmission failed!
[ 11.679000] mc3xx0_i2c_probe: isn'tmcube g-sensor!
[ 11.684000] mc3xx0_i2c_probe: 0kfree
[ 11.702000] KT0812G_FM 2-0070:kt0812g_fm_power_on
[ 11.702000] ###kt0812g_chip_vdd_input turn_on=1
[ 11.702000] ###kt0812g_chip_vdd_input turn on LDO_SIM2
[ 11.711000] ###kt0812g_probekt0812g_check_chip_id 01
[ 11.711000] KT0812G_FM 2-0070: Readchip id
[ 11.716000] KT0812G_FM 2-0070:KT0812G chip_5802_2 id:0x1080
[ 11.720000] KT0812G_FM 2-0070:KT0812G chip id:0x1080
[ 11.725000] ###kt0812g_check_chip_id chip id:0x1080
[ 11.730000] ###kt0812g_probekt0812g_check_chip_id 02
//出错的原因
[ 11.736000] Unableto handle kernel NULL pointer dereference at virtual address 00000000
//start:OOP信息序号
[ 11.744000] pgd = ce1fc000
[ 11.746000] [00000000]*pgd=0e1f2031, *pte=00000000, *ppte=00000000
[ 11.752000] Internal error: Oops: 17[#1] PREEMPT
//end:OOP信息序号
[ 11.757000] last sysfs file:/sys/module/softdog/parameters/soft_margin
//出错时内核已经加载的模块列表(加载顺序从后到前)
[ 11.764000] Modules linked in:kt0812g_fm_ctrl(+) mc3xx0 snd_dummy mali ump
//发生错误的CPU序号
[ 11.771000] CPU: 0 Not tainted (2.6.35.7 #5)
//start:发生错误的位置,以及当时CPU各个寄存器的值,这最有利于我们找出问题所在地
[ 11.775000] PCis at register_early_suspend+0x30/0x8c
[ 11.780000] LR is at__mutex_lock_slowpath+0x1cc/0x28c
[ 11.785000] pc : [<c4590d80>] lr : [<c48d4078>] psr: 80800013
//pc保存最后出问题的地址
[ 11.785000] sp : ce827e48 ip :22222222 fp : bf07eec8
[ 11.797000] r10: 00000000 r9 :cdcbd268 r8 : cdcbd220
[ 11.802000] r7 : cdcea7e0 r6 :c46c6844 r5 : c4a3ebf4 r4 : cdcbd294
[ 11.808000] r3: 00000000 r2 : 00000000 r1 : 00000032 r0 : 00000000
[ 11.815000] Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 11.822000] Control: 00c53c7d Table: 0e1fc019 DAC: 40000015
[ 11.828000]
[ 11.828000] PC: 0xc4590d00:
[ 11.832000] 0d00 e12fff1e e92d4070e30e5bdc e34c54a3 e1a04000 e1a00005 eb0d0ea0 e5941004
[ 11.840000] 0d20 e594c000 e3003100e3002200 e3403010 e3402020 e1a00005 e58c1004 e581c000
[ 11.848000] 0d40 e5842004 e5843000e8bd4070 ea0d0c0a e92d4070 e59f5078 e1a04000 e1a00005
[ 11.856000] 0d60 eb0d0e8e e5b53018ea000004 e5930008 e5941008 e1500001 ca000004 e1a03002
[ 11.865000] 0d80 e5932000f5d2f000 e1530005 1afffff6 e5932004 e5834004 e5843000 e59f3034
[ 11.873000] 0da0 e5842004 e5824000e5933000 e3130002 0a000004 e594300c e3530000 0a000001
[ 11.881000] 0dc0 e1a00004 e12fff33e59f0004 e8bd4070 ea0d0be9 c4a3ebdc c4ad14e4 e92d4ff0
[ 11.889000] 0de0 e24dd06c e1a04000eb070e83 eb0d1297 e1a05000 e3a00001 eb0d1aed e59f3178
[ 11.897000]
[ 11.897000] LR: 0xc48d3ff8:
[ 11.901000] 3ff8 0affffde ebf71796e3500000 0affffdb e30a2dec e34c24ad e5923000 e3530000
[ 11.909000] 4018 1affffd6 e59f010ce3001106 ebf226da eaffffd2 e1a00004 e1a0100a e1a02007
[ 11.918000] 4038 ebf2c321 e584700ce5943004 e1a00005 e59d2004 e1520003 03a03000 05843000
[ 11.926000] 4058 eb000607 e5973000e3130002 1a000018 e1a0000a ebf2c3a4 e3a00001 eb000e1e
[ 11.934000] 4078 e5973000 e31300021a00000f e28dd01c e8bd8ff0 ebfffc8d eaffffc4 ebf71770
[ 11.942000] 4098 e3500000 0affffcee30a2dec e34c24ad e5923000 e3530000 1affffc9 e59f0074
[ 11.950000] 40b8 e3001106 ebf226b4eaffffc5 ebfffc7f eaffffed ebfffc7d eaffffe4 ebf71760
[ 11.958000] 40d8 e3500000 0affff8ce59f304c e5933000 e3530000 1affff88 e59f0038 e3a010d6
[ 11.966000]
[ 11.966000] SP: 0xce827dc8:
[ 11.971000] 7dc8 cdcdaeac ce867aa0343a3031 bf070031 cdcbd268 00000000 ce827dfc ce867aa0
[ 11.979000] 7de8 00000000 ffffffffce827e34 c46c6844 cdcea7e0 c48d56f4 00000000 00000032
[ 11.987000] 7e08 00000000 00000000cdcbd294 c4a3ebf4 c46c6844 cdcea7e0 cdcbd220 cdcbd268
[ 11.995000] 7e28 00000000 bf07eec822222222 ce827e48 c48d4078 c4590d80 80800013 ffffffff
[ 12.003000] 7e48 cdcea7c0 c48d2bf4c46c6844 bf07dbfc cdccdfc8 cdcbd224 00000000 00008010
[ 12.011000] 7e68 ce80e578 bf07e4b4cdcea7c4 cdcea7c0 bf07d92c c452e144 ce826000 0000ccf5
[ 12.019000] 7e88 00000000 c471dcd4c4ae2454 bf07ef54 cdcea7e0 bf07ef54 c452e144 c46c9f98
[ 12.028000] 7ea8 cdcea7e0 bf07ef54cdcea814 00000000 c452e144 c46ca138 bf07ef54 ce827ed0
[ 12.036000]
[ 12.036000] R4: 0xcdcbd214:
[ 12.040000] d214 00000000 0000000000000000 cdcea7c0 bf07ed0c bf07efe8 bf07eec8 00000000
[ 12.048000] d234 ce814e20 0000000000000000 00000000 00000000 00000000 00000000 00000000
[ 12.056000] d254 00000000 00000000cdcdaf00 00000000 00000000 00000000 cdcbd26c cdcbd26c
[ 12.064000] d274 ce826000 00000000cdcbd268 00000000 00000000 00000000 00000000 00000000
[ 12.073000] d294 00000000 0000000000000032 bf07dd90 bf07d750 00000000 00000000 00000000
[ 12.081000] d2b4 00000000 0000000000000000 00000000 00000000 00000000 00000000 00000000
[ 12.089000] d2d4 00000000 0000000000000000 cdcbd9a0 cdce4f00 cdce6220 cdcea8ec cdcbd3ac
[ 12.097000] d2f4 cdcbd9a8 ce814ee0c4a5f6a8 cdce7f98 00000003 00000007 00000000 00000000
[ 12.105000]
[ 12.105000] R5: 0xc4a3eb74:
[ 12.109000] eb74 00000003 0000000000000000 00000000 00000000 00000000 00000000 00000000
[ 12.117000] eb94 00000000 c458feac00000000 00000000 00000000 00000000 00000000 00000000
[ 12.126000] ebb4 00000000 0000000000000000 00000001 00000001 c4a3ebc8 c4a3ebc8 00000000
[ 12.134000] ebd4 00000000 c4a3ebc400000000 c4a3ebe0 c4a3ebe0 ce826000 00000000 c4a3ebdc
[ 12.142000] ebf4 c4b59990 c4b5993000000001 00000002 c4a3ec04 c4a3ec04 c4590ff4 00000002
[ 12.150000] ec14 c4a3ec14 c4a3ec14c4591178 00000000 00000000 c4a3ec40 ce8892ac cebe4e4c
[ 12.158000] ec34 00000064 c4591558c45914ec c4a3ec4c c4a3ec60 00000000 c49a72ac 00000000
[ 12.166000] ec54 00000124 c45912a400000000 c49a72c0 00000000 00000124 c459139c 00000000
[ 12.174000]
[ 12.174000] R6: 0xc46c67c4:
[ 12.179000] 67c4 e59f0060 eb083109eaffffdc e1a01005 e59f0054 eb083105 eaffffd8 e1a01005
[ 12.187000] 67e4 e59f0048 eb083101eaffffd4 e1a01005 e59f203c e59f003c eb0830fc eaffffcf
[ 12.195000] 6804 e59f0034 eb0830f9eaffffd9 c4ae2418 c49c1488 c49c14c4 c4a5f434 c4a5f4a4
[ 12.203000] 6824 c4a5f480 c49c1494c49c1558 c49c1530 c49c1508 c49c1500 c49c14cc c49c157c
[ 12.211000] 6844 e5903050 e35300000a000001 e5930000 e12fff1e e590304c e3530000 1afffffa
[ 12.219000] 6864 e59030b4 e3530000059f0004 15930000 e12fff1e c49c15cc e92d4010 e591c010
[ 12.227000] 6884 e35c0000 03e0000408bd8010 e2400008 e12fff3c e8bd8010 e2400008 e92d4010
[ 12.236000] 68a4 e59030b4 e35300001a000001 e3a00000 e8bd8010 e593202c e3520000 0afffffa
[ 12.244000]
[ 12.244000] R7: 0xcdcea760:
[ 12.248000] a760 0000a003 0040208020400000 00a00000 04223000 4000000c 00055290 00400000
[ 12.256000] a780 00010100 10a001000208c000 800000a2 14014100 22802000 90000084 00200001
[ 12.264000] a7a0 0a000000 0000000300000000 00001000 00000180 00000002 80010000 00808000
[ 12.272000] a7c0 00700000 3830544b5f473231 00004d46 00000000 00000000 cebebe18 bf07ef2c
[ 12.280000] a7e0 cebebe48 cdce4ba0cdce6ec0 cdcdae4c cdcea8ec cebebe50 ce814ee0 c4a5f6a8
[ 12.289000] a800 cdccdfc8 0000000300000007 00000000 c4a633c0 00000000 cdcea818 cdcea818
[ 12.297000] a820 ce826000 00000000cdcea814 c4a633f0 bf07ef54 00000000 00000000 00000000
[ 12.305000] a840 00000001 cdcdaea4cdcea944 7fffffff cdcea850 cdcea850 00000000 00000000
[ 12.313000]
[ 12.313000] R8: 0xcdcbd1a0:
[ 12.317000] d1a0 c49a65e4 0000000000000124 c458aef0 00000000 00000000 00000000 00000000
[ 12.325000] d1c0 00000000 0000000000000000 00000000 00000000 00000000 00000000 00000000
[ 12.334000] d1e0 00000000 0000000000000000 00000000 00000000 00000000 00000000 00000000
[ 12.342000] d200 00000000 0000000000000000 00000000 00000000 00000000 00000000 00000000
[ 12.350000] d220 cdcea7c0 bf07ed0cbf07efe8 bf07eec8 00000000 ce814e20 00000000 00000000
[ 12.358000] d240 00000000 0000000000000000 00000000 00000000 00000000 00000000 cdcdaf00
[ 12.366000] d260 00000000 0000000000000000 cdcbd26c cdcbd26c ce826000 00000000 cdcbd268
[ 12.374000] d280 00000000 0000000000000000 00000000 00000000 00000000 00000000 00000032
[ 12.382000]
[ 12.382000] R9: 0xcdcbd1e8:
[ 12.387000] d1e8 00000000 0000000000000000 00000000 00000000 00000000 00000000 00000000
[ 12.395000] d208 00000000 0000000000000000 00000000 00000000 00000000 cdcea7c0 bf07ed0c
[ 12.403000] d228 bf07efe8 bf07eec800000000 ce814e20 00000000 00000000 00000000 00000000
[ 12.411000] d248 00000000 0000000000000000 00000000 00000000 cdcdaf00 00000000 00000000
[ 12.419000] d268 00000000 cdcbd26ccdcbd26c ce826000 00000000 cdcbd268 00000000 00000000
[ 12.427000] d288 00000000 0000000000000000 00000000 00000000 00000032 bf07dd90 bf07d750
[ 12.435000] d2a8 00000000 0000000000000000 00000000 00000000 00000000 00000000 00000000
[ 12.444000] d2c8 00000000 0000000000000000 00000000 00000000 00000000 cdcbd9a0 cdce4f00
//end:发生错误的位置,以及当时CPU各个寄存器的值,这最有利于我们找出问题所在地
//当前进程的名字及进程ID
[ 12.452000] Process init (pid: 1,stack limit = 0xce8262e8)
//start:出错时栈内的内容
[ 12.457000] Stack: (0xce827e48 to0xce828000)
[ 12.462000] 7e40: cdcea7c0 c48d2bf4 c46c6844 bf07dbfc cdccdfc8 cdcbd224
[ 12.470000] 7e60: 00000000 00008010ce80e578 bf07e4b4 cdcea7c4 cdcea7c0 bf07d92c c452e144
[ 12.478000] 7e80: ce826000 0000ccf500000000 c471dcd4 c4ae2454 bf07ef54 cdcea7e0 bf07ef54
[ 12.486000] 7ea0: c452e144 c46c9f98cdcea7e0 bf07ef54 cdcea814 00000000 c452e144 c46ca138
[ 12.494000] 7ec0: bf07ef54 ce827ed0c46ca0ac c46c9814 ce8490d8 cdce4bd0 bf07ef54 bf07ef54
[ 12.502000] 7ee0: c4a633f0 cdce4b4000000000 c46c90cc bf07ee74 c4691a74 c4a633c0 c4a633c0
[ 12.510000] 7f00: bf07ef54 bf07ef2cc4a633f0 c452e144 0000ccf5 c46ca3c8 c4a633c0 ce826000
[ 12.518000] 7f20: bf07ef2c c4a633f0c452e144 c471ea78 00000000 ce826000 00000000 bf082000
[ 12.527000] 7f40: c452e144 bf082040c4a7cc20 c452c2f0 bf07efe8 c457a820 00000000 00000000
[ 12.535000] 7f60: 40009008 bf07efe840009008 bf07efe8 00000000 000224ec c452e144 ce826000
[ 12.543000] 7f80: 0000ccf5 c458d4f8ce826000 c45ded30 40009008 40009008 be9b6d48 00000002
[ 12.551000] 7fa0: 00000080 c452df6040009008 be9b6d48 40009008 000224ec be9b6d48 4002b4f4
[ 12.559000] 7fc0: 40009008 be9b6d4800000002 00000080 be9b6d48 00020578 0000ccf5 00000000
[ 12.567000] 7fe0: 000214a8 be9b6d280000b679 0000875c a0800010 40009008 ffffffbd fffdbfff
//end:出错时栈内的内容
//start:栈回溯信息,可看出直到出错时的函数递进调用关系
[ 12.575000] [<c4590d80>](register_early_suspend+0x30/0x8c) from[<bf07dbfc>] (kt0812g_probe+0x2d0/0x464[kt0812g_fm_ctrl])
//解释:
// kt0812g_probe该函数总尺寸是0x464,在0x2d0偏移量处调用register_early_suspend,
//这个偏移量的绝对地址是0xbf07dbfc
//register_early_suspend的函数总共长度是0x8c(0x8c/4=50条指令),死的位置是从函数开始偏移0x30
//处,c4590d80(正是当前pc的值)调用地址,即(函数register_early_suspend的起始地址+偏移量)
//的绝对地址(在反汇编中找到函数的起始再加上此偏移就可定位死在那条指令上了)
//[kt0812g_fm_ctrl]是ko模块名字
[ 12.586000] [<bf07dbfc>](kt0812g_probe+0x2d0/0x464 [kt0812g_fm_ctrl]) from [<c471dcd4>](i2c_device_probe+0xbc/0xe4)
[ 12.597000] [<c471dcd4>](i2c_device_probe+0xbc/0xe4) from [<c46c9f98>](driver_probe_device+0x70/0x184)
[ 12.606000] [<c46c9f98>](driver_probe_device+0x70/0x184) from [<c46ca138>](__driver_attach+0x8c/0x90)
[ 12.616000] [<c46ca138>](__driver_attach+0x8c/0x90) from [<c46c9814>](bus_for_each_dev+0x60/0x8c)
[ 12.625000] [<c46c9814>](bus_for_each_dev+0x60/0x8c) from [<c46c90cc>](bus_add_driver+0xa0/0x240)
[ 12.634000] [<c46c90cc>](bus_add_driver+0xa0/0x240) from [<c46ca3c8>](driver_register+0x78/0x144)
[ 12.643000] [<c46ca3c8>](driver_register+0x78/0x144) from [<c471ea78>](i2c_register_driver+0x2c/0x8c)
[ 12.652000] [<c471ea78>](i2c_register_driver+0x2c/0x8c) from [<bf082040>](kt0812g_driver_init+0x40/0x6c [kt0812g_fm_ctrl])
[ 12.663000] [<bf082040>](kt0812g_driver_init+0x40/0x6c [kt0812g_fm_ctrl]) from [<c452c2f0>](do_one_initcall+0x30/0x1b8)
[ 12.674000] [<c452c2f0>](do_one_initcall+0x30/0x1b8) from [<c458d4f8>](sys_init_module+0xac/0x1c0)
[ 12.683000] [<c458d4f8>](sys_init_module+0xac/0x1c0) from [<c452df60>](ret_fast_syscall+0x0/0x5c)
//end:栈回溯信息,可看出直到出错时的函数递进调用关系
//记录出错前最后几条机器码,出错指令本身在小括号中
//可以在反汇编代码中搜索此出错指令,直接定位哪个指令出错了
[ 12.692000] Code: e5941008 e1500001ca000004 e1a03002 (e5932000)
[ 12.701000] mali: clock down done
[ 12.702000] ---[ end traceaccd228a739fb9da ]---
[ 12.706000] Kernel panic - notsyncing: Fatal exception
[ 12.711000] [<c45330e0>](unwind_backtrace+0x0/0xfc) from [<c48d2b70>] (panic+0x60/0xe4)
[ 12.720000] [<c48d2b70>](panic+0x60/0xe4) from [<c4531c4c>] (die+0x264/0x344)
[ 12.727000] [<c4531c4c>](die+0x264/0x344) from [<c4536448>](__do_kernel_fault+0x64/0x84)
[ 12.735000] [<c4536448>](__do_kernel_fault+0x64/0x84) from [<c48d7520>](do_page_fault+0x7c/0x3b8)
[ 12.744000] [<c48d7520>](do_page_fault+0x7c/0x3b8) from [<c452c25c>](do_DataAbort+0x34/0x98)
[ 12.752000] [<c452c25c>](do_DataAbort+0x34/0x98) from [<c48d56f4>](__dabt_svc+0x54/0x84)
[ 12.761000] Exceptionstack(0xce827e00 to 0xce827e48)
[ 12.766000] 7e00: 00000000 0000003200000000 00000000 cdcbd294 c4a3ebf4 c46c6844 cdcea7e0
[ 12.774000] 7e20: cdcbd220 cdcbd26800000000 bf07eec8 22222222 ce827e48 c48d4078 c4590d80
[ 12.782000] 7e40: 80800013 ffffffff
[ 12.785000] [<c48d56f4>](__dabt_svc+0x54/0x84) from [<c4590d80>](register_early_suspend+0x30/0x8c)
[ 12.795000] [<c4590d80>](register_early_suspend+0x30/0x8c) from[<bf07dbfc>] (kt0812g_probe+0x2d0/0x464 [kt0812g_fm_ctrl])
[ 12.806000] [<bf07dbfc>](kt0812g_probe+0x2d0/0x464[kt0812g_fm_ctrl]) from [<c471dcd4>](i2c_device_probe+0xbc/0xe4)
[ 12.816000] [<c471dcd4>](i2c_device_probe+0xbc/0xe4) from [<c46c9f98>](driver_probe_device+0x70/0x184)
[ 12.826000] [<c46c9f98>](driver_probe_device+0x70/0x184) from [<c46ca138>](__driver_attach+0x8c/0x90)
[ 12.835000] [<c46ca138>](__driver_attach+0x8c/0x90) from [<c46c9814>](bus_for_each_dev+0x60/0x8c)
[ 12.844000] [<c46c9814>](bus_for_each_dev+0x60/0x8c) from [<c46c90cc>](bus_add_driver+0xa0/0x240)
[ 12.853000] [<c46c90cc>](bus_add_driver+0xa0/0x240) from [<c46ca3c8>](driver_register+0x78/0x144)
[ 12.862000] [<c46ca3c8>](driver_register+0x78/0x144) from [<c471ea78>](i2c_register_driver+0x2c/0x8c)
[ 12.871000] [<c471ea78>](i2c_register_driver+0x2c/0x8c) from [<bf082040>](kt0812g_driver_init+0x40/0x6c [kt0812g_fm_ctrl])
[ 12.882000] [<bf082040>](kt0812g_driver_init+0x40/0x6c [kt0812g_fm_ctrl]) from [<c452c2f0>](do_one_initcall+0x30/0x1b8)
[ 12.893000] [<c452c2f0>](do_one_initcall+0x30/0x1b8) from [<c458d4f8>](sys_init_module+0xac/0x1c0)
[ 12.902000] [<c458d4f8>](sys_init_module+0xac/0x1c0) from [<c452df60>](ret_fast_syscall+0x0/0x5c)
[ 12.919000] task PCstack pid father
[ 12.919000] init Rrunning 120 0 1 0 0x00000002
[ 12.923000] [<c45330e0>](unwind_backtrace+0x0/0xfc) from [<c453214c>](show_stack+0x10/0x14)
[ 12.932000] [<c453214c>](show_stack+0x10/0x14) from [<c455a83c>](show_state_filter+0x58/0xbc)
[ 12.941000] [<c455a83c>](show_state_filter+0x58/0xbc) from [<c46d5770>](apanic+0x9c/0x174)
[ 12.949000] [<c46d5770>](apanic+0x9c/0x174) from [<c48d7abc>](notifier_call_chain+0x44/0x84)
[ 12.958000] [<c48d7abc>](notifier_call_chain+0x44/0x84) from [<c48d7b38>](__atomic_notifier_call_chain+0x3c/0x74)
[ 12.968000] [<c48d7b38>](__atomic_notifier_call_chain+0x3c/0x74) from [<c48d7b88>](atomic_notifier_call_chain+0x18/0x20)
[ 12.979000] [<c48d7b88>](atomic_notifier_call_chain+0x18/0x20) from [<c48d2b90>](panic+0x80/0xe4)
[ 12.988000] [<c48d2b90>](panic+0x80/0xe4) from [<c4531c4c>] (die+0x264/0x344)
[ 12.995000] [<c4531c4c>](die+0x264/0x344) from [<c4536448>](__do_kernel_fault+0x64/0x84)
[ 13.003000] [<c4536448>](__do_kernel_fault+0x64/0x84) from [<c48d7520>](do_page_fault+0x7c/0x3b8)
[ 13.012000] [<c48d7520>](do_page_fault+0x7c/0x3b8) from [<c452c25c>](do_DataAbort+0x34/0x98)
[ 13.021000] [<c452c25c>](do_DataAbort+0x34/0x98) from [<c48d56f4>](__dabt_svc+0x54/0x84)
[ 13.029000] Exceptionstack(0xce827e00 to 0xce827e48)
[ 13.034000] 7e00: 00000000 0000003200000000 00000000 cdcbd294 c4a3ebf4 c46c6844 cdcea7e0
[ 13.042000] 7e20: cdcbd220 cdcbd26800000000 bf07eec8 22222222 ce827e48 c48d4078 c4590d80
[ 13.050000] 7e40: 80800013 ffffffff
[ 13.054000] [<c48d56f4>](__dabt_svc+0x54/0x84) from [<c4590d80>](register_early_suspend+0x30/0x8c)
[ 13.063000] [<c4590d80>](register_early_suspend+0x30/0x8c) from[<bf07dbfc>] (kt0812g_probe+0x2d0/0x464[kt0812g_fm_ctrl])
[ 13.074000] [<bf07dbfc>](kt0812g_probe+0x2d0/0x464 [kt0812g_fm_ctrl]) from [<c471dcd4>](i2c_device_probe+0xbc/0xe4)
[ 13.085000] [<c471dcd4>](i2c_device_probe+0xbc/0xe4) from [<c46c9f98>](driver_probe_device+0x70/0x184)
[ 13.094000] [<c46c9f98>](driver_probe_device+0x70/0x184) from [<c46ca138>](__driver_attach+0x8c/0x90)
[ 13.103000] [<c46ca138>](__driver_attach+0x8c/0x90) from [<c46c9814>](bus_for_each_dev+0x60/0x8c)
[ 13.112000] [<c46c9814>](bus_for_each_dev+0x60/0x8c) from [<c46c90cc>](bus_add_driver+0xa0/0x240)
[ 13.121000] [<c46c90cc>](bus_add_driver+0xa0/0x240) from [<c46ca3c8>](driver_register+0x78/0x144)
[ 13.130000] [<c46ca3c8>](driver_register+0x78/0x144) from [<c471ea78>](i2c_register_driver+0x2c/0x8c)
[ 13.140000] [<c471ea78>](i2c_register_driver+0x2c/0x8c) from [<bf082040>](kt0812g_driver_init+0x40/0x6c [kt0812g_fm_ctrl])
[ 13.151000] [<bf082040>](kt0812g_driver_init+0x40/0x6c [kt0812g_fm_ctrl]) from [<c452c2f0>](do_one_initcall+0x30/0x1b8)
[ 13.162000] [<c452c2f0>](do_one_initcall+0x30/0x1b8) from [<c458d4f8>](sys_init_module+0xac/0x1c0)
[ 13.171000] [<c458d4f8>](sys_init_module+0xac/0x1c0) from [<c452df60>](ret_fast_syscall+0x0/0x5c)
[ 13.180000] kthreadd Sc48d2ef0 120 0 2 0 0x00000000
[ 13.187000] ksoftirqd/0 Sc48d2ef0 120 0 3 2 0x00000000
[ 13.194000] watchdog/0 Sc48d2ef0 0 0 4 2 0x00000000
[ 13.200000] [<c48d2ef0>](schedule+0x1b0/0x3e4) from [<c459e664>] (watchdog+0x48/0x80)
[ 13.208000] [<c459e664>](watchdog+0x48/0x80) from [<c4574c08>] (kthread+0x7c/0x84)
[ 13.216000] [<c4574c08>](kthread+0x7c/0x84) from [<c452ea18>](kernel_thread_exit+0x0/0x8)
[ 13.224000] events/0 Sc48d2ef0 120 0 5 2 0x00000000
[ 13.231000] khelper Sc48d2ef0 120 0 6 2 0x00000000
[ 13.238000] async/mgr Sc48d2ef0 120 0 7 2 0x00000000
[ 13.245000] suspend Sc48d2ef0 120 0 8 2 0x00000000
[ 13.252000] sync_supers Sc48d2ef0 120 0 9 2 0x00000000
[ 13.258000] bdi-default Sc48d2ef0 120 0 10 2 0x00000000
[ 13.265000] kblockd/0 Sc48d2ef0 120 0 11 2 0x00000000
[ 13.272000] kseriod Sc48d2ef0 120 0 12 2 0x00000000
[ 13.279000] kmmcd Sc48d2ef0 120 0 13 2 0x00000000
[ 13.286000] cfg80211 Sc48d2ef0 120 0 14 2 0x00000000
[ 13.293000] kondemand/0 Sc48d2ef0 120 0 15 2 0x00000000
[ 13.299000] swapper Dc48d2ef0 94 0 16 1 0x00000000
[ 13.306000] [<c48d2ef0>](schedule+0x1b0/0x3e4) from [<c48d3894>](schedule_timeout+0x188/0x218)
[ 13.315000] [<c48d3894>](schedule_timeout+0x188/0x218) from [<c48d4e88>](__down+0x74/0xb0)
[ 13.323000] [<c48d4e88>](__down+0x74/0xb0) from [<c457a4d8>] (down+0x64/0x68)
[ 13.331000] [<c457a4d8>](down+0x64/0x68) from [<c4542650>](mux_receive_thread+0x3c/0x3ac)
[ 13.339000] [<c4542650>](mux_receive_thread+0x3c/0x3ac) from [<c452ea18>](kernel_thread_exit+0x0/0x8)
[ 13.348000] muxsend/0 Sc48d2ef0 120 0 17 2 0x00000000
[ 13.355000] muxpostreceive/ Sc48d2ef0 120 0 18 2 0x00000000
[ 13.362000] swapper Sc48d2ef0 120 0 19 1 0x00000000
[ 13.369000] deep_sleep Sc48d2ef0 120 0 20 2 0x00000000
[ 13.376000] cpufreq_catch_i Sc48d2ef0 120 0 21 2 0x00000000
[ 13.382000] khungtaskd Sc48d2ef0 120 0 22 2 0x00000000
[ 13.389000] kswapd0 Sc48d2ef0 120 0 23 2 0x00000000
[ 13.396000] aio/0 Sc48d2ef0 120 0 24 2 0x00000000
[ 13.403000] crypto/0 Sc48d2ef0 120 0 25 2 0x00000000
[ 13.410000] vaudio-fe Dc48d2ef0 120 0 35 2 0x00000000
[ 13.417000] vbd-fe Sc48d2ef0 120 0 36 2 0x00000000
[ 13.423000] mtdblock0 Sc48d2ef0 120 0 37 2 0x00000000
[ 13.430000] mtdblock1 Sc48d2ef0 120 0 38 2 0x00000000
[ 13.437000] mtdblock2 Sc48d2ef0 120 0 39 2 0x00000000
[ 13.444000] mtdblock3 Sc48d2ef0 120 0 40 2 0x00000000
[ 13.451000] mtdblock4 Sc48d2ef0 120 0 41 2 0x00000000
[ 13.458000] mtdblock5 Sc48d2ef0 120 0 42 2 0x00000000
[ 13.464000] mtdblock6 Sc48d2ef0 120 0 43 2 0x00000000
[ 13.471000] mtdblock7 Sc48d2ef0 120 0 44 2 0x00000000
[ 13.478000] mtdblock8 Sc48d2ef0 120 0 45 2 0x00000000
[ 13.485000] mtdblock9 Sc48d2ef0 120 0 46 2 0x00000000
[ 13.492000] mtdblock10 Sc48d2ef0 120 0 47 2 0x00000000
[ 13.499000] mtdblock11 Sc48d2ef0 120 0 48 2 0x00000000
[ 13.505000] mtdblock12 Sc48d2ef0 120 0 49 2 0x00000000
[ 13.512000] mtdblock13 Sc48d2ef0 120 0 50 2 0x00000000
[ 13.519000] mtdblock14 Sc48d2ef0 120 0 51 2 0x00000000
[ 13.526000] mtdblock15 Sc48d2ef0 120 0 52 2 0x00000000
[ 13.533000] mtdblock16 Sc48d2ef0 120 0 53 2 0x00000000
[ 13.540000] mtdblock17 Sc48d2ef0 120 0 54 2 0x00000000
[ 13.546000] mtdblock18 Sc48d2ef0 120 0 55 2 0x00000000
[ 13.553000] mtdblock19 Sc48d2ef0 120 0 56 2 0x00000000
[ 13.560000] usb detect wq Sc48d2ef0 120 0 63 2 0x00000000
[ 13.567000] file-storage Sc48d2ef0 120 0 64 2 0x00000000
[ 13.574000] rtc_alarm Sc48d2ef0 120 0 65 2 0x00000000
[ 13.581000] rtc_alarm Sc48d2ef0 120 0 66 2 0x00000000
[ 13.587000] rtc_alarm Sc48d2ef0 120 0 67 2 0x00000000
[ 13.594000] rtc_alarm Sc48d2ef0 120 0 68 2 0x00000000
[ 13.601000] rtc_alarm Sc48d2ef0 120 0 69 2 0x00000000
[ 13.608000] rtc_alarm Sc48d2ef0 120 0 70 2 0x00000000
[ 13.615000] kstriped Sc48d2ef0 120 0 71 2 0x00000000
[ 13.622000] binder Sc48d2ef0 120 0 72 2 0x00000000
[ 13.629000] binder_deferred Sc48d2ef0 120 0 73 2 0x00000000
[ 13.635000] l2cap Sc48d2ef0 120 0 74 2 0x00000000
[ 13.642000] krfcommd Sc48d2ef0 110 0 75 2 0x00000000
[ 13.649000] ueventd Sc48d2ef0 120 0 76 1 0x00000000
[ 13.656000] yaffs-bg-1 Sc48d2ef0 120 0 77 2 0x00000000
[ 13.663000] yaffs-bg-1 Rrunning 120 0 78 2 0x00000000
[ 13.670000] [<c48d2ef0>](schedule+0x1b0/0x3e4) from [<c464820c>](yaffs_BackgroundThread+0x134/0x234)
[ 13.679000] [<c464820c>](yaffs_BackgroundThread+0x134/0x234) from [<c4574c08>](kthread+0x7c/0x84)
[ 13.688000] [<c4574c08>](kthread+0x7c/0x84) from [<c452ea18>](kernel_thread_exit+0x0/0x8)
[ 13.696000] yaffs-bg-1 Rrunning 120 0 79 2 0x00000000
[ 13.703000] [<c48d2ef0>](schedule+0x1b0/0x3e4) from [<c464820c>](yaffs_BackgroundThread+0x134/0x234)
[ 13.712000] [<c464820c>](yaffs_BackgroundThread+0x134/0x234) from [<c4574c08>](kthread+0x7c/0x84)
[ 13.721000] [<c4574c08>](kthread+0x7c/0x84) from [<c452ea18>](kernel_thread_exit+0x0/0x8)
[ 13.729000] yaffs-bg-1 Rrunning 120 0 80 2 0x00000000
[ 13.736000] [<c48d2ef0>](schedule+0x1b0/0x3e4) from [<c464820c>](yaffs_BackgroundThread+0x134/0x234)
[ 13.746000] [<c464820c>](yaffs_BackgroundThread+0x134/0x234) from [<c4574c08>](kthread+0x7c/0x84)
[ 13.755000] [<c4574c08>](kthread+0x7c/0x84) from [<c452ea18>](kernel_thread_exit+0x0/0x8)
[ 13.763000] yaffs-bg-1 Rrunning 120 0 81 2 0x00000000
[ 13.770000] [<c48d2ef0>](schedule+0x1b0/0x3e4) from [<c464820c>](yaffs_BackgroundThread+0x134/0x234)
[ 13.779000] [<c464820c>](yaffs_BackgroundThread+0x134/0x234) from [<c4574c08>](kthread+0x7c/0x84)
[ 13.788000] [<c4574c08>](kthread+0x7c/0x84) from [<c452ea18>](kernel_thread_exit+0x0/0x8)
[ 13.796000] yaffs-bg-1 Rrunning 120 0 82 2 0x00000000
[ 13.803000] [<c48d2ef0>](schedule+0x1b0/0x3e4) from [<c464820c>](yaffs_BackgroundThread+0x134/0x234)
[ 13.812000] [<c464820c>](yaffs_BackgroundThread+0x134/0x234) from [<c4574c08>](kthread+0x7c/0x84)
[ 13.821000] [<c4574c08>](kthread+0x7c/0x84) from [<c452ea18>](kernel_thread_exit+0x0/0x8)
[ 13.830000] yaffs-bg-1 Rrunning 120 0 83 2 0x00000000
[ 13.837000] [<c48d2ef0>](schedule+0x1b0/0x3e4) from [<c464820c>](yaffs_BackgroundThread+0x134/0x234)
[ 13.846000] [<c464820c>](yaffs_BackgroundThread+0x134/0x234) from [<c4574c08>](kthread+0x7c/0x84)
[ 13.855000] [<c4574c08>](kthread+0x7c/0x84) from [<c452ea18>](kernel_thread_exit+0x0/0x8)
[ 13.863000] mali/0 Sc48d2ef0 120 0 85 2 0x00000000
[ 13.870000] mali-pmm-wq Sc48d2ef0 120 0 86 2 0x00000000
[ 13.877000] Sched Debug Version:v0.09, 2.6.35.7 #5
[ 13.882000] now at 9953.000003 msecs
log从上往下依次看
Unable to handlekernel NULL pointer dereference at virtual address 00000000
//panic原因是解引用空指针
PC is at(register_early_suspend+0x30)/0x8c
//解引用空指针在register_early_suspend中的0写0x30处
可以看出是死在register_early_suspend+0x30这个地址处,而从接下来的堆栈信息可以看到这个
register_early_suspend是在kt0812g_probe中调用的。看一下register_early_suspend
void register_early_suspend(structearly_suspend *handler) {
struct list_head *pos;
mutex_lock(&early_suspend_lock);
list_for_each(pos,&early_suspend_handlers) { structearly_suspend *e;
e = list_entry(pos,struct early_suspend, link);
if (e->level >handler->level)
break;
}
list_add_tail(&handler->link,pos);
if ((state & SUSPENDED) &&handler->suspend) handler->suspend(handler);
mutex_unlock(&early_suspend_lock); }
#define list_for_each(pos, head) \
for (pos = (head)->next;prefetch(pos->next), pos != (head); \
pos = pos->next)
通过log和实验结合,可以找到原因:
可以发现当register_early_suspend时会遍历系统注册的earlysuspend链表,其节点按照level值由小到大排列,当注册一个新的节点找到第一个其level值大于要注册的earlysuspend的节点,把要注册的earlysuspend放在其前面。
结合前面的实验猜测可能是在遍历earlysuspend的时候出现了空指针。
在仔细分析以下两个模块的probe函数,就会发现问题:
gsensor中probe失败时,调用kfree(mc3xx0),mc3xx0整个结构体(其中包含了earlysuspend)占用的内存归还系统,在FM的probe中
cxt = kzalloc(sizeof(structkt0812g_drv_data), GFP_KERNEL);
分配时正好分在了上面mc3xx0占用的内存,并把这块内存初始化为0,(其实这个动作使mc3xx0中earlysuspend的next和prev指针赋为0,导致系统的earlysuspend链表断掉了),而接下来在FM的
register_early_suspend(&cxt->early_suspend)时会调用list_for_each,
mc3xx0->earlysuspend.head->next=NULL
在遍历链表时,当判断完mc3xx0的earlysuspend,后再次进入for循环时pos=NULL,
判断完成后再次回到for当执行pos= pos->next时,即NULL->next即dereferenceNULL
pointer
结合汇编看一下:
$sourcebuild/envsetup.sh
$lunch
$arm-eabi-objdump -D -S./out/target/product/hsdroid/obj/KERNEL.sp6820a/kernel/power/earlysuspend.o|teeearlysuspend.dump
./out/target/product/hsdroid/obj/KERNEL.sp6820a/kernel/power/earlysuspend.o: file format elf32-littlearm
Disassembly of section .text:
00000000 <get_suspend_state>:
}
EXPORT_SYMBOL(register_early_suspend);
void unregister_early_suspend(structearly_suspend *handler)
{
10: e92d4070 push {r4, r5, r6, lr}
mutex_lock(&early_suspend_lock);
14: e3005000 movw r5, #0 ; 0x0
18: e3405000 movt r5, #0 ; 0x0
mutex_unlock(&early_suspend_lock);
}
EXPORT_SYMBOL(register_early_suspend);
void unregister_early_suspend(structearly_suspend *handler)
{
1c: e1a04000 mov r4, r0
mutex_lock(&early_suspend_lock);
20: e1a00005 mov r0, r5
24: ebfffffe bl 0 <mutex_lock>
* in an undefined state.
*/
#ifndef CONFIG_DEBUG_LIST
static inline void list_del(structlist_head *entry)
{
__list_del(entry->prev,entry->next);
28: e5941004 ldr r1, [r4, #4]
2c: e594c000 ldr ip, [r4]
entry->next = LIST_POISON1;
30: e3003100 movw r3, #256 ; 0x100
entry->prev = LIST_POISON2;
34: e3002200 movw r2, #512 ; 0