Fixed
Created: May 7, 2015
Updated: Dec 3, 2018
Resolved Date: Jun 24, 2015
Found In Version: 6.0.0.18
Fix Version: 6.0.0.22
Severity: Standard
Applicable for: Wind River Linux 6
Component/s: Kernel
Hi,
As I see a few Wind River changes in this area, maybe they have an idea of what happens.
The crash happens in drivers/staging/fsl_qbman/qman_high.c around row 2720.
The list_for_each_entry() finds an entry in the list that has the value 0 (NULL).
It then subtracts 24 (offset of list element in the struct type) and dereferences that value
which causes the oops.
As far as I know a kernel list like this cannot normally have NULL pointers, so
there is some corruption, use after free, or some such going on here.
As this is not easy to reproduce here and we are in the process of upgrading to
WRL7 we will wait to see what happens with the new kernel.
But maybe someone more familiar with the code can spot an issue from this.
----
# reboot -f
Rebooting.[ 214.274701] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[ 214.410888] Unable to handle kernel paging request for data at address 0xffffffffffffffe8
[ 214.419073] Faulting instruction address: 0xc0000000046c4040
[ 214.424732] Oops: Kernel access of bad area, sig: 11 [#1]
[ 214.430128] PREEMPT SMP NR_CPUS=24 CoreNet Generic
[ 214.434925] Modules linked in: linx_eth_cm(O) efdlinux(O) linx(O) tievent(O) nfsd fuse esdi_cpld(O) eri_ipmi(O)
[ 214.445054] CPU: 0 PID: 2232 Comm: reboot Tainted: G O 3.10.62-ltsi-WR6.0.0.18_standard #1
[ 214.454190] task: c0000005f2346b80 ti: c0000005df950000 task.ti: c0000005df950000
[ 214.461673] NIP: c0000000046c4040 LR: c0000000046c3fd8 CTR: c0000000040ca9f0
[ 214.468722] REGS: c0000005df953500 TRAP: 0300 Tainted: G O (3.10.62-ltsi-WR6.0.0.18_standard)
[ 214.478378] MSR: 0000000080029000 <CE,EE,ME> CR: 24088244 XER: 20000000
[ 214.485187] SOFTE: 0
[ 214.487367] DEAR: ffffffffffffffe8, ESR: 0000000000000000
[ 214.492763]
GPR00: c0000000046c3fd8 c0000005df953780 c000000004fe63e8 0000000000000001
GPR04: 0000000000000031 0000000000000031 0000000024088248 c0000000051315a0
GPR08: 000000000000000b ffffffffffffffe8 0000000000000000 c000000004fe0000
GPR12: 0000000024088244 c000000007ff4000 0000000020000000 0000000000008000
GPR16: 0000000000000000 c0000000049da0e0 c000000005131580 c000000004ae7a40
GPR20: c0000000051318a8 c000000004ff39f0 c000000004ae81c0 c000000004ae7a40
GPR24: c0000005f3542410 c000000004ff3858 0000000000000000 0000000000000001
GPR28: c000000055103750 c000000055103640 c0000000051315b0 c000000055103740
[ 214.547972] NIP [c0000000046c4040] .qman_delete_cgr+0x120/0x270
[ 214.553892] LR [c0000000046c3fd8] .qman_delete_cgr+0xb8/0x270
[ 214.559635] Call Trace:
[ 214.562078] [c0000005df953780] [c0000000046c3fd8] .qman_delete_cgr+0xb8/0x270 (unreliable)
[ 214.570358] [c0000005df9538a0] [c00000000468cd40] .caam_qi_shutdown+0x210/0x300
[ 214.577672] [c0000005df9539a0] [c00000000468a1e4] .caam_remove+0xc4/0x420
[ 214.584467] [c0000005df953a70] [c00000000449c36c] .platform_drv_shutdown+0x3c/0x60
[ 214.592046] [c0000005df953af0] [c0000000044968e8] .device_shutdown+0x128/0x240
[ 214.599275] [c0000005df953b90] [c00000000409d2a4] .kernel_restart_prepare+0x54/0x70
[ 214.606936] [c0000005df953c10] [c00000000409d2e4] .kernel_restart+0x24/0xc0
[ 214.613902] [c0000005df953c90] [c00000000409d570] .SyS_reboot+0x1c0/0x2d0
[ 214.620695] [c0000005df953e30] [c000000004010718] syscall_exit+0x0/0x8c
[ 214.627311] Instruction dump:
[ 214.630276] 7fbf4840 3929ffe8 419e0048 811e0000 48000020 60000000 60000000 60000000
[ 214.638050] e9290018 7fbf4840 3929ffe8 419e0024 <81490000> 7f8a4000 409effe8 e9490008
----
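The pointer arithmetic described in the report, as an added example that is not part of the original report or the driver source: `struct obj` is a hypothetical stand-in with its list node at offset 24, and `entry_address`, `checked_walk` and `walk_sample` are illustrative names. A NULL node pointer minus 24 gives 0xffffffffffffffe8, the fault address (DEAR) in the oops above, and the guarded walk stops on the NULL link before converting it to an entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

/* Hypothetical stand-in object: three 8-byte fields put the node at offset 24. */
struct obj {
    uint64_t id, cb, chan;
    struct list_head node;
};
#define NODE_OFFSET offsetof(struct obj, node)

/* container_of arithmetic on integers: entry address for a given node address. */
static uint64_t entry_address(uint64_t node_addr)
{
    return node_addr - (uint64_t)NODE_OFFSET;
}

/* Walk a circular list; return the entry count, or -1 if a NULL link is
 * found, instead of turning it into an entry pointer and dereferencing it. */
static int checked_walk(const struct list_head *head)
{
    int n = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next) {
        if (p == NULL)
            return -1;
        n++;
    }
    return n;
}

/* Constructed sample: head -> a -> b -> head, optionally with b.next zeroed. */
static int walk_sample(int corrupt)
{
    struct list_head head;
    struct obj a = {1, 0, 0, {NULL, NULL}}, b = {2, 0, 0, {NULL, NULL}};
    head.next = &a.node; a.node.next = &b.node; b.node.next = &head;
    head.prev = &b.node; b.node.prev = &a.node; a.node.prev = &head;
    if (corrupt)
        b.node.next = NULL;
    return checked_walk(&head);
}

int main(void)
{
    printf("NULL node -> entry 0x%016llx\n", (unsigned long long)entry_address(0));
    printf("intact: %d, corrupted: %d\n", walk_sample(0), walk_sample(1));
    return 0;
}
```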