[Android稳定性] 第010篇 [问题篇] 数组越界导致的内核panic

0. 问题现象收到研发提供的反馈，服务器打包的daliy版本刷机后出现900E口，出现死机问题。 1. 问题分析 1.1 dmesg_TZ.txt [ 51.674148][ T1598] xiaomi_touch_dev_open [ 51.674189][ T1598] xiaomi_

本文作者 林渡
文章发布日期 2024-12-23 13:15
热度 4
本文共计
预计阅读

0. 问题现象

收到研发提供的反馈，服务器打包的daliy版本刷机后出现900E口，出现死机问题。

1. 问题分析

1.1 dmesg_TZ.txt

[   51.674148][ T1598] xiaomi_touch_dev_open
[   51.674189][ T1598] xiaomi_touch_dev_ioctl cmd:0, mode:100, value:0
[   51.674197][ T1598] Unexpected kernel BRK exception at EL1
[   51.674203][ T1598] Internal error: BRK handler: 00000000f2005512 [#1] PREEMPT SMP
[   51.681890][ T1598] Dumping ftrace buffer:
[   51.686014][ T1598]    (ftrace buffer empty)

[   51.691054][ T1598] CPU: 4 PID: 1598 Comm: binder:1581_1 Tainted: G           OE      6.1.90-android14-11-g6f645aac9706-ab12424481 #1
[   51.691062][ T1598] Hardware name: Qualcomm Technologies, Inc. Spring QRD (DT)
[   51.691066][ T1598] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   51.691073][ T1598] pc : fts_set_cur_value+0x270/0x278 [focaltech_spi]
[   51.691146][ T1598] lr : xiaomi_touch_dev_ioctl+0x1e0/0x498 [xiaomi_tp]
[   51.691165][ T1598] sp : ffffffc011783970
[   51.691168][ T1598] x29: ffffffc011783d80 x28: ffffff8059f1b840 x27: ffffff805966c800
[   51.691177][ T1598] x26: 0000007ffffffc01 x25: 00006f5e50e46800 x24: ffffff8059f1b840
[   51.691185][ T1598] x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000005400
[   51.691192][ T1598] x20: 0000006f5e50e468 x19: ffffffc002438090 x18: ffffffc0112f6038
[   51.691200][ T1598] x17: 0000000056e5b5a5 x16: 0000000056e5b5a5 x15: 0000000000000004
[   51.691208][ T1598] x14: ffffff82f1e10000 x13: 000000000000ffff x12: 0000000000000003
[   51.691216][ T1598] x11: 0000000000000040 x10: ffffffc002434370 x9 : ffffffc002436168
[   51.691223][ T1598] x8 : ffffffc002eb7928 x7 : 7665645f6863756f x6 : 745f696d6f616978
[   51.691231][ T1598] x5 : ffffffc00a1c8887 x4 : ffffff82f25e73cf x3 : 0000000000000000
[   51.691238][ T1598] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000064
[   51.691246][ T1598] Call trace:
[   51.691251][ T1598]  fts_set_cur_value+0x270/0x278 [focaltech_spi]
[   51.691310][ T1598]  __arm64_sys_ioctl+0xa8/0xe4
[   51.691324][ T1598]  invoke_syscall+0x58/0x11c
[   51.691333][ T1598]  el0_svc_common+0xb4/0xf4
[   51.691339][ T1598]  do_el0_svc+0x2c/0xb0
[   51.691345][ T1598]  el0_svc+0x2c/0x90
[   51.691353][ T1598]  el0t_64_sync_handler+0x68/0xb4
[   51.691359][ T1598]  el0t_64_sync+0x1a4/0x1a8
[   51.691369][ T1598] Code: 2a1503e2 2a1603e3 958482f8 17ffffee (d42aa240) 
[   51.698178][ T1598] ---[ end trace 0000000000000000 ]---

从calltrace来看，死在了fts_set_cur_value+0x270的地方。

1.2 trace32恢复现场

从现场我们可以看到fts_mode=100，而此时touch_mode作为xiaomi_touch_interfaces的成员，在定义时已经限制了数组的最大值为Touch_Mode_NUM。查看定义此变量为15，所以这是一个很明显的数组越界导致的踩内存问题。

2025 年 6 月
日	一	二	三	四	五	六
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30