Analysis of a memory-corruption crash triggered by Face ID operations

Symptom: after performing basic Face ID operations on the phone and checking the phone's software version, the phone was left idle on the desk; after a while it froze and rebooted.

[ 2715.426638] (1)[16556:lsof]Unable to handle kernel NULL pointer dereference at virtual address 00000008

A NULL pointer dereference. The source location corresponding to the fault:
fs/proc/task_mmu.c:330

330         dev = inode->i_sb->s_dev;


From the disassembly, R2 is derived from R3, and R3 is derived from R6.

0xc0281f78 <+0>:  mov r12, sp
0xc0281f7c <+4>:  push {r4, r5, r6, r7, r8, r9, r10, r11, r12, lr, pc}
0xc0281f80 <+8>:  sub r11, r12, #4
0xc0281f84 <+12>: sub sp, sp, #52 ; 0x34
0xc0281f88 <+16>: ldr r6, [r1, #80] ; 0x50
0xc0281f8c <+20>: ldr r3, [r0, #80] ; 0x50
0xc0281f90 <+24>: mov r8, r2
0xc0281f94 <+28>: cmp r6, #0
0xc0281f98 <+32>: mov r4, r1
0xc0281f9c <+36>: ldr r7, [r1, #32]
0xc0281fa0 <+40>: mov r5, r0
0xc0281fa4 <+44>: str r3, [r11, #-48] ; 0xffffffd0
0xc0281fa8 <+48>: moveq r2, r6
0xc0281fac <+52>: ldrne r3, [r6, #16]
0xc0281fb0 <+56>: moveq r12, r6
0xc0281fb4 <+60>: ldr r0, [r1, #40] ; 0x28
0xc0281fb8 <+64>: moveq lr, r6
0xc0281fbc <+68>: moveq r1, r6
0xc0281fc0 <+72>: ldr r9, [r5, #12]
0xc0281fc4 <+76>: ldrne r2, [r3, #28]
0xc0281fc8 <+80>: ldrne lr, [r3, #40] ; 0x28
0xc0281fcc <+84>: add r9, r9, #48 ; 0x30
0xc0281fd0 <+88>: ldr r3, [r4]
=> 0xc0281fd4 <+92>: ldrne r1, [r2, #8]

Checking the assembly confirms that R6 holds file = vma->vm_file from the source:

0xc0281fac <+52>: ldrne r3, [r6, #16]
r3 = [r6+0x10]

Working this out for the crash, r3 was 0xdc5a84bf at the time:

(gdb) p {struct file} 0xda1173c0
$3 = {f_u = {fu_llist = {next = 0xdc5c83bf}, fu_rcuhead = {next = 0xdc5c83bf, func = 0xdc5c82bf}}, f_path = {mnt = 0xdc5c83c1, dentry = 0xdc5c83c1}, f_inode = 0xdc5a84bf, f_op = 0xdc5a83bf, f_lock = {{rlock = {raw_lock = {{

This matches f_inode exactly.

(gdb) x 0xdc5a84bf
0xdc5a84bf: Cannot access memory at address 0xdc5a84bf

But this address is not present in the dump.

Working through the calculation, the faulting instruction is:
=> 0xc0281fd4 <+92>: ldrne r1, [r2, #8]

Here r2 is inode->i_sb, and it is this value being NULL that caused the crash.
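The register chain above (r2 from r3 at <+76>, r3 from r6 at <+52>, r6 from r1 at <+16>) can be recovered mechanically. The script below is an added example and is not code from the original post: it re-parses the page's gdb listing (transcribed as sample input, with the ARM [base, #off] brackets restored and gdb's trailing "; 0x.." comments dropped), follows the base register of the faulting load back through the loads on the path that actually executed (the ldrne path, since the faulting instruction itself is predicated ne), and derives the base register's value from the faulting virtual address. The source-level names for the offsets (vm_file, f_inode, i_sb, s_dev) are the author's reading of task_mmu.c, not something the script knows; the pointer sanity check assumes the default 32-bit ARM PAGE_OFFSET of 0xC0000000, which the 0xc02... code addresses on the page are consistent with.

```python
import re

# Added example, not from the original post: automate the register chain the
# author walked by hand. DISASM is the page's gdb listing, transcribed as input.
DISASM = """
0xc0281f78 <+0>: mov r12, sp
0xc0281f7c <+4>: push {r4, r5, r6, r7, r8, r9, r10, r11, r12, lr, pc}
0xc0281f80 <+8>: sub r11, r12, #4
0xc0281f84 <+12>: sub sp, sp, #52
0xc0281f88 <+16>: ldr r6, [r1, #80]
0xc0281f8c <+20>: ldr r3, [r0, #80]
0xc0281f90 <+24>: mov r8, r2
0xc0281f94 <+28>: cmp r6, #0
0xc0281f98 <+32>: mov r4, r1
0xc0281f9c <+36>: ldr r7, [r1, #32]
0xc0281fa0 <+40>: mov r5, r0
0xc0281fa4 <+44>: str r3, [r11, #-48]
0xc0281fa8 <+48>: moveq r2, r6
0xc0281fac <+52>: ldrne r3, [r6, #16]
0xc0281fb0 <+56>: moveq r12, r6
0xc0281fb4 <+60>: ldr r0, [r1, #40]
0xc0281fb8 <+64>: moveq lr, r6
0xc0281fbc <+68>: moveq r1, r6
0xc0281fc0 <+72>: ldr r9, [r5, #12]
0xc0281fc4 <+76>: ldrne r2, [r3, #28]
0xc0281fc8 <+80>: ldrne lr, [r3, #40]
0xc0281fcc <+84>: add r9, r9, #48
0xc0281fd0 <+88>: ldr r3, [r4]
0xc0281fd4 <+92>: ldrne r1, [r2, #8]
"""

INSN_RE = re.compile(r"^\s*(?:=>\s*)?0x[0-9a-f]+\s+<\+(\d+)>:\s+(\S+)\s*(.*)$")
MEM_RE = re.compile(r"^\[(\w+)(?:,\s*#(-?\d+))?\]$")
CONDS = ("eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc", "hi", "ls", "ge", "lt", "gt", "le")

def parse_listing(text):
    """gdb 'disassemble' lines -> [(offset, mnemonic, cond, operands)]."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue  # blank lines, pager prompts
        off, mnem, ops = int(m.group(1)), m.group(2), m.group(3)
        ops = ops.split(";")[0].strip()  # drop gdb's '; 0x50' annotation
        cond = ""
        for c in CONDS:
            if len(mnem) > len(c) and mnem.endswith(c):
                mnem, cond = mnem[:-len(c)], c
                break
        insns.append((off, mnem, cond, ops))
    return insns

def split_dst(ops):
    dst, _, rest = ops.partition(",")
    return dst.strip(), rest.strip()

def written_reg(insn):  # destination register, for the forms in this listing
    return split_dst(insn[3])[0] if insn[1] in ("ldr", "mov", "add", "sub") else None

def backtrack(insns, fault_off, taken):
    """Trace the faulting load's base register back through the loads/copies that
    produced it; `taken` = condition codes known to have run ('ne' here)."""
    idx = next(i for i, ins in enumerate(insns) if ins[0] == fault_off)
    m = MEM_RE.match(split_dst(insns[idx][3])[1])
    if insns[idx][1] != "ldr" or not m:
        raise ValueError("faulting instruction is not a register-indirect load")
    base = reg = m.group(1)
    disp, chain = int(m.group(2) or 0), []
    while True:
        writer = next((j for j in range(idx - 1, -1, -1)
                       if (not insns[j][2] or insns[j][2] in taken)
                       and written_reg(insns[j]) == reg), None)
        if writer is None:  # nothing earlier wrote it: an incoming argument
            return {"base": base, "disp": disp, "chain": chain, "origin": reg}
        off, mnem, _, ops = insns[writer]
        rest = split_dst(ops)[1]
        mm = MEM_RE.match(rest) if mnem == "ldr" else None
        if mm:  # reg = [src + off]: one pointer dereference
            chain.append((reg, mm.group(1), int(mm.group(2) or 0), off))
            reg = mm.group(1)
        elif mnem == "mov":  # plain register copy
            chain.append((reg, rest, None, off))
            reg = rest
        else:  # arithmetic or an unhandled form: stop here
            return {"base": base, "disp": disp, "chain": chain,
                    "origin": f"computed at <+{off}>"}
        idx = writer

def plausible_kernel_pointer(value, align=4, page_offset=0xC0000000):
    """Sanity check for a 32-bit ARM kernel struct pointer; assumes the default
    PAGE_OFFSET 0xC0000000 (matching the 0xc02... code addresses on the page)."""
    return value >= page_offset and value % align == 0

def analyse_page_crash():
    # fault at <+92>, faulting VA 0x00000008: base register = VA - displacement
    result = backtrack(parse_listing(DISASM), fault_off=92, taken={"ne"})
    result["base_value"] = 0x00000008 - result["disp"]
    return result

if __name__ == "__main__":
    print(analyse_page_crash())
```

Running it yields a chain of three loads (r2 = [r3+28], r3 = [r6+16], r6 = [r1+80]) ending at r1, the incoming vma argument, and base_value 0: the load from r2+8 faulted at virtual address 8, so r2 was NULL, exactly as the author concluded. plausible_kernel_pointer(0xdc5a84bf) returns False because the f_inode value in the struct file dump is not even word-aligned; neighbouring fields (f_op, f_path) carry the same kind of value, which is what a stray write over the struct looks like, as opposed to a logic error that leaves a well-formed but wrong pointer.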

This is a memory-corruption (stray write) problem, and it is quite difficult to reproduce.

Reposted from blog.csdn.net/chi_wy/article/details/82349770