1. 使用 ioremap 映射了一块内存,但实际访问的范围超过了映射的大小。
/*
 * Illustrative pseudo-code ("10M" and "20M" are shorthand, not valid C):
 * a 10M window is mapped at physical address 0x80000000, then 20M is
 * cleared through the returned pointer, so the memset runs past the end
 * of the mapping.
 * NOTE(review): the ioremap() result is used without a NULL check, and
 * __iomem pointers are normally written with memset_io() rather than
 * memset() -- confirm against the real driver code.
 */
iomap_address = (void __iomem *)ioremap( 0x80000000, 10M);
memset(iomap_address, 0, 20M); /* length is larger than the 10M mapped above */
申请了10M的虚拟地址,但使用了20M,必然data abort.
从 kernel dump 详细分析:
2.中断处理函数或tasklet中和进程中其他函数共有一个lock
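进程中的函数获得锁后,被中断打断,且中断处理函数中也需要这个 lock,这样就会出现死锁,
如果打开spin lock就会 crash. 避免方法:进程上下文一侧用 spin_lock_irqsave() 持锁(与 tasklet 共用时用 spin_lock_bh()),使持锁期间本 CPU 上的中断/软中断无法打断并再次请求同一把锁。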
/*
 * Excerpt of the code that prints the soft-lockup report: it logs at
 * KERN_EMERG the number of the stuck CPU, the stuck duration, and the
 * name and PID of the task that is current on that CPU.
 */
printk(KERN_EMERG "BUG: soft lockup - CPU#%d stuck for %us! [%s:%d]\n",
smp_processor_id(), duration,
current->comm, task_pid_nr(current));
/* The report becomes a panic only when softlockup_panic is non-zero. */
if (softlockup_panic)
panic("softlockup: hung tasks");
3. memory 释放后又被使用(use-after-free)。下面 dump 中反复出现的 0x6b 是 slab 调试(poison)在释放对象时填入的 POISON_FREE 值,说明被访问的对象已经被释放。
/******************************************************************/
crash> dis -r c02e9a58
0xc02e9a30 <_complete>: mov r12, sp
0xc02e9a34 <_complete+0x4>: push {r4, r5, r6, r7, r8, r10, r11, r12, lr, pc}
0xc02e9a38 <_complete+0x8>: sub r11, r12, #4
0xc02e9a3c <_complete+0xc>: mov r4, r0 [r0 -> r4]
0xc02e9a40 <_complete+0x10>: mov r0, r2
0xc02e9a44 <_complete+0x14>: mov r5, r1 [r1 -> r5]
0xc02e9a48 <_complete+0x18>: mov r7, r3 [r3 -> r7]
0xc02e9a4c <_complete+0x1c>: mov r6, r2 [r2 -> r6]
0xc02e9a50 <_complete+0x20>: bl 0xc02d8584 <dwc_otg_hcd_urb_get_actual_length>
0xc02e9a54 <_complete+0x24>: cmn r7, #75 ; 0x4b
0xc02e9a58 <_complete+0x28>: str r0, [r5, #88] ; 0x58
crash> dis dwc_otg_hcd_urb_get_actual_length
0xc02d8584 <dwc_otg_hcd_urb_get_actual_length>: mov r12, sp
0xc02d8588 <dwc_otg_hcd_urb_get_actual_length+0x4>: push {r11, r12, lr, pc}
0xc02d858c <dwc_otg_hcd_urb_get_actual_length+0x8>: sub r11, r12, #4
0xc02d8590 <dwc_otg_hcd_urb_get_actual_length+0xc>: ldr r0, [r0, #28]
0xc02d8594 <dwc_otg_hcd_urb_get_actual_length+0x10>: ldm sp, {r11, sp, pc}
/*
 * Return the actual_length field of a DWC OTG HCD URB.
 *
 * In the crash analysed on this page the argument is the value that
 * _complete received in r2 (copied to r0 just before the call). The
 * pointer is dereferenced without any check, so the result is whatever
 * the pointed-to memory currently holds.
 */
uint32_t dwc_otg_hcd_urb_get_actual_length(dwc_otg_hcd_urb_t * dwc_otg_urb)
{
	uint32_t transferred = dwc_otg_urb->actual_length;

	return transferred;
}
crash> struct dwc_otg_hcd_urb_t e3c571a0
struct dwc_otg_hcd_urb_t {
priv = 0x6b6b6b6b,
qtd = 0x6b6b6b6b,
buf = 0x6b6b6b6b,
dma = 0x6b6b6b6b,
setup_packet = 0x6b6b6b6b,
setup_dma = 0x6b6b6b6b,
length = 0x6b6b6b6b,
actual_length = 0x6b6b6b6b,
status = 0x6b6b6b6b,
error_count = 0x6b6b6b6b,
packet_count = 0x6b6b6b6b,
flags = 0x6b6b6b6b,
interval = 0x6b6b,
pipe_info = {
dev_addr = 0x6b,
ep_num = 0x6b,
pipe_type = 0x6b,
pipe_dir = 0x6b,
mps = 0x6b6b
},
iso_descs = 0xe3c571d8
}
/*
 * Abridged excerpt of _complete: only the statement that faults is shown
 * (the oops reports the function as 0x1b0 bytes long), which is why no
 * return statement appears here.
 *
 * urb_handle is cast to struct urb * and written through without any
 * validation. In the oops on this page urb_handle (r1, saved in r5) is
 * 0x6b6b6b6b, and the faulting instruction at _complete+0x28 is
 * "str r0, [r5, #88]", so the store to urb->actual_length targets
 * 0x6b6b6b6b + 0x58 = 0x6b6b6bc3, the address in the paging-request message.
 * The dwc_otg_urb object at e3c571a0 (r2/r6) is also filled with 0x6b bytes
 * in the struct dump.
 */
static int _complete(dwc_otg_hcd_t * hcd, void *urb_handle,/* the urb_handle passed in is bad */
dwc_otg_hcd_urb_t * dwc_otg_urb, int32_t status)
{
struct urb *urb = (struct urb *)urb_handle;
/* Faulting store: urb is the 0x6b6b6b6b value taken from urb_handle. */
urb->actual_length = dwc_otg_hcd_urb_get_actual_length(dwc_otg_urb);
}
crash> eval (6b6b6b6b+0x58)
hexadecimal: 6b6b6bc3
[ 606.902950:0] Unable to handle kernel paging request at virtual address 6b6b6bc3
[ 606.902963:1] Indeed it is in host mode hprt0 = 00001101
[ 606.910323:0] pgd = dfe9c000
[ 606.913193:0] [6b6b6bc3] *pgd=b010b831, *pte=00000000, *ppte=00000000
[ 606.919659:0] Internal error: Oops: 817 [#1] PREEMPT SMP ARM
[ 606.925297:0] Modules linked in: galcore memalloc hx280enc hx170dec mali ump
[ 606.932414:0] CPU: 0 Not tainted (3.4.0-g679cc80-dirty #1)
[ 606.938238:0] PC is at _complete+0x28/0x1b0
[ 606.942410:0] LR is at _complete+0x24/0x1b0
[ 606.946580:0] pc : [<c02e9a58>] lr : [<c02e9a54>] psr: 00000193
[ 606.946586:0] sp : dfe99d68 ip : dfe99d68 fp : dfe99d8c
[ 606.958369:0] r10: ee1618c0 r9 : 00000004 r8 : 00000001
[ 606.963747:0] r7 : 6b6b6b6b r6 : e3c571a0 r5 : 6b6b6b6b r4 : ed9f88a0
[ 606.970422:0] r3 : 6b6b6b6b r2 : e3c571a0 r1 : 6b6b6b6b r0 : 6b6b6b6b
[ 606.977100:0] Flags: nzcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
[ 606.984469:0] Control: 10c53c7d Table: a1e9c04a DAC: 00000015