
0. 问题现象
收到研发提供的反馈:服务器打包的 daily 版本刷机后出现 900E 口,出现死机问题。
1. 问题分析
1.1 dmesg_TZ.txt
| [ 51.674148][ T1598] xiaomi_touch_dev_open [ 51.674189][ T1598] xiaomi_touch_dev_ioctl cmd:0, mode:100, value:0 [ 51.674197][ T1598] Unexpected kernel BRK exception at EL1 [ 51.674203][ T1598] Internal error: BRK handler: 00000000f2005512 [#1] PREEMPT SMP [ 51.681890][ T1598] Dumping ftrace buffer: [ 51.686014][ T1598] (ftrace buffer empty) [ 51.690295][ T1598] Modules linked in: wlan(OE) focaltech_spi(OE) nt36xxx_spi(OE) rmnet_wlan(OE) rmnet_shs(OE) rmnet_offload(OE) rmnet_perf(OE) rmnet_perf_tether(OE) rmnet_core(OE) ipanetm(OE) rmnet_ctl(OE) machine_dlkm(OE) msm_kgsl(OE) wcd937x_dlkm(OE) camera(OE) va_macro_dlkm(OE) tx_macro_dlkm(OE) rx_macro_dlkm(OE) wcd938x_dlkm(OE) ipam(OE) hdcp_qseecom_dlkm(OE) msm_drm(OE) swr_ctrl_dlkm(OE) mac80211(E) wcd9xxx_dlkm(OE) bolero_cdc_dlkm(OE) adsp_loader_dlkm(OE) audio_prm_dlkm(OE) audio_pkt_dlkm(OE) pinctrl_lpi_dlkm(OE) coresight_tmc(E) fs15xxx_drv_dlkm(OE) msm_memshare(E) qcom_spmi_adc_tm5(E) spf_core_dlkm(OE) gpr_dlkm(OE) q6_notifier_dlkm(OE) qcedev_mod_dlkm(OE) smcinvoke_dlkm(OE) usb_f_gsi(E) qcom_spmi_adc5(E) usb_f_qdss(E) bt_fm_slim(OE) qcom_q6v5_pas(E) msm_video(OE) qcrypto_msm_dlkm(OE) coresight_tmc_sec(E) wsa881x_analog_dlkm(OE) dwc3_msm(E) icnss2(OE) qcom_q6v5(E) coresight_cti(E) nxp_nci(OE) frpc_adsprpc(OE) qce50_dlkm(OE) wcd937x_slave_dlkm(OE) wcd938x_slave_dlkm(OE) [ 51.690420][ T1598] coresight_hwevent(E) stub_dlkm(OE) xiaomi_tp(OE) audpkt_ion_dlkm(OE) sipa_dlkm(OE) qrng_dlkm(OE) mmrm_test_module(OE) snd_event_dlkm(OE) coresight_stm(E) mtdblock(E) ofpart(E) gsim(OE) qcom_pil_info(E) coresight_funnel(E) sipa_tuning_dlkm(OE) coresight_replicator(E) leds_qti_tri_led(E) chipreg(E) coresight_tpda(E) mtdoops(E) stm_console(E) stm_heartbeat(E) coresight_tpdm(E) fs15xxx_amp_dlkm(OE) cdsp_loader(OE) qcom_lpm(E) tz_log_dlkm(OE) qseecom_dlkm(OE) btpower(OE) qcom_cpufreq_hw_debug(E) cnss_prealloc(OE) rpm_master_stat(E) coresight_remote_etm(E) cnss_utils(OE) leds_qpnp_vibrator_ldo(E) mbhc_dlkm(OE) msm_geni_serial(E) 
qcom_vadc_common(E) icc_test(E) q6_dlkm(OE) qti_qmi_cdev(E) snd_usb_audio_qmi(E) pd_policy_manager(E) usb_f_cdev(E) stm_p_ost(E) wlan_firmware_service(OE) qcom_sysmon(E) rmnet_mem(OE) cnss_nl(OE) wcd_core_dlkm(OE) block2mtd(E) lct_tp(OE) qpnp_pdphy(E) slim_qcom_ngd_ctrl(E) qti_qmi_sensor(E) msm_tsens_driver(E) coresight_tgu(E) msm_mmrm(OE) [ 51.690539][ T1598] swr_dlkm(OE) qcom_pm8008_regulator(E) panel_event_notifier(E) cfg80211(E) q6_pdr_dlkm(OE) lc_charger_sysfs_main(E) regulator_cdev(E) phy_msm_qusb(E) kryo_arm64_edac(E) heap_mem_ext_v01(E) stm_ftrace(E) coresight_dummy(E) pdr_interface(E) qcom_spmi_temp_alarm(E) coresight_csr(E) usbtouchscreen(E) hung_task_enh(E) eud(E) cpu_hotplug(E) qpnp_power_on(E) qcom_pon(E) usb_f_ccid(E) devfreq_vdd_cdev(E) lct_audio_info_dlkm(OE) stub_regulator(E) sps_drv(E) phy_msm_ssusb_qmp(E) f_fs_ipc_log(E) qcom_ramdump(E) rpm_smd_cooling_device(E) rpm_smd_debug(E) mtd_blkdevs(E) usbpd(E) phy_qcom_emu(E) i3c_master_msm_geni(E) qpnp_amoled_regulator(E) i2c_msm_geni(E) fsa4480_i2c(E) mem_offline(E) spmi_pmic_arb_debug(E) msm_performance(E) cx_ipeak_cdev(E) qti_cpufreq_cdev(E) phy_msm_snps_hs(E) leds_qpnp_flash_v2(E) lc_ccsoh(E) qcom_logbuf_vendor_hooks(E) thermal_pause(E) mtd(E) coresight(E) leds_aw2016(E) qcom_logbuf_boot_log(E) spidev(E) mdt_loader(E) stm_core(E) debugcc_blair(E) [ 51.690654][ T1598] qcom_qpnp_qg(E) phy_msm_qusb_v2(E) cp_qc30(E) pwm_qti_lpg(E) phy_qcom_ufs_qmp_v4(E) bq25960_charger(E) memlat(E) qti_devfreq_cdev(E) qfprom_sys(E) bcl_pmic5(E) boot_stats(E) qpnp_smb5_main(E) bwmon(E) bcl_soc(E) bq25960h_charger(E) ehset(E) sc853x_charger(E) smsm(E) reboot_mode(E) spi_msm_geni(E) qcom_iommu_debug(E) mem_hooks(E) xiaomi_fingerprint(E) rtc_pm8xxx(E) refgen(E) sg(E) pm8941_pwrkey(E) rq_stats(E) phy_generic(E) core_hang_detect(E) msm_sharedmem(E) cdsprm(E) qpnp_lcdb_regulator(E) qcom_va_minidump(E) rdbg(E) msm_gpi(E) qmi_helpers(E) qcom_stats(E) debugcc_holi(E) gpucc_holi(E) gpucc_blair(E) clk_rpmh(E) bam_dma(E) 
msm_sysstats(E) hci_uart hidp btsdio btqca rfcomm r8153_ecm l2tp_ppp btbcm cdc_ncm aqc111 diag asix ax88179_178a mac802154 r8152 ieee802154_socket nfc can_bcm cdc_ether ieee802154_6lowpan cdc_eem can_gw nhc_udp ieee802154 tipc bluetooth nhc_routing pptp vcan slcan l2tp_core nhc_ipv6 8021q ftdi_sio usbnet cdc_acm rfkill usbserial [ 51.690816][ T1598] nhc_fragment nhc_dest nhc_mobility can_raw nhc_hop mii rtl8150 wwan zram can 6lowpan bsd_comp pppox kheaders can_dev ppp_mppe ppp_deflate libarc4 ppp_generic zsmalloc slhc gzvm glink_probe(E) rproc_qcom_common(E) glink_pkt(E) mi_memory(E) qrtr_smd(E) qcom_glink_spss(E) rpmhpd(E) qcom_glink_rpm(E) qcom_glink_smem(E) ufs_qcom(E) sdhci_msm(E) qcom_glink(E) qcom_rpmh(E) qrtr(E) msm_qmp(E) smp2p(E) qcom_soc_wdt(E) qcom_ipc_logging(E) swinfo(OE) memory_dump_v2(E) dcc_v2(E) qcom_wdt_core(E) qcom_dload_mode(E) minidump(E) qcom_dma_heaps(E) qnoc_holi(E) gcc_holi(E) gcc_blair(E) clk_smd_rpm(E) qnoc_blair(E) dispcc_blair(E) dispcc_holi(E) mem_buf(E) clk_dummy(E) mem_buf_dev(E) clk_qcom(E) icc_rpm(E) arm_smmu(E) cqhci(E) pinctrl_blair(E) socinfo(E) rpm_smd_regulator(E) ufshcd_crypto_qti(E) pinctrl_holi(E) smem(E) rpm_smd(E) crypto_qti(E) qcom_iommu_util(E) pinctrl_msm(E) sched_walt(E) secure_buffer(E) qcom_i2c_pmic(E) qcom_pmu_lib(E) gdsc_regulator(E) qcom_spmi_pmic(E) [ 51.690968][ T1598] qti_fixed_regulator(E) phy_qcom_ufs_qmp_v4_blair(E) phy_qcom_ufs_qrbtc_sdm845(E) phy_qcom_ufs_qmp_v3(E) wifi_ant_check(OE) slimbus(E) debug_regulator(E) qcom_mpm(E) qcom_scm(E) qcom_llcc_pmu(E) sdhci_msm_scaling(E) qcom_cpufreq_hw(E) spmi_pmic_arb(E) qti_regmap_debugfs(E) simtray(E) iommu_logger(E) icc_debug(E) proxy_consumer(E) qcom_dcvs(E) tms_device_modules(E) hwkm_v1(E) qcom_ipcc(E) qcom_hwspinlock(E) qnoc_qos_rpm(E) smp2p_sleepstate(E) phy_qcom_ufs(E) debug_symbol(E) cmd_db(E) pinctrl_spmi_mpp(E) nvmem_qfprom(E) pinctrl_spmi_gpio(E) goodix_fp(E) msm_dma_iommu_mapping(E) qcom_cpu_vendor_hooks(E) nvmem_qcom_spmi_sdam(E) msm_poweroff(E) 
msm_show_resume_irq(E) clk_spmi_pmic_div(E) irq_qcom_mpm(E) [ 51.691054][ T1598] CPU: 4 PID: 1598 Comm: binder:1581_1 Tainted: G OE 6.1.90-android14-11-g6f645aac9706-ab12424481 #1 [ 51.691062][ T1598] Hardware name: Qualcomm Technologies, Inc. Spring QRD (DT) [ 51.691066][ T1598] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 51.691073][ T1598] pc : fts_set_cur_value+0x270/0x278 [focaltech_spi] [ 51.691146][ T1598] lr : xiaomi_touch_dev_ioctl+0x1e0/0x498 [xiaomi_tp] [ 51.691165][ T1598] sp : ffffffc011783970 [ 51.691168][ T1598] x29: ffffffc011783d80 x28: ffffff8059f1b840 x27: ffffff805966c800 [ 51.691177][ T1598] x26: 0000007ffffffc01 x25: 00006f5e50e46800 x24: ffffff8059f1b840 [ 51.691185][ T1598] x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000005400 [ 51.691192][ T1598] x20: 0000006f5e50e468 x19: ffffffc002438090 x18: ffffffc0112f6038 [ 51.691200][ T1598] x17: 0000000056e5b5a5 x16: 0000000056e5b5a5 x15: 0000000000000004 [ 51.691208][ T1598] x14: ffffff82f1e10000 x13: 000000000000ffff x12: 0000000000000003 [ 51.691216][ T1598] x11: 0000000000000040 x10: ffffffc002434370 x9 : ffffffc002436168 [ 51.691223][ T1598] x8 : ffffffc002eb7928 x7 : 7665645f6863756f x6 : 745f696d6f616978 [ 51.691231][ T1598] x5 : ffffffc00a1c8887 x4 : ffffff82f25e73cf x3 : 0000000000000000 [ 51.691238][ T1598] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000064 [ 51.691246][ T1598] Call trace: [ 51.691251][ T1598] fts_set_cur_value+0x270/0x278 [focaltech_spi] [ 51.691310][ T1598] __arm64_sys_ioctl+0xa8/0xe4 [ 51.691324][ T1598] invoke_syscall+0x58/0x11c [ 51.691333][ T1598] el0_svc_common+0xb4/0xf4 [ 51.691339][ T1598] do_el0_svc+0x2c/0xb0 [ 51.691345][ T1598] el0_svc+0x2c/0x90 [ 51.691353][ T1598] el0t_64_sync_handler+0x68/0xb4 [ 51.691359][ T1598] el0t_64_sync+0x1a4/0x1a8 [ 51.691369][ T1598] Code: 2a1503e2 2a1603e3 958482f8 17ffffee (d42aa240) [ 51.698178][ T1598] ---[ end trace 0000000000000000 ]---
|
从 calltrace 来看,死在了 fts_set_cur_value+0x270 的地方;lr 为 xiaomi_touch_dev_ioctl,栈回溯来自 __arm64_sys_ioctl,即该路径由用户态 ioctl 触发。异常类型是 BRK(ESR 0xf2005512),属于编译器插入的检查陷阱而不是普通的非法地址访问,BRK 立即数 0x5512 通常对应 UBSAN 的数组越界检查。
1.2 trace32恢复现场


从现场我们可以看到 fts_mode=100(与日志中 ioctl 打印的 mode:100 一致),而此时 touch_mode 作为 xiaomi_touch_interfaces 的成员,在定义时已经限制了数组的最大值为 Touch_Mode_NUM。查看定义此变量为 15,所以这是一个很明显的数组越界导致的踩内存问题:mode 值直接来自用户态 ioctl 参数,在用它索引 touch_mode 之前没有做 mode < Touch_Mode_NUM 的范围校验。修复时应在 ioctl 入口或 fts_set_cur_value 内对 mode 做边界检查,对非法值直接返回错误而不是继续索引数组。