Closed
luyanci pushed a commit that referenced this pull request Mar 14, 2026
It is possible for some commands to be sent where the header is NULL during blank/unblank events, and/or when brightness is set to zero.

[ 37.905330] mdss_dsi_dcs_swrite1: dp=00000000bc7fee96 hdr=00000000678040ab dlen=2 payload=000000008ade2ece
...
[ 52.131327] mdss_dsi_dcs_swrite1: dp=00000000bc7fee96 hdr= (null) dlen=2 payload=00000000b02c1877
[ 52.188132] ------------[ cut here ]------------
[ 52.188147] Kernel BUG at mdss_dsi_cmd_dma_add+0x188/0x838 [verbose debug info unavailable]
[ 52.188150] Internal error: Accessing user space memory outside uaccess.h routines: 96000045 [#1] PREEMPT SMP
[ 52.188155] Modules linked in:
[ 52.188162] CPU: 2 PID: 2861 Comm: HwBinder:591_3 Tainted: G W 4.9.337-lineageos-gbc3abbf28e31-dirty #27
[ 52.188163] Hardware name: Qualcomm Technologies, Inc. MSM8976v1.1 QRD SKUN (DT)
[ 52.188166] task: 00000000c41d84c6 task.stack: 00000000ed979e59
[ 52.188170] PC is at mdss_dsi_cmd_dma_add+0x188/0x838
[ 52.188173] LR is at mdss_dsi_cmds_tx+0x140/0x39c
[ 52.188175] pc : [<ffffff8008529694>] lr : [<ffffff8008526ae4>] pstate: 80400145
[ 52.188176] sp : ffffffc04ab1b800
[ 52.188180] x29: ffffffc04ab1b800 x28: 0000000000000001
[ 52.188183] x27: ffffffc04bd0da00 x26: ffffffc0ec70ed20
[ 52.188186] x25: 0000000000000000 x24: ffffffc0ec70ede8
[ 52.188189] x23: 0000000000000000 x22: 0000000000000001
[ 52.188192] x21: 00000000000003e8 x20: ffffff8009e8c768
[ 52.188195] x19: ffffffc0ec70ede8 x18: 0000000000000000
[ 52.188198] x17: ffffffc0a78dd890 x16: ffffffc04ab1b828
[ 52.188201] x15: 00000000fffffff8 x14: ffffffc04ab1b8a0
[ 52.188203] x13: 00000000ffffffff x12: 000000000000f8dd
[ 52.188206] x11: 000000000000004b x10: ffffff800852967c
[ 52.188209] x9 : 0000000000000004 x8 : 0000000000000000
[ 52.188212] x7 : 0000000000000001 x6 : 00000000ffffffff
[ 52.188214] x5 : 0000000000000000 x4 : 0000000000000000
[ 52.188217] x3 : 0000000000000000 x2 : 0000000000000001
[ 52.188220] x1 : ffffff8009e8c768 x0 : 0000000000000000
[ 52.188224]
[ 52.188224] PC: mdss_dsi_cmd_dma_add+0x148/0x838:
[ 52.188238] 9654 39400a89 330a052a b900010a 3940068a 3400256a 12000529 52b0004a 530a2529
[ 52.188247] 9674 2a0a0129 14000125 f9400688 b40027c8 f9401268 91001109 f9000268 f9001269
[ 52.188256] 9694 b900011f 39400a89 12000529 530a2529 b9000109 39400e8a 3400006a 32030129
[ 52.188265] 96b4 b9000109 3940068a 3201012b 7100015f 52a000aa 1a8b0129 2a0a0129 14000013
[ 52.188268]
[ 52.188268] LR: mdss_dsi_cmds_tx+0x100/0x39c:
[ 52.188278] 6aa4 12800008 f90003f9 b9000be8 14000008 aa1803e0 94000a5f 2a1f03e1 510006d6
[ 52.188287] 6ac4 0b170397 91004294 34000d96 aa1803e0 94000a40 aa1803e0 aa1403e1 94000a8b
[ 52.188296] 6ae4 34000ba0 2a0003fc 39400688 34000148 b947ee68 f946ee69 7100051f f906fa69
[ 52.188305] 6b04 54000060 395fa268 370800a8 52800039 14000023 2a1c03e1 17ffffe9 aa1303e0
[ 52.188308]
[ 52.188308] SP: 0xffffffc04ab1b7c0:
[ 52.188317] b7c0 08526ae4 ffffff80 4ab1b800 ffffffc0 08529694 ffffff80 80400145 00000000
[ 52.188326] b7e0 4ab1b860 ffffffc0 0851bea4 ffffff80 ffffffff 0000007f 097c18f5 ffffff80
[ 52.188335] b800 4ab1b840 ffffffc0 08526ae4 ffffff80 000003e8 00000000 00000000 00000000
[ 52.188343] b820 09e8c768 ffffff80 ec70e018 ffffffc0 00000000 00000000 ffffffff 00000000
[ 52.188347] Process HwBinder:591_3 (pid: 2861, stack limit = 0x00000000ed979e59)
[ 52.188349] Call trace:
[ 52.188352] Exception stack(0xffffffc04ab1b6a0 to 0xffffffc04ab1b7d0)
[ 52.188357] b6a0: 0000000080400145 ffffff8009245efc ffffff8008529694 00000000120aa000
[ 52.188360] b6c0: 0000007fffffffff ffffffc0ec70ede8 0000000000000000 ffffff8009e8c768
[ 52.188364] b6e0: 0000000000000001 0000000000000000 0000000000000000 0000000000000000
[ 52.188367] b700: 00000000ffffffff 0000000000000001 0000000000000000 0000000000000004
[ 52.188370] b720: ffffff800852967c 000000000000004b 000000000000f8dd 00000000ffffffff
[ 52.188374] b740: ffffffc04ab1b8a0 00000000fffffff8 ffffffc04ab1b828 ffffffc0a78dd890
[ 52.188377] b760: 0000000000000000 ffffffc0ec70ede8 ffffff8009e8c768 00000000000003e8
[ 52.188381] b780: 0000000000000001 0000000000000000 ffffffc0ec70ede8 0000000000000000
[ 52.188384] b7a0: ffffffc0ec70ed20 ffffffc04bd0da00 0000000000000001 ffffffc04ab1b800
[ 52.188386] b7c0: ffffff8008526ae4 ffffffc04ab1b800
[ 52.188391] [<00000000b6235ac4>] mdss_dsi_cmd_dma_add+0x188/0x838
[ 52.188394] [<0000000086dca0df>] mdss_dsi_cmds_tx+0x140/0x39c
[ 52.188398] [<00000000e4e3f4d1>] mdss_dsi_cmdlist_commit+0x410/0x6a8
[ 52.188401] [<0000000072815bd7>] mdss_dsi_cmdlist_put+0xe0/0x118
[ 52.188405] [<00000000a7dd4077>] mdss_dsi_set_tear_off+0x4c/0x70
[ 52.188408] [<0000000051772a49>] mdss_dsi_blank+0x138/0x310
[ 52.188411] [<000000000b340ddf>] mdss_dsi_event_handler+0x14c/0x914
[ 52.188416] [<00000000d47f19e0>] mdss_mdp_ctl_intf_event+0x4c/0xb4
[ 52.188421] [<00000000e2769e6a>] mdss_mdp_cmd_stop+0x178/0x348
[ 52.188424] [<00000000cc7fe547>] mdss_mdp_ctl_stop+0x88/0x3b4
[ 52.188427] [<00000000d9327555>] mdss_mdp_overlay_off+0x504/0x62c
[ 52.188432] [<00000000173e5ae9>] mdss_fb_blank_blank+0xe0/0x190
[ 52.188435] [<00000000acfc8d3d>] mdss_fb_blank_sub+0x194/0x2c4
[ 52.188439] [<000000009e4c5817>] mdss_fb_blank+0x108/0x190
[ 52.188444] [<000000002b36d9fd>] do_fb_ioctl+0x558/0x704
[ 52.188448] [<000000001d284a68>] fb_ioctl+0x44/0x4c
[ 52.188453] [<00000000d620f401>] do_vfs_ioctl+0x7b8/0xbe4
[ 52.188456] [<00000000339abbc7>] SyS_ioctl+0x88/0x94
[ 52.188462] [<0000000083e5becd>] el0_svc_naked+0x34/0x38
[ 52.188468] Code: f9401268 91001109 f9000268 f9001269 (b900011f)
[ 52.188472] ---[ end trace ba68f9297f199a4f ]---

Cancel preparation before BUG is triggered to prevent kernel panic.

Change-Id: Ie0d54a29ad9b4d032d64c48b4aa3ec492fe8e1cf
Signed-off-by: Ricky Cheung <[email protected]>
xwdy114514 pushed a commit to xwdy114514/android_kernel_oppo_msm8937 that referenced this pull request Mar 16, 2026
[ 21.335974] ------------[ cut here ]------------
[ 21.335997] Kernel BUG at msm_flash_i2c_init+0xac/0x494 [verbose debug info unavailable]
[ 21.336002] Internal error: Accessing user space memory outside uaccess.h routines: 96000005 [#1] PREEMPT SMP
[ 21.336007] Modules linked in:
[ 21.336017] CPU: 1 PID: 1411 Comm: CAM_sensor Tainted: G W 4.9.337-lineageos-ge38410289cd1-dirty #13
[ 21.336021] Hardware name: Qualcomm Technologies, Inc. MSM8953 + PMI8950 MTP (DT)
[ 21.336026] task: 0000000063307f08 task.stack: 000000009436bc94
[ 21.336031] PC is at msm_flash_i2c_init+0xac/0x494
[ 21.336036] LR is at msm_flash_i2c_init+0x308/0x494
[ 21.336040] pc : [<ffffff8008eea6c8>] lr : [<ffffff8008eea924>] pstate: 60400145
[ 21.336043] sp : ffffffc0ac773bb0
[ 21.336046] x29: ffffffc0ac773bb0 x28: 00000000e9f50d0c
[ 21.336052] x27: 0000000000000000 x26: ffffff8008eeb4a8
[ 21.336058] x25: 0000000000000000 x24: ffffffc0ac6f6100
[ 21.336064] x23: ffffffc0b31e4b00 x22: ffffffc0ac773c98
[ 21.336070] x21: ffffffc0db9f2800 x20: ffffffc0ac773cd0
[ 21.336076] x19: ffffffc0e9715000 x18: 0000000000000000
[ 21.336081] x17: 0000000000000000 x16: 000000008f100000
[ 21.336087] x15: 0000000100000000 x14: 0000000000000000
[ 21.336093] x13: 0000000000000001 x12: 0000000000000008
[ 21.336099] x11: ffffffc0e97158b8 x10: 0000000000000003
[ 21.336105] x9 : ffffffc0e9032a00 x8 : 00000000f3543790
[ 21.336111] x7 : 0000000000000000 x6 : ffffffc0db9f2d50
[ 21.336117] x5 : ffffffc0db9f2d50 x4 : 0000000000000003
[ 21.336122] x3 : 0000000000000003 x2 : 0000000000000003
[ 21.336128] x1 : ffffffc0db9f2aa8 x0 : ffffffc0e97157e8
[ 21.336137]
[ 21.336137] PC: msm_flash_i2c_init+0x6c/0x494:
[ 21.336141] a688 52813c02 97d5d77d b5002040 b942e268 7100051f 540001a1 b94006c8 5280006a
[ 21.336162] a6a8 f9400a69 53017d08 b9001d2a 79002928 b9400ac8 b9000d28 f9401288 f9400d08
[ 21.336183] a6c8 b9406508 b9002268 910be262 911fa268 794fc263 7959a269 f940e660 f900d262
[ 21.336203] a6e8 b941d261 f900da68 79035263 79037269 97ffc1dd 36f80100 2a0003e3 f0003ac0
[ 21.336222]
[ 21.336222] LR: msm_flash_i2c_init+0x2c8/0x494:
[ 21.336226] a8e4 f9066668 f903ee69 34000603 7100307f 540005c8 51003488 3100351f 54000569
[ 21.336247] a904 910be260 aa1503e1 2a0303e2 9400010e 911fa260 910aa2a1 7959a262 9400010a
[ 21.336271] a924 17ffff5c 52813c02 cb0202a8 2a1f03e1 91278100 97d5db12 f0004901 91367821
[ 21.336291] a944 d0004340 910e0000 528020e2 aa0103e3 528020e4 17ffffbd f0004901 91367821
[ 21.336312]
[ 21.336312] SP: 0xffffffc0ac773b70:
[ 21.336316] 3b70 08eea924 ffffff80 ac773bb0 ffffffc0 08eea6c8 ffffff80 60400145 00000000
[ 21.336336] 3b90 ac773c98 ffffffc0 c02856cd 00000000 ffffffff 0000007f e9715000 ffffffc0
[ 21.336355] 3bb0 ac773bf0 ffffffc0 08eea5d4 ffffff80 ac773ce0 ffffffc0 082391c8 ffffff80
[ 21.336374] 3bd0 ac773d68 ffffffc0 c02856cd 00000000 ac773cd0 ffffffc0 e9715000 ffffffc0
[ 21.336395] Process CAM_sensor (pid: 1411, stack limit = 0x000000009436bc94)
[ 21.336399] Call trace:
[ 21.336404] Exception stack(0xffffffc0ac773a50 to 0xffffffc0ac773b80)
[ 21.336409] 3a40: 0000000060400145 00000000000000d8
[ 21.336414] 3a60: ffffff8008eea6c8 00000000123a9000 0000007fffffffff ffffffc0e9715000
[ 21.336419] 3a80: ffffffc0e97157e8 ffffffc0db9f2aa8 0000000000000003 0000000000000003
[ 21.336424] 3aa0: 0000000000000003 ffffffc0db9f2d50 ffffffc0db9f2d50 0000000000000000
[ 21.336428] 3ac0: 00000000f3543790 ffffffc0e9032a00 0000000000000003 ffffffc0e97158b8
[ 21.336433] 3ae0: 0000000000000008 0000000000000001 0000000000000000 0000000100000000
[ 21.336438] 3b00: 000000008f100000 0000000000000000 0000000000000000 ffffffc0e9715000
[ 21.336443] 3b20: ffffffc0ac773cd0 ffffffc0db9f2800 ffffffc0ac773c98 ffffffc0b31e4b00
[ 21.336447] 3b40: ffffffc0ac6f6100 0000000000000000 ffffff8008eeb4a8 0000000000000000
[ 21.336452] 3b60: 00000000e9f50d0c ffffffc0ac773bb0 ffffff8008eea924 ffffffc0ac773bb0
[ 21.336458] [<00000000934963f9>] msm_flash_i2c_init+0xac/0x494
[ 21.336463] [<0000000042f1a990>] msm_flash_init+0x1a8/0x1f0
[ 21.336468] [<000000009265581a>] msm_flash_subdev_ioctl+0x2c0/0x334
[ 21.336474] [<00000000e98a9b0e>] msm_flash_subdev_do_ioctl+0x184/0x220
[ 21.336482] [<0000000052dbfdd7>] video_usercopy+0x27c/0x634
[ 21.336487] [<000000006b8da8fe>] msm_flash_subdev_fops_ioctl+0x14/0x1c
[ 21.336494] [<0000000011fbe704>] v4l2_compat_ioctl32+0x78/0x90
[ 21.336501] [<000000005766beda>] compat_SyS_ioctl+0x128/0x230
[ 21.336507] [<00000000bab7dc49>] el0_svc_naked+0x34/0x38
[ 21.336516] Code: b9400ac8 b9000d28 f9401288 f9400d08 (b9406508)
[ 21.336521] ---[ end trace a320582449fee65f ]---

Change-Id: I87cce0d63b8b8afe5448df638cf42366207696c0
xwdy114514 pushed a commit to xwdy114514/android_kernel_oppo_msm8937 that referenced this pull request Mar 16, 2026
The QPNP regulator doesn't go well with current SW specified 1.165V max voltage and causes kernel panic while getting voltage:

[ 0.214373] pm8004_s5: Bringing 1180000uV into 1165000-1165000uV
[ 0.214410] Unable to handle kernel NULL pointer dereference at virtual address 000003e8
[ 0.214420] pgd = ffffff8009c40000
[ 0.214427] [000003e8] *pgd=00000000d5ffe003, *pud=00000000d5ffe003, *pmd=0000000000000000
[ 0.214517] ------------[ cut here ]------------
[ 0.214525] Kernel BUG at ffffff80085782b4 [verbose debug info unavailable]
[ 0.214534] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[ 0.214583] Workqueue: events_unbound async_run_entry_fn
[ 0.214594] task: ffffffc08f354600 task.stack: ffffffc08f37c000
[ 0.214607] PC is at rdev_get_drvdata+0x0/0x8
[ 0.214619] LR is at qpnp_regulator_common_get_voltage+0xc/0xa8

Adjusting it to 1.18V [HW configured?] solves the issue.

Change-Id: Ib0a5b46f313c99e5e6d9d484ff691a82d47835b0
Signed-off-by: Chippa-a <[email protected]>
luyanci pushed a commit that referenced this pull request Mar 22, 2026
commit 050fad7c4534c13c8eb1d9c2ba66012e014773cb upstream.

Recently during testing, I ran into the following panic:

[ 207.892422] Internal error: Accessing user space memory outside uaccess.h routines: 96000004 [#1] SMP
[ 207.901637] Modules linked in: binfmt_misc [...]
[ 207.966530] CPU: 45 PID: 2256 Comm: test_verifier Tainted: G W 4.17.0-rc3+ #7
[ 207.974956] Hardware name: FOXCONN R2-1221R-A4/C2U4N_MB, BIOS G31FB18A 03/31/2017
[ 207.982428] pstate: 60400005 (nZCv daif +PAN -UAO)
[ 207.987214] pc : bpf_skb_load_helper_8_no_cache+0x34/0xc0
[ 207.992603] lr : 0xffff000000bdb754
[ 207.996080] sp : ffff000013703ca0
[ 207.999384] x29: ffff000013703ca0 x28: 0000000000000001
[ 208.004688] x27: 0000000000000001 x26: 0000000000000000
[ 208.009992] x25: ffff000013703ce0 x24: ffff800fb4afcb00
[ 208.015295] x23: ffff00007d2f5038 x22: ffff00007d2f5000
[ 208.020599] x21: fffffffffeff2a6f x20: 000000000000000a
[ 208.025903] x19: ffff000009578000 x18: 0000000000000a03
[ 208.031206] x17: 0000000000000000 x16: 0000000000000000
[ 208.036510] x15: 0000ffff9de83000 x14: 0000000000000000
[ 208.041813] x13: 0000000000000000 x12: 0000000000000000
[ 208.047116] x11: 0000000000000001 x10: ffff0000089e7f18
[ 208.052419] x9 : fffffffffeff2a6f x8 : 0000000000000000
[ 208.057723] x7 : 000000000000000a x6 : 00280c6160000000
[ 208.063026] x5 : 0000000000000018 x4 : 0000000000007db6
[ 208.068329] x3 : 000000000008647a x2 : 19868179b1484500
[ 208.073632] x1 : 0000000000000000 x0 : ffff000009578c08
[ 208.078938] Process test_verifier (pid: 2256, stack limit = 0x0000000049ca7974)
[ 208.086235] Call trace:
[ 208.088672] bpf_skb_load_helper_8_no_cache+0x34/0xc0
[ 208.093713] 0xffff000000bdb754
[ 208.096845] bpf_test_run+0x78/0xf8
[ 208.100324] bpf_prog_test_run_skb+0x148/0x230
[ 208.104758] sys_bpf+0x314/0x1198
[ 208.108064] el0_svc_naked+0x30/0x34
[ 208.111632] Code: 91302260 f9400001 f9001fa1 d2800001 (29500680)
[ 208.117717] ---[ end trace 263cb8a59b5bf29f ]---

The program itself which caused this had a long jump over the whole instruction sequence where all of the inner instructions required heavy expansions into multiple BPF instructions. Additionally, I also had BPF hardening enabled which requires once more rewrites of all constant values in order to blind them. Each time we rewrite insns, bpf_adj_branches() would need to potentially adjust branch targets which cross the patchlet boundary to accommodate for the additional delta. Eventually that led to the case where the target offset could not fit into insn->off's upper 0x7fff limit anymore where then offset wraps around becoming negative (in s16 universe), or vice versa depending on the jump direction.

Therefore it becomes necessary to detect and reject any such occasions in a generic way for native eBPF and cBPF to eBPF migrations. For the latter we can simply check bounds in the bpf_convert_filter()'s BPF_EMIT_JMP helper macro and bail out once we surpass limits. The bpf_patch_insn_single() for native eBPF (and cBPF to eBPF in case of subsequent hardening) is a bit more complex in that we need to detect such truncations before hitting the bpf_prog_realloc(). Thus the latter is split into an extra pass to probe problematic offsets on the original program in order to fail early.

With that in place and carefully tested I no longer hit the panic and the rewrites are rejected properly. The above example panic I've seen on bpf-next, though the issue itself is generic in that a guard against this issue in bpf seems more appropriate in this case.

Change-Id: Icc4913ebc3949ab2de3f28f1637cbcc3fec090c8
Signed-off-by: Daniel Borkmann <[email protected]>
Acked-by: Martin KaFai Lau <[email protected]>
Signed-off-by: Alexei Starovoitov <[email protected]>
[ab: Dropped BPF_PSEUDO_CALL hardening, introduced in 4.16]
Signed-off-by: Alessio Balsini <[email protected]>
Acked-by: Thadeu Lima de Souza Cascardo <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit 6824208b59a4727b8a8653f83d8e685584d04606)
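The probe-then-commit idea described in the commit message above, as an added example that is neither the kernel's code nor part of the original commit. It is a simplified C model: `struct insn`, `adjusted_off`, `probe_branches` and `patch_branches` are hypothetical names, and only the offset bookkeeping is modelled (the instruction array itself is not grown).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified instruction model: a jump at index i targets i + off + 1. */
struct insn { int is_jmp; int16_t off; };

/* Offset the jump at curr needs after insn pos grows by delta; 64-bit math. */
static int64_t adjusted_off(const struct insn *in, uint32_t curr,
                            uint32_t pos, uint32_t delta)
{
    int64_t off = in->off, target = (int64_t)curr + off + 1;

    if (curr < pos && target > pos)
        off += delta;           /* forward jump over the patchlet */
    else if (curr > pos && target <= pos)
        off -= delta;           /* backward jump over the patchlet */
    return off;
}

/* Probe pass on the unpatched program: reject before modifying anything. */
static int probe_branches(const struct insn *prog, uint32_t len, uint32_t pos, uint32_t delta)
{
    for (uint32_t i = 0; i < len; i++) {
        if (!prog[i].is_jmp || i == pos)
            continue;
        int64_t off = adjusted_off(&prog[i], i, pos, delta);
        if (off < INT16_MIN || off > INT16_MAX)
            return -ERANGE;     /* would wrap in the 16-bit off field */
    }
    return 0;
}

/* Commit new offsets only if the probe pass found every one in range. */
static int patch_branches(struct insn *prog, uint32_t len, uint32_t pos, uint32_t delta)
{
    int err = probe_branches(prog, len, pos, delta);
    for (uint32_t i = 0; !err && i < len; i++)
        if (prog[i].is_jmp && i != pos)
            prog[i].off = (int16_t)adjusted_off(&prog[i], i, pos, delta);
    return err;
}

int main(void)
{
    /* Constructed input: a jump at index 0, one short of the s16 limit. */
    static struct insn prog[32769] = { [0] = { 1, 32766 } };
    int r1 = patch_branches(prog, 32769, 5, 1);  /* off becomes 32767 */
    int r2 = patch_branches(prog, 32769, 5, 1);  /* 32768 does not fit */
    printf("first=%d second=%d off=%d\n", r1, r2, prog[0].off);
    return 0;
}
```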
No description provided.