OpenWrt/LEDE Project

  • Status: Assigned
  • Percent Complete: 0%
  • Task Type: Bug Report
  • Category: Kernel
  • Assigned To: Petr Štetiar
  • Operating System: All
  • Severity: Low
  • Priority: Very Low
  • Reported Version: Trunk
  • Due in Version: Undecided
  • Due Date: Undecided
Attached to Project: OpenWrt/LEDE Project
Opened by Vadzim Dambrouski - 31.05.2019

FS#2305 - mt76: kernel panic when using mkfs.ext2 on usb drive.

Device: MT7621 Xiaomi Mi Router 3G
Version: OpenWrt SNAPSHOT, r10114+2-a1210f8
Steps to reproduce:
Run

mkfs.ext2 -L data /dev/sda2

Can reproduce consistently. The hard drive is powered from an external power supply so it’s not an electrical issue.

<0>[  608.342771] usercopy: kernel memory exposure attempt detected from c0d173c1 (kmalloc-256) (71 bytes)
<4>[  608.352010] Kernel bug detected[#1]:
<4>[  608.355602] CPU: 0 PID: 2505 Comm: dropbear Not tainted 4.14.121 #0
<4>[  608.361842] task: 8fdeea40 task.stack: 8b21a000
<4>[  608.366346] $ 0   : 00000000 00000001 00000058 00000000
<4>[  608.371558] $ 4   : 8121133c 8121133c 81215e78 00006990
<4>[  608.376766] $ 8   : 00000000 0000015b 00000007 00000000
<4>[  608.381975] $12   : 00000000 80590000 00053af3 00000000
<4>[  608.387183] $16   : c0d173c1 00000047 00000001 c0d17408
<4>[  608.392392] $20   : 8dbbfe00 8b21be3c 8b21bdf0 c0d17000
<4>[  608.397601] $24   : 00000003 802a2780                  
<4>[  608.402810] $28   : 8b21a000 8b21bd38 006b1029 80115df0
<4>[  608.408019] Hi    : 00000124
<4>[  608.410880] Lo    : 74e58000
<4>[  608.413763] epc   : 80115df0 __check_object_size+0x1b0/0x1e0
<4>[  608.419395] ra    : 80115df0 __check_object_size+0x1b0/0x1e0
<4>[  608.425022] Status: 11008403	KERNEL EXL IE 
<4>[  608.429192] Cause : 50800024 (ExcCode 09)
<4>[  608.433179] PrId  : 0001992f (MIPS 1004Kc)
<4>[  608.437250] Modules linked in: pppoe ppp_async pppox ppp_generic nf_conntrack_ipv6 mt76x2e mt76x2_common mt76x02_lib mt7603e mt76 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_state xt_nat xt_multiport xt_mark xt_mac xt_limit xt_conntrack xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_FLOWOFFLOAD slhc nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack iptable_mangle iptable_filter ip_tables crc_ccitt compat fuse ledtrig_usbport nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 nfsv4 nfsd nfs rpcsec_gss_krb5 auth_rpcgss oid_registry tun loop vfat fat lockd sunrpc grace dns_resolver
<4>[  608.508454]  dm_mirror dm_region_hash dm_log dm_crypt dm_mod dax nls_utf8 nls_iso8859_1 nls_cp437 sha1_generic md5 hmac ecb des_generic cts cbc usb_storage leds_gpio xhci_plat_hcd xhci_pci xhci_mtk xhci_hcd sd_mod scsi_mod gpio_button_hotplug ext4 mbcache jbd2 usbcore nls_base usb_common crc32c_generic
<4>[  608.535207] Process dropbear (pid: 2505, threadinfo=8b21a000, task=8fdeea40, tls=77fd2eb8)
<4>[  608.543426] Stack : 00000000 80522e50 80517aa4 c0d173c1 80521640 00000047 00000000 00000047
<4>[  608.551758]         c0d173c1 c0d17000 000013c6 80292008 7fa9f4fc 7fa9f47c 00000000 00000000
<4>[  608.560089]         8dbbfe00 c0d17000 7fffffff 006b1029 00010000 00000000 00000000 c0d17000
<4>[  608.568421]         8dbbfe68 80294e84 8b21bdb8 8b21bdbc 8b21bdc0 8b21bdc4 00000001 00000000
<4>[  608.576752]         006b102b 006b102a 8dbbff74 0000137f c0d19258 00000000 00000000 8b21bea0
<4>[  608.585084]         ...
<4>[  608.587519] Call Trace:
<4>[  608.589961] [<80115df0>] __check_object_size+0x1b0/0x1e0
<4>[  608.595268] [<80292008>] copy_from_read_buf+0x90/0x1b0
<4>[  608.600384] [<80294e84>] n_tty_read+0x6f4/0x8b4
<4>[  608.604895] [<8028dd78>] tty_read+0xac/0x11c
<4>[  608.609153] [<8011a89c>] __vfs_read+0x28/0x158
<4>[  608.613576] [<8011aa9c>] vfs_read+0xd0/0x17c
<4>[  608.617828] [<8011b01c>] SyS_read+0x58/0xc4
<4>[  608.622004] [<80019578>] syscall_common+0x34/0x58
<4>[  608.626690] Code: 02003825  0c01d530  24842e5c <000c000d> 8fb30028  8fb20024  8fb10020  8fb0001c  03e00008 
<4>[  608.636415] 
<4>[  608.638435] ---[ end trace 1fd93e66459e17ad ]---
Vadzim Dambrouski commented on 01.06.2019 06:19

mkfs.ext2 is just a reliable way to reproduce the problem. I can get the same crash when doing normal disk activity like copying files, but it's much more random.

Admin
Petr Štetiar commented on 02.06.2019 13:06

I've just tried it with a 16GB USB flash disk and I'm not able to reproduce it on my mt7620 device (I don't own anything with mt7621 yet).

Project Manager
Hauke Mehrtens commented on 09.06.2019 13:58

Please test whether this patch fixes your problem and report back:
https://patchwork.ozlabs.org/patch/1112640/

Vadzim Dambrouski commented on 10.06.2019 22:09

This patch has very nasty undefined behavior which causes the virt_addr_valid function to miscompile down to this:

8001dd24 __virt_addr_valid:
8001dd24:	03e00008 	jr	ra
8001dd28:	00001025 	move	v0,zero

which will unconditionally disable checks for all heap objects. I think it was a typo and they meant to check kaddr instead of vaddr.

But this does help to fix my issue, so the problem is identified correctly.
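
An added triage sketch, not part of the original thread or of OpenWrt's code: it parses the usercopy line and call trace from the oops above and places the reported pointer in its MIPS32 address segment. The names `segment` and `triage` and the `label_mismatch` heuristic (a kmalloc cache name on a pointer outside kseg0) are assumptions of this example.

```python
import re

# Lines copied from the oops in this report (printk level prefixes kept).
OOPS = """\
<0>[  608.342771] usercopy: kernel memory exposure attempt detected from c0d173c1 (kmalloc-256) (71 bytes)
<4>[  608.361842] task: 8fdeea40 task.stack: 8b21a000
<4>[  608.589961] [<80115df0>] __check_object_size+0x1b0/0x1e0
<4>[  608.595268] [<80292008>] copy_from_read_buf+0x90/0x1b0
<4>[  608.600384] [<80294e84>] n_tty_read+0x6f4/0x8b4
"""

USERCOPY = re.compile(
    r"usercopy: kernel memory (exposure|overwrite) attempt detected "
    r"(?:from|to) ([0-9a-f]+) \((.+?)\) \((\d+) bytes\)")
FRAME = re.compile(r"\[<[0-9a-f]{8}>\] (\w+)\+0x")

# Upper bounds of the MIPS32 virtual address segments (architectural).
SEGMENTS = [(0x80000000, "kuseg"), (0xA0000000, "kseg0"),
            (0xC0000000, "kseg1"), (0x100000000, "kseg2/3")]


def segment(addr):
    """Name the MIPS32 segment that a 32-bit virtual address falls in."""
    for limit, name in SEGMENTS:
        if addr < limit:
            return name
    raise ValueError("not a 32-bit address: %#x" % addr)


def triage(log):
    """Summarise a hardened-usercopy report; None if the log has none."""
    m = USERCOPY.search(log)
    if m is None:
        return None
    kind, ptr, obj, size = m.groups()
    seg = segment(int(ptr, 16))
    return {
        "kind": kind,
        "pointer": ptr,
        "segment": seg,
        "object": obj,
        "bytes": int(size),
        "frames": FRAME.findall(log),
        # Heuristic (assumption of this example): kmalloc objects live in
        # the unmapped, cached kseg0 window, so any other segment paired
        # with a kmalloc cache name suggests the object lookup misfired.
        "label_mismatch": obj.startswith("kmalloc-") and seg != "kseg0",
    }
```

On the report above this yields segment kseg2/3 with `label_mismatch` set, while the task pointer 8fdeea40 from the same oops falls in kseg0.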

Project Manager
Hauke Mehrtens commented on 11.06.2019 08:23
