Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FS#2305 - mt76: kernel panic when using mkfs.ext2 on usb drive. #7357

Closed
openwrt-bot opened this issue May 31, 2019 · 5 comments
Closed

FS#2305 - mt76: kernel panic when using mkfs.ext2 on usb drive. #7357

openwrt-bot opened this issue May 31, 2019 · 5 comments
Labels

Comments

@openwrt-bot
Copy link

pftbest:

Device: MT7621 Xiaomi Mi Router 3G
Version: OpenWrt SNAPSHOT, r10114+2-a1210f8
Steps to reproduce:
Run mkfs.ext2 -L data /dev/sda2
Can reproduce consistently. The hard drive is powered from an external power supply so it's not an electrical issue.

<0>[ 608.342771] usercopy: kernel memory exposure attempt detected from c0d173c1 (kmalloc-256) (71 bytes) <4>[ 608.352010] Kernel bug detected[#1]: <4>[ 608.355602] CPU: 0 PID: 2505 Comm: dropbear Not tainted 4.14.121 #0 <4>[ 608.361842] task: 8fdeea40 task.stack: 8b21a000 <4>[ 608.366346] $ 0 : 00000000 00000001 00000058 00000000 <4>[ 608.371558] $ 4 : 8121133c 8121133c 81215e78 00006990 <4>[ 608.376766] $ 8 : 00000000 0000015b 00000007 00000000 <4>[ 608.381975] $12 : 00000000 80590000 00053af3 00000000 <4>[ 608.387183] $16 : c0d173c1 00000047 00000001 c0d17408 <4>[ 608.392392] $20 : 8dbbfe00 8b21be3c 8b21bdf0 c0d17000 <4>[ 608.397601] $24 : 00000003 802a2780 <4>[ 608.402810] $28 : 8b21a000 8b21bd38 006b1029 80115df0 <4>[ 608.408019] Hi : 00000124 <4>[ 608.410880] Lo : 74e58000 <4>[ 608.413763] epc : 80115df0 __check_object_size+0x1b0/0x1e0 <4>[ 608.419395] ra : 80115df0 __check_object_size+0x1b0/0x1e0 <4>[ 608.425022] Status: 11008403 KERNEL EXL IE <4>[ 608.429192] Cause : 50800024 (ExcCode 09) <4>[ 608.433179] PrId : 0001992f (MIPS 1004Kc) <4>[ 608.437250] Modules linked in: pppoe ppp_async pppox ppp_generic nf_conntrack_ipv6 mt76x2e mt76x2_common mt76x02_lib mt7603e mt76 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_state xt_nat xt_multiport xt_mark xt_mac xt_limit xt_conntrack xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_FLOWOFFLOAD slhc nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack iptable_mangle iptable_filter ip_tables crc_ccitt compat fuse ledtrig_usbport nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 nfsv4 nfsd nfs rpcsec_gss_krb5 auth_rpcgss oid_registry tun loop vfat fat lockd sunrpc grace dns_resolver <4>[ 608.508454] dm_mirror dm_region_hash dm_log dm_crypt dm_mod dax nls_utf8 nls_iso8859_1 nls_cp437 sha1_generic md5 hmac ecb des_generic cts cbc usb_storage leds_gpio xhci_plat_hcd xhci_pci xhci_mtk xhci_hcd sd_mod scsi_mod gpio_button_hotplug ext4 mbcache jbd2 usbcore nls_base usb_common crc32c_generic <4>[ 608.535207] Process dropbear (pid: 2505, threadinfo=8b21a000, task=8fdeea40, tls=77fd2eb8) <4>[ 608.543426] Stack : 00000000 80522e50 80517aa4 c0d173c1 80521640 00000047 00000000 00000047 <4>[ 608.551758] c0d173c1 c0d17000 000013c6 80292008 7fa9f4fc 7fa9f47c 00000000 00000000 <4>[ 608.560089] 8dbbfe00 c0d17000 7fffffff 006b1029 00010000 00000000 00000000 c0d17000 <4>[ 608.568421] 8dbbfe68 80294e84 8b21bdb8 8b21bdbc 8b21bdc0 8b21bdc4 00000001 00000000 <4>[ 608.576752] 006b102b 006b102a 8dbbff74 0000137f c0d19258 00000000 00000000 8b21bea0 <4>[ 608.585084] ... <4>[ 608.587519] Call Trace: <4>[ 608.589961] [<80115df0>] __check_object_size+0x1b0/0x1e0 <4>[ 608.595268] [<80292008>] copy_from_read_buf+0x90/0x1b0 <4>[ 608.600384] [<80294e84>] n_tty_read+0x6f4/0x8b4 <4>[ 608.604895] [<8028dd78>] tty_read+0xac/0x11c <4>[ 608.609153] [<8011a89c>] __vfs_read+0x28/0x158 <4>[ 608.613576] [<8011aa9c>] vfs_read+0xd0/0x17c <4>[ 608.617828] [<8011b01c>] SyS_read+0x58/0xc4 <4>[ 608.622004] [<80019578>] syscall_common+0x34/0x58 <4>[ 608.626690] Code: 02003825 0c01d530 24842e5c <000c000d> 8fb30028 8fb20024 8fb10020 8fb0001c 03e00008 <4>[ 608.636415] <4>[ 608.638435] ---[ end trace 1fd93e66459e17ad ]---
@openwrt-bot
Copy link
Author

pftbest:

mkfs.ext2 is just a reliable way to reproduce the problem. I can get the same crash when doing normal disk activity like copying files, but it's much more random.

@openwrt-bot
Copy link
Author

ynezz:

I've just tried it with 16GB USB flash disk and I'm not able to reproduce it on my mt7620 device (I don't own anything with mt7621 yet).

@openwrt-bot
Copy link
Author

Hauke:

Please try if this patch fixes your problem and report back:
https://patchwork.ozlabs.org/patch/1112640/

@openwrt-bot
Copy link
Author

pftbest:

This patch has very nasty undefined behavior which causes virt_addr_valid function to miscompile down to this

8001dd24 __virt_addr_valid: 8001dd24: 03e00008 jr ra 8001dd28: 00001025 move v0,zero

which will unconditionally disable checks for all heap objects. I think it was a typo and they meant to check kaddr instead of vaddr.

But this does help to fix my issue, so the problem is identified correctly.

@openwrt-bot
Copy link
Author

Hauke:

I raised the problem here:
https://lore.kernel.org/linux-mips/9e5c6f1a-b4a9-dbae-6314-aeb08f31c8aa@hauke-m.de/T/#t
Lets see what happens

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant