OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete 0%
  • Task Type Bug Report
  • Category Kernel
  • Assigned To No-one
  • Operating System All
  • Severity Critical
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Soberia - 11.06.2019

FS#2316 - Kernel's iptables crash unexpectedly

<Xiaomi Mi Router 3G / OpenWrt SNAPSHOT, r10173-6b762dd>
My router sometimes restarts unexpectedly for no reason. Here’s the kernel’s crash log (/sys/kernel/debug/crashlog):

<0>[12930.571103] usercopy: kernel memory overwrite attempt detected to c2651000 (kmalloc-2048) (5408 bytes)
<4>[12930.580437] Kernel bug detected[#1]:
<4>[12930.584007] CPU: 2 PID: 28709 Comm: iptables Not tainted 4.14.123 #0
<4>[12930.590333] task: 8186ddc0 task.stack: 81fe4000
<4>[12930.594840] $ 0   : 00000000 00000001 0000005a 00000000
<4>[12930.600054] $ 4   : 8122d33c 8122d33c 81231e78 00007388
<4>[12930.605266] $ 8   : 00000000 00000194 00000008 00000000
<4>[12930.610476] $12   : 00000000 805c0000 0008b6df 00000000
<4>[12930.615697] $16   : c2651000 00001520 00000000 c2652520
<4>[12930.620906] $20   : 006678e0 00001548 00000000 77fca000
<4>[12930.626115] $24   : 00000001 802ab558
<4>[12930.631326] $28   : 81fe4000 81fe5dc0 00000000 80116360
<4>[12930.636539] Hi    : 00000124
<4>[12930.639403] Lo    : 74e58000
<4>[12930.642286] epc   : 80116360 __check_object_size+0x1b0/0x1e0
<4>[12930.647921] ra    : 80116360 __check_object_size+0x1b0/0x1e0
<4>[12930.653549] Status: 11007c03      KERNEL EXL IE
<4>[12930.657721] Cause : 50800024 (ExcCode 09)
<4>[12930.661707] PrId  : 0001992f (MIPS 1004Kc)
<4>[12930.665796] Modules linked in: pppoe ppp_async pptp pppox ppp_mppe ppp_generic nf_nat_pptp nf_conntrack_pptp nf_conntrack_ipv6 mt76x2e mt76x2_common mt76x02_lib mt7603e mt76 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_tcpmss xt_statistic xt_state xt_recent xt_nat xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_helper xt_ecn xt_dscp xt_conntrack xt_connmark xt_connlimit xt_connbytes xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_HL xt_FLOWOFFLOAD xt_DSCP xt_CT xt_CLASSIFY ts_fsm ts_bm slhc nf_reject_ipv4 nf_nat_tftp nf_nat_snmp_basic nf_nat_sip nf_nat_redirect nf_nat_proto_gre nf_nat_masquerade_ipv4 nf_nat_irc nf_conntrack_ipv4 nf_nat_ipv4 nf_nat_h323 nf_nat_amanda nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_tftp
<4>[12930.736837]  nf_conntrack_snmp nf_conntrack_sip nf_conntrack_rtcache nf_conntrack_proto_gre nf_conntrack_netlink nf_conntrack_irc nf_conntrack_h323 nf_conntrack_broadcast ts_kmp nf_conntrack_amanda iptable_raw iptable_mangle iptable_filter ipt_ECN ip_tables crc_ccitt compat fuse sch_cake nf_conntrack sch_tbf sch_ingress sch_htb sch_hfsc em_u32 cls_u32 cls_tcindex cls_route cls_matchall cls_fw cls_flow cls_basic act_skbedit act_mirred ledtrig_usbport xt_set ip_set_list_set ip_set_hash_netportnet ip_set_hash_netport ip_set_hash_netnet ip_set_hash_netiface ip_set_hash_net ip_set_hash_mac ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_hash_ipmark ip_set_hash_ip ip_set_bitmap_port ip_set_bitmap_ipmac ip_set_bitmap_ip ip_set nfnetlink nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter
<4>[12930.808159]  ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 ip_gre gre ifb ip_tunnel tun vfat fat nls_utf8 nls_iso8859_1 nls_cp437 sha1_generic ecb usb_storage sd_mod scsi_mod ext4 mbcache jbd2 crc32c_generic leds_gpio xhci_plat_hcd xhci_pci xhci_mtk xhci_hcd gpio_button_hotplug usbcore nls_base usb_common
<4>[12930.835248] Process iptables (pid: 28709, threadinfo=81fe4000, task=8186ddc0, tls=77fd8eb8)
<4>[12930.843554] Stack : 818c0040 8055090c 8055e4c8 c2651000 8054f124 00001520 00000000 00001520
<4>[12930.851887]         c2651000 00667908 805d9980 8ead1c3c 818c0000 818c0040 c264e000 805b0000
<4>[12930.860223]         805b0000 805e0000 00000041 8f1b9c98 805d9980 c264e000 0066a000 81fe5e34
<4>[12930.868560]         8adcd004 006663b0 81840040 805d9980 00000000 00000000 746c6966 00007265
<4>[12930.876894]         00000000 00000000 00000000 00000000 00000000 00000000 00000152 00000000
<4>[12930.885244]         ...
<4>[12930.887733] Call Trace:
<4>[12930.890172] [<80116360>] __check_object_size+0x1b0/0x1e0
<4>[12930.895540] [<8ead1c3c>] xt_copy_counters_from_user+0xac/0x158 [x_tables]
<4>[12930.902322] [<8f1b9c98>] ipt_register_table+0x508/0xdf8 [ip_tables]
<4>[12930.908568] Code: 02003825  0c01d530  24840924 <000c000d> 8fb30028  8fb20024  8fb10020  8fb0001c  03e00008
<4>[12930.918296]
<4>[12930.920137] ---[ end trace 0d59c51a87e12512 ]---
moeller0 commented on 11.06.2019 21:27

Same issue, applying https://patchwork.ozlabs.org/patch/1112640/ might have solved the issue. I performed two hard DSL line disconnects; in the recent past, upon resyncing and establishing a new ppp connection, the router pretty reliably rebooted with "usercopy: kernel memory exposure attempt detected from" type error messages in the crashlog. Now, after patching, it survived two DSL unplug/re-plug cycles. I will monitor it further, but this looks at least like it is going in the right direction ;)
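
A triage parser for the hardened-usercopy reports quoted in this thread, as an added example that is not part of the original report or of the OpenWrt code base: it extracts the copy direction, the reported slab cache, the copy length, the faulting process and the first caller from a crashlog. The "exposure" line in the sample is constructed, and reading the `kmalloc-N` cache name as a nominal object size is an assumption of the example.

```python
import re

# Constructed sample: lines copied from the crash log in this report, plus one
# constructed "exposure" line (its address, cache and size are made up).
SAMPLE = """\
<0>[12930.571103] usercopy: kernel memory overwrite attempt detected to c2651000 (kmalloc-2048) (5408 bytes)
<4>[12930.584007] CPU: 2 PID: 28709 Comm: iptables Not tainted 4.14.123 #0
<4>[12930.887733] Call Trace:
<4>[12930.890172] [<80116360>] __check_object_size+0x1b0/0x1e0
<4>[12930.895540] [<8ead1c3c>] xt_copy_counters_from_user+0xac/0x158 [x_tables]
<4>[12930.902322] [<8f1b9c98>] ipt_register_table+0x508/0xdf8 [ip_tables]
<4>[12930.920137] ---[ end trace 0d59c51a87e12512 ]---
<0>[  100.000000] usercopy: kernel memory exposure attempt detected from 8f000000 (kmalloc-512) (600 bytes)
"""

USERCOPY = re.compile(r"usercopy: kernel memory (overwrite|exposure) attempt detected "
                      r"(?:to|from) ([0-9a-f]+) \(([^)]*)\) \((\d+) bytes\)")
COMM = re.compile(r"\bPID: (\d+) Comm: (\S+)")
FRAME = re.compile(r"\[<[0-9a-f]+>\] (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
KMALLOC = re.compile(r"kmalloc-(\d+)$")

def parse_usercopy_reports(text):
    """Return one dict per usercopy report found in a kernel crash log."""
    reports, cur = [], None
    for line in text.splitlines():
        m = USERCOPY.search(line)
        if m:
            kind, addr, cache, length = m.groups()
            k = KMALLOC.match(cache)
            # "overwrite" = user -> kernel copy, "exposure" = kernel -> user copy.
            cur = {"direction": "copy_from_user" if kind == "overwrite" else "copy_to_user",
                   "kind": kind, "addr": int(addr, 16), "cache": cache, "bytes": int(length),
                   # Bytes beyond the nominal kmalloc-N object size (assumption: N from name).
                   "excess": int(length) - int(k.group(1)) if k else None,
                   "comm": None, "caller": None}
            reports.append(cur)
            continue
        if cur is None:
            continue
        m = COMM.search(line)
        if m and cur["comm"] is None:
            cur["comm"] = m.group(2)
        m = FRAME.search(line)
        # The first frame that is not the checker itself is the copy site.
        if m and cur["caller"] is None and m.group(1) != "__check_object_size":
            cur["caller"] = (m.group(1), m.group(2))
        if "---[ end trace" in line:
            cur = None
    return reports
```

Grouping the returned records by `caller` and `comm` across several saved crashlogs shows whether the reboots share one copy site.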
