| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6355174d-4ab6-595d-17db-311bce607aef@arm.com>
Date: Mon, 29 Oct 2018 15:05:53 +0000
From: Marc Zyngier <marc.zyngier@....com>
To: Thomas Petazzoni <thomas.petazzoni@...tlin.com>,
Maxime Chevallier <maxime.chevallier@...tlin.com>,
Antoine Tenart <antoine.tenart@...tlin.com>,
Marcin Wojtas <mw@...ihalf.com>
Cc: "linux-arm-kernel@...ts.infradead.org"
<linux-arm-kernel@...ts.infradead.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: [BUG] MVPP2 driver exploding in presence of a tap interface
Hi all,
This is a follow-up on the conversation Thomas and I had last week at
ELC, with me ranting at the sorry state of the MVPP2 driver.
I reported this last time in a conversation on the macchiato list,
but it looks like nobody investigated the issue at the time:
https://lists.einval.com/pipermail/macchiato/2018-January/000085.html
Triggering this is dead simple:
- Add a macvtap to one of the MVPP2 interfaces
- Bring it online
- Watch the kernel exploding and memory being corrupted
You don't even need anything listening on the tap interface, just its
simple existence triggers it. I use a similar setup on a large variety
of machines, and this box is the only one that catches fire. Removing
the macvtap interface makes it (more) reliable.
Given that I cannot reproduce this issue on any other ARM (32 or 64bit)
platform, including other Marvell stuff, I can only conclude that the
MVPP2 driver is responsible for this.
Example crash and .config below (4.19 vanilla, as linux/master dies in
new and wonderful ways on this box). I'm looking forward to testing any
idea you may have.
M.
[ 29.040686] mvpp2 f2000000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[ 29.234413] BUG: Bad page state in process swapper/0 pfn:e6804
[ 29.240364] page:ffff7e00039a0100 count:0 mapcount:0 mapping:ffff8000e7bf3800 index:0x0 compound_mapcount: 0
[ 29.250238] flags: 0xfffc00000008100(slab|head)
[ 29.254793] raw: 0fffc00000008100 dead000000000100 dead000000000200 ffff8000e7bf3800
[ 29.262571] raw: 0000000000000000 0000000000100010 00000000ffffffff 0000000000000000
[ 29.270345] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[ 29.276813] bad because of flags: 0x100(slab)
[ 29.281190] Modules linked in:
[ 29.284264] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.19.0-dirty #272
[ 29.290903] Hardware name: Marvell 8040 MACCHIATOBin (DT)
[ 29.296323] Call trace:
[ 29.298784] dump_backtrace+0x0/0x148
[ 29.302461] show_stack+0x14/0x20
[ 29.305789] dump_stack+0x90/0xb4
[ 29.309117] bad_page+0x104/0x130
[ 29.312444] free_pages_check_bad+0x9c/0xa8
[ 29.316642] __free_pages_ok+0x1b0/0x450
[ 29.320580] page_frag_free+0x8c/0xa8
[ 29.324257] skb_free_head+0x18/0x30
[ 29.327846] skb_release_data+0x130/0x160
[ 29.331870] skb_release_all+0x24/0x30
[ 29.335633] consume_skb+0x2c/0x58
[ 29.339047] arp_process.constprop.4+0x200/0x6f0
[ 29.343681] arp_rcv+0xf4/0x128
[ 29.346834] __netif_receive_skb_one_core+0x54/0x78
[ 29.351731] __netif_receive_skb+0x14/0x60
[ 29.355843] netif_receive_skb_internal+0x40/0x138
[ 29.360653] napi_gro_receive+0x64/0xc8
[ 29.364504] mvpp2_poll+0x384/0x6b8
[ 29.368005] net_rx_action+0x104/0x2c0
[ 29.371768] __do_softirq+0x10c/0x208
[ 29.375444] irq_exit+0xb8/0xc8
[ 29.378597] __handle_domain_irq+0x64/0xb8
[ 29.382709] gic_handle_irq+0x50/0xa0
[ 29.386383] el1_irq+0xb0/0x128
[ 29.389535] arch_cpu_idle+0x10/0x18
[ 29.393124] do_idle+0x208/0x280
[ 29.396363] cpu_startup_entry+0x24/0x28
[ 29.400302] rest_init+0xd0/0xdc
[ 29.403543] start_kernel+0x3d8/0x400
[ 29.407220] Disabling lock debugging due to kernel taint
[ 30.578010] BUG: Bad page state in process swapper/0 pfn:e681d
[ 30.583963] page:ffff7e00039a0740 count:0 mapcount:0 mapping:ffff8000ef43f080 index:0x0
[ 30.592002] flags: 0xfffc00000000100(slab)
[ 30.596120] raw: 0fffc00000000100 dead000000000100 dead000000000200 ffff8000ef43f080
[ 30.603889] raw: 0000000000000000 00000000001e001e 00000000ffffffff 0000000000000000
[ 30.611663] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[ 30.618131] bad because of flags: 0x100(slab)
[ 30.622508] Modules linked in:
[ 30.625580] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.19.0-dirty #272
[ 30.633615] Hardware name: Marvell 8040 MACCHIATOBin (DT)
[ 30.639035] Call trace:
[ 30.641495] dump_backtrace+0x0/0x148
[ 30.645172] show_stack+0x14/0x20
[ 30.648499] dump_stack+0x90/0xb4
[ 30.651826] bad_page+0x104/0x130
[ 30.655153] free_pages_check_bad+0x9c/0xa8
[ 30.659352] __free_pages_ok+0x1b0/0x450
[ 30.663288] page_frag_free+0x8c/0xa8
[ 30.666965] skb_free_head+0x18/0x30
[ 30.670554] skb_release_data+0x130/0x160
[ 30.674578] skb_release_all+0x24/0x30
[ 30.678341] kfree_skb+0x2c/0x58
[ 30.681582] __udp4_lib_rcv+0x818/0x910
[ 30.685432] udp_rcv+0x1c/0x28
[ 30.688498] ip_local_deliver_finish+0x100/0x248
[ 30.693133] ip_local_deliver+0x60/0x110
[ 30.697070] ip_rcv_finish+0x38/0x50
[ 30.700658] ip_rcv+0x50/0xd8
[ 30.703636] __netif_receive_skb_one_core+0x54/0x78
[ 30.708532] __netif_receive_skb+0x14/0x60
[ 30.712643] netif_receive_skb_internal+0x40/0x138
[ 30.717452] napi_gro_receive+0x64/0xc8
[ 30.721302] mvpp2_poll+0x384/0x6b8
[ 30.724803] net_rx_action+0x104/0x2c0
[ 30.728566] __do_softirq+0x10c/0x208
[ 30.732242] irq_exit+0xb8/0xc8
[ 30.735395] __handle_domain_irq+0x64/0xb8
[ 30.739506] gic_handle_irq+0x50/0xa0
[ 30.743182] el1_irq+0xb0/0x128
[ 30.746334] arch_cpu_idle+0x10/0x18
[ 30.749922] do_idle+0x208/0x280
[ 30.753161] cpu_startup_entry+0x24/0x28
[ 30.757099] rest_init+0xd0/0xdc
[ 30.760339] start_kernel+0x3d8/0x400
--
Jazz is not dead. It just smells funny...
View attachment ".config" of type "text/plain" (175190 bytes)
Powered by blists - more mailing lists