mt7615 crash log

[quarkysg]

Router: Linksys E8450

Running own custom master branch build (at commit 92ca322dd1f48158b8829fec59319a12e4ae4295)

Router crashed with the following captured in ramoops pstore:

<1>[235082.785489] Unable to handle kernel read from unreadable memory at virtual address 0000000000000001
<1>[235082.794656] Mem abort info:
<1>[235082.797527]   ESR = 0x0000000096000005
<1>[235082.801368]   EC = 0x25: DABT (current EL), IL = 32 bits
<1>[235082.806759]   SET = 0, FnV = 0
<1>[235082.809890]   EA = 0, S1PTW = 0
<1>[235082.813113]   FSC = 0x05: level 1 translation fault
<1>[235082.818068] Data abort info:
<1>[235082.821029]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
<1>[235082.826592]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
<1>[235082.831725]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
<1>[235082.837115] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000046658000
<1>[235082.843638] [0000000000000001] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
<0>[235082.852424] Internal error: Oops: 0000000096000005 [#1] SMP
<7>[235082.858076] Modules linked in: pppoe ppp_async iptable_nat xt_state xt_nat xt_conntrack xt_REDIRECT xt_MASQUERADE xt_FLOWOFFLOAD wireguard pppox ppp_generic nft_redir nft_nat nft_masq nft_flow_offload nft_fib_inet nft_ct nft_chain_nat nf_nat nf_flow_table_inet nf_flow_table nf_conntrack mt7915e(O) mt7615e(O) mt7615_common(O) mt76_connac_lib(O) mt76(O) mac80211(O) libchacha20poly1305 ipt_REJECT ebtable_nat ebtable_filter ebtable_broute chacha_neon cfg80211(O) xt_time xt_tcpudp xt_tcpmss xt_statistic xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_ecn xt_dscp xt_comment xt_TCPMSS xt_LOG xt_HL xt_DSCP xt_CLASSIFY usbnet slhc poly1305_neon nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_quota nft_numgen nft_log nft_limit nft_hash nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_compat nf_tables nf_reject_ipv4 nf_log_syslog nf_defrag_ipv6 nf_defrag_ipv4 macvlan libcurve25519_generic libcrc32c libchacha iptable_mangle iptable_filter ipt_ECN ipheth ip_tables ebtables ebt_vlan ebt_stp ebt_redirect ebt_pkttype
<7>[235082.858295]  ebt_mark_m ebt_mark ebt_limit ebt_among ebt_802_3 compat(O) cls_flower act_vlan cls_bpf act_bpf sch_tbf sch_ingress sch_htb sch_hfsc em_u32 cls_u32 cls_route cls_matchall cls_fw cls_flow cls_basic act_skbedit act_mirred act_gact xt_set ip_set_list_set ip_set_hash_netportnet ip_set_hash_netport ip_set_hash_netnet ip_set_hash_netiface ip_set_hash_net ip_set_hash_mac ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_hash_ipmark ip_set_hash_ipmac ip_set_hash_ip ip_set_bitmap_port ip_set_bitmap_ipmac ip_set_bitmap_ip ip_set nfnetlink ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 ip6_gre ip_gre gre sit ipip ip6_tunnel tunnel6 tunnel4 ip_tunnel tun ovpn_dco_v2(O) udp_tunnel ip6_udp_tunnel sha512_arm64 seqiv geniv usb_storage leds_gpio xhci_plat_hcd xhci_pci xhci_mtk_hcd xhci_hcd gpio_button_hotplug(O) usbcore usb_common mii
<7>[235083.026279] CPU: 0 PID: 1089 Comm: mt76-tx phy0 Tainted: G S         O       6.6.56 #0
<7>[235083.034277] Hardware name: Linksys E8450 (UBI) (DT)
<7>[235083.039233] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
<7>[235083.046274] pc : mt7615_mac_set_rates+0x44/0x3cc [mt7615_common]
<7>[235083.052381] lr : mt7615_tx_prepare_skb+0x290/0x300 [mt7615e]
<7>[235083.058129] sp : ffffffc0810438e0
<7>[235083.061520] x29: ffffffc0810438e0 x28: fffffffe00000000 x27: 000000000000007f
<7>[235083.068740] x26: 0000000000000000 x25: ffffffc0792ba13c x24: ffffff8003dc2338
<7>[235083.075959] x23: ffffff800267ae30 x22: ffffff8003dc1fe8 x21: ffffff8003ded068
<7>[235083.083177] x20: ffffff8003dc1fe8 x19: ffffff8003de1fe0 x18: 0000000000000000
<7>[235083.090395] x17: ffffffbf9f30d000 x16: ffffffc080000000 x15: ffffff801fea2b80
<7>[235083.097614] x14: ffffffffffffffff x13: 0000000000000008 x12: 0101010101010101
<7>[235083.104833] x11: 00000000000002ad x10: 00000000000008a0 x9 : 0000000000000000
<7>[235083.112051] x8 : ffffffc081043cb0 x7 : 0000000000000000 x6 : ffffffc079139a78
<7>[235083.119268] x5 : ffffffc081043aa0 x4 : 0000000000000000 x3 : ffffff8003dc2338
<7>[235083.126486] x2 : ffffff800267ae30 x1 : 0000000000000000 x0 : 0000000000000000
<7>[235083.133705] Call trace:
<7>[235083.136228]  mt7615_mac_set_rates+0x44/0x3cc [mt7615_common]
<7>[235083.141978]  mt7615_tx_prepare_skb+0x290/0x300 [mt7615e]
<7>[235083.147379]  mt76_dma_cleanup+0x900/0xa44 [mt76]
<7>[235083.152091]  mt76_tx_check_agg_ssn+0xa0/0x114 [mt76]
<7>[235083.157147]  __mt76_tx_complete_skb+0x3e4/0x738 [mt76]
<7>[235083.162377]  __mt76_tx_complete_skb+0x6f8/0x738 [mt76]
<7>[235083.167606]  mt76_tx_worker_run+0x2c/0x60 [mt76]
<7>[235083.172315]  mt7615_tx_worker+0xa0/0x190 [mt7615_common]
<7>[235083.177718]  __mt76_worker_fn+0x8c/0xdc [mt76]
<7>[235083.182253]  kthread+0xd8/0xdc
<7>[235083.185392]  ret_from_fork+0x10/0x20
<0>[235083.189052] Code: 394e043a f9438a60 f9419421 b9403800 (39400439) 
<4>[235083.195223] ---[ end trace 0000000000000000 ]---

[quarkysg]

So I used gdb (with this command l *mt7615_mac_set_rates+0x44) and I get the following from gdb:

(gdb) l *mt7615_mac_set_rates+0x44
0x90c8 is in mt7615_mac_set_rates (/home/quarkysg/projects/firmware/openwrt-mt7622/build_dir/target-aarch64_cortex-a53_musl/linux-mediatek_mt7622/mt76-2024.10.28~c246fa54/mt7615/mac.c:1109).
1104	{
1105		int wcid = sta->wcid.idx, n_rates = sta->n_rates;
1106		struct mt7615_dev *dev = phy->dev;
1107		struct mt7615_rate_desc rd;
1108		u32 w5, w27, addr;
1109		u16 idx = sta->vif->mt76.omac_idx;
1110	
1111		if (!mt76_is_mmio(&dev->mt76)) {
1112			mt7615_mac_queue_rate_update(phy, sta, probe_rate, rates);
1113			return;

So it looks like the sta variable passed in by the calling function contains an invalid value (either for vif or mt76) in it's data structure that was used.

Anyone knows how this could have happened and how to check to prevent kernel crash?