Bug#887873: linux-image-4.9.0-5-marvell: frequent "usercopy: kernel memory overwrite attempt detected" on QNAP NAS (ARM)
Package: src:linux
Version: 4.9.65-3+deb9u2
Severity: critical
Justification: breaks the whole system
Dear Maintainer,
Rsyncing files between 2 HDDs on a QNAP 119p with a fresh, minimal install of
stretch NAS (armel) causes the kernel to fail after ~20mins with a kernel
memory overwrite attempt (full error below).
This happens reliably for any large rsync attempt. I have about 1TB of data to
copy between these 2 HDDs and have not managed to copy more than ~2% of the
total amount.
-- Package-specific info:
** Version:
Linux version 4.9.0-5-marvell (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 Debian 4.9.65-3+deb9u2 (2018-01-04)
** Command line:
console=ttyS0,115200 root=/dev/ram initrd=0xa00000,0x900000 ramdisk=34816
** Not tainted
** Kernel log:
[ 2775.213733] usercopy: kernel memory overwrite attempt detected to c29454e0 (<wrapped address>) (4294802208 bytes)
[ 2775.224095] ------------[ cut here ]------------
[ 2775.228728] kernel BUG at /build/linux-myVvPm/linux-4.9.65/mm/usercopy.c:75!
[ 2775.235800] Internal error: Oops - BUG: 0 [#1] ARM
[ 2775.240604] Modules linked in: marvell ehci_orion mvmdio mv643xx_eth ehci_hcd of_mdio fixed_phy xhci_pci xhci_hcd marvell_cesa des_generic sg usbcore libphy m25p80 spi_nor orion_wdt usb_common kirkwood_thermal evdev gpio_keys ip_tables x_tables ipv6 autofs4 ext4 crc16 jbd2 crc32c_generic fscrypto ecb mbcache sd_mod sata_mv libata scsi_mod
[ 2775.271023] CPU: 0 PID: 601 Comm: rsync Not tainted 4.9.0-5-marvell #1 Debian 4.9.65-3+deb9u2
[ 2775.279582] Hardware name: Marvell Kirkwood (Flattened Device Tree)
[ 2775.285870] task: c0d496c0 task.stack: d5ffe000
[ 2775.290418] PC is at __check_object_size+0x120/0x1d8
[ 2775.295401] LR is at __check_object_size+0x120/0x1d8
[ 2775.300382] pc : [<c0111908>] lr : [<c0111908>] psr: 60000013
sp : d5fffdb8 ip : 00000000 fp : d5ffff08
[ 2775.311908] r10: d5ffe000 r9 : fffd7b20 r8 : c29454e0
[ 2775.317148] r7 : c291d000 r6 : 00000000 r5 : fffd7b20 r4 : c29454e0
[ 2775.323697] r3 : c0554fa0 r2 : c055a20c r1 : c055094c r0 : 00000065
[ 2775.330247] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[ 2775.337405] Control: 0005397f Table: 14810000 DAC: 00000051
[ 2775.343168] Process rsync (pid: 601, stack limit = 0xd5ffe190)
[ 2775.349020] Stack: (0xd5fffdb8 to 0xd6000000)
[ 2775.353390] fda0: c04623b8 fffd7b20
[ 2775.361598] fdc0: 000294e8 fffd7b20 00001000 d5fffec0 c29454e0 c0202360 00000008 008eafe8
[ 2775.369812] fde0: dfc4a380 c291c000 00000051 69000008 d5fffec0 00008000 00000008 00000008
[ 2775.378026] fe00: 00001000 00000000 c0c26b40 00001008 c0495cf7 c02fc3d0 c0c26b40 d5fffec0
[ 2775.386240] fe20: d5fffec0 00000000 00008008 c0c26b40 df782d80 d5fffeb8 00000001 00000000
[ 2775.394445] fe40: df782b40 c03a21d0 d5fffe64 00000003 de65b2c0 00008000 00000008 00008008
[ 2775.402651] fe60: 5a644f89 00000000 00000000 00000000 00000000 ffffffff ffffffff 00000000
[ 2775.410866] fe80: d2bebb80 d5fffeb8 de65b2c0 de65b2c0 df79caa0 008c1b00 d5ffe000 00000000
[ 2775.419080] fea0: 00512e6c c02ee92c d5ffff10 d5ffff28 de65b2c0 c02ee9cc 00000000 00000000
[ 2775.427294] fec0: 00000001 00000008 00008000 d5ffff08 00000001 3b9aa9ee 00000000 00000000
[ 2775.435499] fee0: 00000040 d5ffff28 00000000 00000000 df79caa0 d5ffff88 00008008 c0114048
[ 2775.443705] ff00: 00008008 00000000 008c1b00 00008008 00000001 00000000 00008008 d5ffff08
[ 2775.451909] ff20: 00000001 3b9aa9ee df79caa0 00000000 00000000 00000000 00000000 00000000
[ 2775.460116] ff40: 00000000 00000000 00000000 df79caa0 00008008 00000000 d5ffff88 c0114cb4
[ 2775.468321] ff60: df79caa0 008c1b00 00008008 df79caa0 df79caa0 008c1b00 00008008 c000f704
[ 2775.476527] ff80: d5ffe000 c0115b68 00000000 00000000 00008008 00512e6c bedfb878 bedfb7f8
[ 2775.484733] ffa0: 00000004 c000f560 00512e6c bedfb878 00000004 008c1b00 00008008 008c1b00
[ 2775.492947] ffc0: 00512e6c bedfb878 bedfb7f8 00000004 00520a80 00512e84 0051095c 00512e6c
[ 2775.501161] ffe0: 00000000 bedfb69c 004c6978 b6ea3d1c 40000010 00000004 0000624f 0000624f
[ 2775.509384] [<c0111908>] (__check_object_size) from [<c0202360>] (copy_page_from_iter+0x2e8/0x3d0)
[ 2775.518388] [<c0202360>] (copy_page_from_iter) from [<c02fc3d0>] (skb_copy_datagram_from_iter+0xfc/0x188)
[ 2775.527997] [<c02fc3d0>] (skb_copy_datagram_from_iter) from [<c03a21d0>] (unix_stream_sendmsg+0x208/0x2f8)
[ 2775.537691] [<c03a21d0>] (unix_stream_sendmsg) from [<c02ee92c>] (sock_sendmsg+0x3c/0x50)
[ 2775.545903] [<c02ee92c>] (sock_sendmsg) from [<c02ee9cc>] (sock_write_iter+0x8c/0xb4)
[ 2775.553771] [<c02ee9cc>] (sock_write_iter) from [<c0114048>] (new_sync_write+0xc0/0xe4)
[ 2775.561810] [<c0114048>] (new_sync_write) from [<c0114cb4>] (vfs_write+0xc0/0x194)
[ 2775.569414] [<c0114cb4>] (vfs_write) from [<c0115b68>] (SyS_write+0x44/0x7c)
[ 2775.576497] [<c0115b68>] (SyS_write) from [<c000f560>] (ret_fast_syscall+0x0/0x38)
[ 2775.584098] Code: e59f10a0 01a01000 e59f009c ebff04bf (e7f001f2)
[ 2775.590218] ---[ end trace 9c6c6370c712b384 ]---
** Model information
Hardware : Marvell Kirkwood (Flattened Device Tree)
Revision : 0000
Device Tree model: QNAP TS219 family
** Loaded modules:
ehci_orion
marvell
ehci_hcd
xhci_pci
mvmdio
mv643xx_eth
xhci_hcd
of_mdio
fixed_phy
orion_wdt
marvell_cesa
des_generic
libphy
usbcore
sg
m25p80
spi_nor
usb_common
kirkwood_thermal
evdev
gpio_keys
ip_tables
x_tables
ipv6
autofs4
ext4
crc16
jbd2
crc32c_generic
fscrypto
ecb
mbcache
sd_mod
sata_mv
libata
scsi_mod
** Network interface configuration:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
** Network status:
*** IP interfaces and addresses:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:08:9b:c8:50:26 brd ff:ff:ff:ff:ff:ff
inet 192.168.164.3/24 brd 192.168.164.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::208:9bff:fec8:5026/64 scope link
valid_lft forever preferred_lft forever
*** Device statistics:
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth0: 667374 2622 0 0 0 0 0 0 420218 1869 0 0 0 0 0 0
** PCI devices:
00:01.0 PCI bridge [0604]: Marvell Technology Group Ltd. Device [11ab:6282] (rev 01) (prog-if 00 [Normal decode])
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr+ Stepping- SERR+ FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Bus: primary=00, secondary=01, subordinate=01, sec-latency=0
Prefetchable memory behind bridge: 00000000-000fffff
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR- NoISA- VGA- MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: [40] Express (v2) Root Port (Slot+), MSI 00
DevCap: MaxPayload 128 bytes, PhantFunc 0
ExtTag- RBE+
DevCtl: Report errors: Correctable- Non-Fatal- Fatal- Unsupported-
RlxdOrd- ExtTag- PhantFunc- AuxPwr- NoSnoop-
MaxPayload 128 bytes, MaxReadReq 512 bytes
DevSta: CorrErr- UncorrErr- FatalErr- UnsuppReq- AuxPwr- TransPend-
LnkCap: Port #0, Speed 2.5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s <256ns, L1 unlimited
ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp-
LnkCtl: ASPM Disabled; RCB 128 bytes Disabled- CommClk-
ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
LnkSta: Speed 2.5GT/s, Width x1, TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
SltCap: AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug- Surprise-
Slot #0, PowerLimit 0.000W; Interlock- NoCompl-
SltCtl: Enable: AttnBtn- PwrFlt- MRL- PresDet- CmdCplt- HPIrq- LinkChg-
Control: AttnInd Unknown, PwrInd Unknown, Power- Interlock-
SltSta: Status: AttnBtn- PowerFlt- MRL- CmdCplt- PresDet+ Interlock-
Changed: MRL- PresDet- LinkState-
RootCtl: ErrCorrectable- ErrNon-Fatal- ErrFatal- PMEIntEna- CRSVisible-
RootCap: CRSVisible-
RootSta: PME ReqID 0000, PMEStatus- PMEPending-
DevCap2: Completion Timeout: Not Supported, TimeoutDis-, LTR-, OBFF Not Supported ARIFwd-
DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-, LTR-, OBFF Disabled ARIFwd-
LnkCtl2: Target Link Speed: 2.5GT/s, EnterCompliance- SpeedDis-
Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
Compliance De-emphasis: -6dB
LnkSta2: Current De-emphasis Level: -6dB, EqualizationComplete-, EqualizationPhase1-
EqualizationPhase2-, EqualizationPhase3-, LinkEqualizationRequest-
00:02.0 PCI bridge [0604]: Marvell Technology Group Ltd. Device [11ab:6282] (rev 01) (prog-if 00 [Normal decode])
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr+ Stepping- SERR+ FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Bus: primary=00, secondary=02, subordinate=02, sec-latency=0
Memory behind bridge: e0000000-e00fffff
Prefetchable memory behind bridge: 00000000-000fffff
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR- NoISA- VGA- MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: [40] Express (v2) Root Port (Slot+), MSI 00
DevCap: MaxPayload 128 bytes, PhantFunc 0
ExtTag- RBE+
DevCtl: Report errors: Correctable- Non-Fatal- Fatal- Unsupported-
RlxdOrd- ExtTag- PhantFunc- AuxPwr- NoSnoop-
MaxPayload 128 bytes, MaxReadReq 512 bytes
DevSta: CorrErr- UncorrErr- FatalErr- UnsuppReq- AuxPwr- TransPend-
LnkCap: Port #0, Speed 2.5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s <256ns, L1 unlimited
ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp-
LnkCtl: ASPM Disabled; RCB 128 bytes Disabled- CommClk+
ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
LnkSta: Speed 2.5GT/s, Width x1, TrErr- Train- SlotClk- DLActive- BWMgmt- ABWMgmt-
SltCap: AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug- Surprise-
Slot #0, PowerLimit 0.000W; Interlock- NoCompl-
SltCtl: Enable: AttnBtn- PwrFlt- MRL- PresDet- CmdCplt- HPIrq- LinkChg-
Control: AttnInd Unknown, PwrInd Unknown, Power- Interlock-
SltSta: Status: AttnBtn- PowerFlt- MRL- CmdCplt- PresDet+ Interlock-
Changed: MRL- PresDet- LinkState-
RootCtl: ErrCorrectable- ErrNon-Fatal- ErrFatal- PMEIntEna- CRSVisible-
RootCap: CRSVisible-
RootSta: PME ReqID 0000, PMEStatus- PMEPending-
DevCap2: Completion Timeout: Not Supported, TimeoutDis-, LTR-, OBFF Not Supported ARIFwd-
DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-, LTR-, OBFF Disabled ARIFwd-
LnkCtl2: Target Link Speed: 2.5GT/s, EnterCompliance- SpeedDis-
Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
Compliance De-emphasis: -6dB
LnkSta2: Current De-emphasis Level: -6dB, EqualizationComplete-, EqualizationPhase1-
EqualizationPhase2-, EqualizationPhase3-, LinkEqualizationRequest-
02:00.0 USB controller [0c03]: Etron Technology, Inc. EJ168 USB 3.0 Host Controller [1b6f:7023] (rev 01) (prog-if 30 [XHCI])
Subsystem: Etron Technology, Inc. EJ168 USB 3.0 Host Controller [1b6f:7023]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr+ Stepping- SERR+ FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 32 bytes
Interrupt: pin A routed to IRQ 36
Region 0: Memory at e0000000 (64-bit, non-prefetchable) [size=32K]
Capabilities: [50] Power Management version 3
Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=0mA PME(D0+,D1+,D2+,D3hot+,D3cold-)
Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=0 PME-
Capabilities: [70] MSI: Enable- Count=1/4 Maskable+ 64bit+
Address: 0000000000000000 Data: 0000
Masking: 000000f0 Pending: 00000000
Capabilities: [a0] Express (v2) Endpoint, MSI 00
DevCap: MaxPayload 1024 bytes, PhantFunc 0, Latency L0s <64ns, L1 <1us
ExtTag+ AttnBtn- AttnInd- PwrInd- RBE+ FLReset+ SlotPowerLimit 0.000W
DevCtl: Report errors: Correctable- Non-Fatal- Fatal- Unsupported-
RlxdOrd+ ExtTag- PhantFunc- AuxPwr- NoSnoop+ FLReset-
MaxPayload 128 bytes, MaxReadReq 512 bytes
DevSta: CorrErr- UncorrErr- FatalErr- UnsuppReq- AuxPwr- TransPend-
LnkCap: Port #0, Speed 5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s <1us, L1 <64us
ClockPM+ Surprise- LLActRep- BwNot- ASPMOptComp-
LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- CommClk+
ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
LnkSta: Speed 2.5GT/s, Width x1, TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
DevCap2: Completion Timeout: Not Supported, TimeoutDis-, LTR-, OBFF Not Supported
DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-, LTR-, OBFF Disabled
LnkCtl2: Target Link Speed: 5GT/s, EnterCompliance- SpeedDis-
Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
Compliance De-emphasis: -6dB
LnkSta2: Current De-emphasis Level: -3.5dB, EqualizationComplete-, EqualizationPhase1-
EqualizationPhase2-, EqualizationPhase3-, LinkEqualizationRequest-
Capabilities: [100 v1] Advanced Error Reporting
UESta: DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
UEMsk: DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
UESvrt: DLP+ SDES- TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
CESta: RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr-
CEMsk: RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr+
AERCap: First Error Pointer: 14, GenCap+ CGenEn- ChkCap+ ChkEn-
Capabilities: [190 v1] Device Serial Number 01-01-01-01-01-01-01-01
Kernel driver in use: xhci_hcd
Kernel modules: xhci_pci
** USB devices:
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
-- System Information:
Debian Release: 9.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: armel (armv5tel)
Kernel: Linux 4.9.0-5-marvell
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages linux-image-4.9.0-5-marvell depends on:
ii initramfs-tools [linux-initramfs-tool] 0.130
ii kmod 23-2
ii linux-base 4.5
Versions of packages linux-image-4.9.0-5-marvell recommends:
ii firmware-linux-free 3.4
ii u-boot-tools 2016.11+dfsg1-4
Versions of packages linux-image-4.9.0-5-marvell suggests:
pn debian-kernel-handbook <none>
pn linux-doc-4.9 <none>
Versions of packages linux-image-4.9.0-5-marvell is related to:
pn firmware-amd-graphics <none>
pn firmware-atheros <none>
pn firmware-bnx2 <none>
pn firmware-bnx2x <none>
pn firmware-brcm80211 <none>
pn firmware-cavium <none>
pn firmware-intel-sound <none>
pn firmware-intelwimax <none>
pn firmware-ipw2x00 <none>
pn firmware-ivtv <none>
pn firmware-iwlwifi <none>
pn firmware-libertas <none>
pn firmware-linux-nonfree <none>
pn firmware-misc-nonfree <none>
pn firmware-myricom <none>
pn firmware-netxen <none>
pn firmware-qlogic <none>
pn firmware-realtek <none>
pn firmware-samsung <none>
pn firmware-siano <none>
pn firmware-ti-connectivity <none>
pn xen-hypervisor <none>
-- no debconf information
Reply to: