[Solved] WRT1900ACV1 reboots: kernel 4.9

nbd · April 18, 2017, 8:09am

I've reverted the removal of Linux 4.4 support. I currently don't have time to debug this myself, but please let me know if you guys make any progress in figuring out the root cause of this issue.

davidc502 · May 13, 2017, 2:03pm

Requesting update for this issue. 1900ac Version 1 users are still reporting reboot issues after installing latest lede snapshots with 4.9.x Kernels.

It's important we get V1 hardware fixed due to security issues running kernel 4.4.x.

northbound · May 13, 2017, 2:24pm

Still happens here. I may be up for 3 or 4 days then reboot twice in a few minutes no rhyme or reason.
4.9.27 and mwlwifi 10.3.4.0-20170512. And as usual no crash.log.

InkblotAdmirer · May 13, 2017, 3:54pm

David, what security issues are you worried about? Kernel 4.4 is still maintained (linux foundation, not LEDE) and you can submit patches (or just apply locally) to be pulled into the tree if the devs don't update fast enough -- nbd has made sure kernel 4.4 is still an option for mvebu.

IMO this is a nuisance for anyone building their own -- you just have to do two independent builds.

The bigger issue is that LEDE releases (or anything from the buildbot) are not really a viable option for the AC V1.

Borromini · May 13, 2017, 4:04pm

@davidc502 I'm on 4.4.67 for ar71xx, x86_64 and mt7621. I can post the patch if you want for 17.01.1. .68 is expected any minute now though.

davidc502 · May 13, 2017, 8:27pm

Kernels 4.5 down to 2.6 are vulnerable to remote code execution within the kernel as root. Maybe this has already been patched? The information about this vulnerability was just released last month.

Borromini · May 13, 2017, 9:36pm

I'm pretty sure it has. Thing is, the kernel devs don't explicitly refer to the CVEs in the changelogs, so you really need to track them down, you can't just grep the changelog for CVEs...

Just check the NIST entry and you'll see the Linux kernel was patched in January 2016 (!). On top of that, the page clearly states the vulnerability is in 4.4.60 and older kernels ;).

Mushoz · May 13, 2017, 10:01pm

You are running the DIR-860L as well, right? How's the 4.4.67 kernel treating you? Are you using SQM by any chance? The current master branch and 17.01 branch both have issues with SQM on the mt7621 devices. It can cause stack traces and crashes that result in a reboot. Kernel 4.9 seems to have fixed it for me, but it is causing other issues for me. Was wondering whether kernel 4.4.67 is any good on mt7621 devices with SQM enabled.

For further discussion on the aforementioned issues, please see the end of this thread:
https://forum.openwrt.org/t/optimized-build-for-the-d-link-dir-860l/

And this bug report (please vote for it if you would like to developers to focus on this bug):

github.com/openwrt/openwrt

FS#764 - MT7621: Any traffic shaping results in crashes/stack traces

opened 07:06AM - 06 May 17 UTC

closed 02:04PM - 11 Feb 18 UTC

openwrt-bot

flyspray

*Mushoz:* There has been a large number of reports of bugs with MT7621 devices …in combination with SQM. Debugging is difficult, because it often results in a hardcrash which leaves no log files. I believe I have some interesting details that might make it easier to debug. **Device:** DIR-860L rev B1, but according to reports all MT7621 devices are affected. **LEDE Version:** LEDE Reboot SNAPSHOT r4094-961c0ea **Steps to reproduce:** Run a dslreports.com speedtest with a large number of upload and download streams (32/32) with either SQM or QOS enabled on your WAN interface. **Observations:** * It happens both with SQM-scripts _and_ QOS. So I don't believe it is an issue with the SQM package specifically. These two packages have in common that they both shape traffic. * It seems to be **load dependent**. 100/100 and 200/200 mbit egress/ingress limits crash less often than 300/300 or higher limits * It happens with all qdiscs: Cake + piece of cake, fq_codel + simple, fq_codel + simplest **Crash log:** There is usually no crash log because the router hardlocks and then reboots. But I got very lucky once and managed to get a log of the event: <code>[ 710.140000] INFO: rcu_sched detected stalls on CPUs/tasks: [ 710.150000] 1-...: (257 GPs behind) idle=dfc/0/0 softirq=48167/48179 fqs=1 [ 710.160000] (detected by 2, t=6004 jiffies, g=13114, c=13113, q=1063) [ 710.170000] Task dump for CPU 1: [ 710.180000] swapper/1 R running 0 0 1 0x00100000 [ 710.190000] Stack : 00000000 5b6c286a 000000a3 ffffffff 00000090 773742c0 804df2a4 80490000 [ 710.190000] 8048c75c 00000001 00000001 8048c540 8048c724 80490000 00000000 800135e4 [ 710.190000] 00000000 00000001 87c70000 87c71ec0 80490000 8005ec74 1100fc03 00000001 [ 710.190000] 00000000 80490000 804df2a4 8005ec6c 80490000 8001b1a8 1100fc03 00000000 [ 710.190000] 00000004 8048c4a0 000000a0 8001b1b0 8c94e220 00008018 dc124877 a0020044 [ 710.190000] ... [ 710.260000] Call Trace: [ 710.270000] [<8000be98>] __schedule+0x574/0x758 [ 710.280000] [<800135e4>] r4k_wait_irqoff+0x0/0x20 [ 710.290000] [ 710.290000] rcu_sched kthread starved for 6016 jiffies! g13114 c13113 f0x0 s3 ->state=0x1 [ 782.470000] INFO: rcu_sched detected stalls on CPUs/tasks: [ 782.470000] 1-...: (0 ticks this GP) idle=12c/0/0 softirq=48179/48179 fqs=0 [ 782.470000] (detected by 0, t=6002 jiffies, g=13324, c=13323, q=1260) [ 782.470000] Task dump for CPU 1: [ 782.470000] swapper/1 R running 0 0 1 0x00100000 [ 782.470000] Stack : 00000000 00000001 0000000a 00000000 00000000 00000001 804df2a4 80490000 [ 782.470000] 8048c75c 00000001 00000001 8048c540 8048c724 80490000 00000000 800135e4 [ 782.470000] 00000000 00000001 87c70000 87c71ec0 80490000 8005ec74 1100fc03 00000001 [ 782.470000] 00000000 80490000 804df2a4 8005ec6c 80490000 8001b1a8 1100fc03 00000000 [ 782.470000] 00000004 8048c4a0 000000a0 8001b1b0 8c94e220 00008018 dc124877 a0020044 [ 782.470000] ... [ 782.470000] Call Trace: [ 782.470000] [<8000be98>] __schedule+0x574/0x758 [ 782.470000] [<800135e4>] r4k_wait_irqoff+0x0/0x20 [ 782.470000] [ 782.470000] rcu_sched kthread starved for 6002 jiffies! g13324 c13323 f0x0 s3 ->state=0x1 [ 860.040000] INFO: rcu_sched detected stalls on CPUs/tasks: [ 860.050000] 1-...: (0 ticks this GP) idle=5a8/0/0 softirq=48179/48179 fqs=0 [ 860.060000] (detected by 3, t=6004 jiffies, g=13501, c=13500, q=2389) [ 860.070000] Task dump for CPU 1: [ 860.080000] swapper/1 R running 0 0 1 0x00100000 [ 860.090000] Stack : 00000000 00002cd1 00000000 777882c0 00000000 00000000 804df2a4 80490000 [ 860.090000] 8048c75c 00000001 00000001 8048c540 8048c724 80490000 00000000 800135e4 [ 860.090000] 00000000 00000001 87c70000 87c71ec0 80490000 8005ec74 1100fc03 00000001 [ 860.090000] 00000000 80490000 804df2a4 8005ec6c 80490000 8001b1a8 1100fc03 00000000 [ 860.090000] 00000004 8048c4a0 000000a0 8001b1b0 8c94e220 00008018 dc124877 a0020044 [ 860.090000] ... [ 860.160000] Call Trace: [ 860.170000] [<8000be98>] __schedule+0x574/0x758 [ 860.180000] [<800135e4>] r4k_wait_irqoff+0x0/0x20 [ 860.190000] [ 860.190000] rcu_sched kthread starved for 6017 jiffies! g13501 c13500 f0x0 s3 ->state=0x1</code> I hope it contains useful information for tracking down this bug. If there is anything else I can supply or test in order to help the debugging process, please let me know.

Borromini · May 13, 2017, 10:22pm

I am, yes. But there's no difference between the 17.01.x 4.4 versions and the .67 one. I'm not switching to trunk until 4.9 is stable enough on ramips.

I already voted for your bug report as well

wongsyrone · May 21, 2017, 12:16am

Just notice crash dump is enabled for ARM via https://github.com/lede-project/source/commit/48d71ab5021e5238623bab2f87b6425b2609c60a, can anyone give it a try?

ListerWRT · May 27, 2017, 12:54pm

From the look of that it's enabled by default? I just tested r4228-43e4e1f and there was no crash log created at /sys/kernel/debug/ (unless it's supposed to be somewhere else now?). My uptime was ~2hrs before lockup/reboot

wongsyrone · May 28, 2017, 6:08am

Yes, it is enabled by default. I have no idea then.
nbd, can you help to find the root cause?

ListerWRT · May 29, 2017, 5:56am

@nbd Do you or anyone else have time to look into this now? I don't think we're making any progress on our own. Sorry to hassle you with a direct mention...

Borromini · June 3, 2017, 12:14pm

@Mushoz, thought this might be of interest to you. It might be a weird coincidence, but running on a recent 17.01 (pre 17.01.2, so to speak) branch with a GCC 6.3 build (instead of a GCC 5.4 build), I am looking at almost 4 days and 12 hours uptime. This is with kernel 4.4.70.

Fingers crossed of course, but remarkable (usually I have one or more reboots a day).

Sorry for the offtopic

Mushoz · June 3, 2017, 12:28pm

That sounds very good! Thank you very much for letting us know Is this with Cake enabled? And if so, have you tried heavy traffic to see if it doesn't crash?

ListerWRT · June 4, 2017, 6:57am

Yeah maybe move the DIR-860L chat elsewhere. We're already struggling to be noticed without being buried in our own topic.

FCS001FCS · June 6, 2017, 4:52pm

Anyone know if this WRT1900AC V1 Reboot on 4.9 Kernel build problem is being worked on by somebody?

I would like to go to the 4.9 Kernel builds but have experienced the reboots and reverted back to 4.4.70.

stmtpr · July 17, 2017, 7:24pm

DISTRIB_DESCRIPTION='LEDE Reboot SNAPSHOT r4512-f3ae0f8'
Kernel = 4.9.34
SQM enabled.

Spontaneous reboot during long large downloads. I have remote logging enabled but nothing collected.

oli · July 17, 2017, 8:25pm

I use Linksys wrt1900acs v2 with LEDE firmware version compiled by Daniel named SuperWRT, everything is working fine!

http://s.go.ro/8qfvfhf1

https://superwrt.download/firmware/

InkblotAdmirer · July 19, 2017, 2:46am

EDITED: sorry, prematurely posted from fat-finger

Even though I said I was dropping this... I can't let something like this go and I think I may be on to something.

Poring through changes from 4.4 to 4.9, the device tree changes appear straightforward enough but I decided to decompile the compiled device tree and voila... the mamba dts (decompiled) is very different on 4.9 than 4.4. Here is one excerpt:

			crypto@90000 {  // kernel 4.4
			compatible = "marvell,armada-xp-crypto";
			reg = <0x90000 0x10000>;
			reg-names = "regs";
			interrupts = <0x30 0x31>;
			clocks = <0x8 0x17 0x8 0x17>;
			clock-names = "cesa0", "cesa1";
			marvell,crypto-srams = <0xf 0x10>;
			marvell,crypto-sram-size = <0x800>;
		};


			
                    crypto@90000 {  // kernel 4.9
			compatible = "marvell,armada-xp-crypto";
			reg = <0x90000 0x10000>;
			reg-names = "regs";
			interrupts = <0x30 0x31>;
			clocks = <0x7 0x17 0x7 0x17>;
			clock-names = "cesa0", "cesa1";
			marvell,crypto-srams = <0xe 0xf>;
			marvell,crypto-sram-size = <0x800>;
		};

Clocks, interrupts, etc. are all varying from 4.4 to 4.9. Looking further, I think it's this commit:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/arch/arm/boot/dts/armada-370-xp.dtsi?h=linux-4.9.y&id=55877f58b0be83a4ffb4639a83f99c28df418e3e

I created a patch to undo a couple changes and the device tree is now nearly identical. Without completely reverting a few changes I'm not sure it can be made identical but I've got a mamba running on 4.9 now and I've been beating up the wifi with iperf for a few hours now and everything is looking OK. Keep your fingers crossed...

In case you want to build and expand on test hours more quickly (since the reboots can be pretty fickle) here is the patch:

--- /arch/arm/boot/dts/armada-xp.dtsi	2017-07-17 21:13:53.372001000 -0500
+++ /arch/arm/boot/dts/armada-xp.dtsi	2017-07-18 20:08:18.874801712 -0500
@@ -372,6 +372,4 @@
 
 &spi1 {
 	compatible = "marvell,armada-xp-spi", "marvell,orion-spi";
-	pinctrl-0 = <&spi1_pins>;
-	pinctrl-names = "default";
 };
--- /arch/arm/boot/dts/armada-370-xp.dtsi	2017-07-15 05:17:55.000000000 -0500
+++ /arch/arm/boot/dts/armada-370-xp.dtsi	2017-07-15 04:58:03.000000000 -0500
@@ -148,6 +148,26 @@
 				interrupts = <50>;
 	    		};
     
    +			spi0: spi@10600 {
    +				reg = <0x10600 0x28>;
    +				#address-cells = <1>;
    +				#size-cells = <0>;
    +				cell-index = <0>;
    +				interrupts = <30>;
    +				clocks = <&coreclk 0>;
    +				status = "disabled";
    +			};
    +
    +			spi1: spi@10680 {
    +				reg = <0x10680 0x28>;
    +				#address-cells = <1>;
    +				#size-cells = <0>;
    +				cell-index = <1>;
    +				interrupts = <92>;
    +				clocks = <&coreclk 0>;
    +				status = "disabled";
    +			};
    +
     			i2c0: i2c@11000 {
     				compatible = "marvell,mv64xxx-i2c";
     				#address-cells = <1>;
    @@ -300,42 +320,6 @@
     				status = "disabled";
     			};
     		};
-
-		spi0: spi@10600 {
-			reg = <MBUS_ID(0xf0, 0x01) 0x10600 0x28>, /* control */
-			      <MBUS_ID(0x01, 0x1e) 0 0xffffffff>, /* CS0 */
-			      <MBUS_ID(0x01, 0x5e) 0 0xffffffff>, /* CS1 */
-			      <MBUS_ID(0x01, 0x9e) 0 0xffffffff>, /* CS2 */
-			      <MBUS_ID(0x01, 0xde) 0 0xffffffff>, /* CS3 */
-			      <MBUS_ID(0x01, 0x1f) 0 0xffffffff>, /* CS4 */
-			      <MBUS_ID(0x01, 0x5f) 0 0xffffffff>, /* CS5 */
-			      <MBUS_ID(0x01, 0x9f) 0 0xffffffff>, /* CS6 */
-			      <MBUS_ID(0x01, 0xdf) 0 0xffffffff>; /* CS7 */
-			#address-cells = <1>;
-			#size-cells = <0>;
-			cell-index = <0>;
-			interrupts = <30>;
-			clocks = <&coreclk 0>;
-			status = "disabled";
-		};
-
-		spi1: spi@10680 {
-			reg = <MBUS_ID(0xf0, 0x01) 0x10680 0x28>, /* control */
-			      <MBUS_ID(0x01, 0x1a) 0 0xffffffff>, /* CS0 */
-			      <MBUS_ID(0x01, 0x5a) 0 0xffffffff>, /* CS1 */
-			      <MBUS_ID(0x01, 0x9a) 0 0xffffffff>, /* CS2 */
-			      <MBUS_ID(0x01, 0xda) 0 0xffffffff>, /* CS3 */
-			      <MBUS_ID(0x01, 0x1b) 0 0xffffffff>, /* CS4 */
-			      <MBUS_ID(0x01, 0x5b) 0 0xffffffff>, /* CS5 */
-			      <MBUS_ID(0x01, 0x9b) 0 0xffffffff>, /* CS6 */
-			      <MBUS_ID(0x01, 0xdb) 0 0xffffffff>; /* CS7 */
-			#address-cells = <1>;
-			#size-cells = <0>;
-			cell-index = <1>;
-			interrupts = <92>;
-			clocks = <&coreclk 0>;
-			status = "disabled";
-		};
 	};
 
 	clocks {

Here is the remaining diff in the compiled dts:

> 						linux,default-trigger = "disk-activity";
...
> 				};
> 
> 				spi1-pins {
> 					marvell,pins = "mpp13", "mpp14", "mpp16", "mpp17";
> 					marvell,function = "spi1";

Both are artifacts of further changes that I haven't undone yet, TBD whether they matter.

Best of luck...