[mt7915] Kernel panic (Data abort) at mt7915_mac_wtbl_lmac_addr on MT7986 (Redmi AX6000) #1067
Description
Environment:
- Device: Xiaomi Redmi Router AX6000 (MediaTek MT7986)
- Firmware: ImmortalWrt 24.10.5 (LuCI openwrt-24.10 branch 26.042.32088~3dc9a84)
- Kernel: 6.6.122
- Driver: mt7915e/mt76
Symptom & Description:
The router experiences sudden network drops and kernel panics under certain wireless environments.
Right before the crash, hostapd logs a massive flood of handle_beacon - too short payload warnings. Shortly after, a kernel WARNING is triggered in the RX path (mt7915_rx_check -> mt7915_mac_wtbl_lmac_addr), followed by a fatal Oops (Data abort: Unable to handle kernel paging request), causing the device to freeze/reboot.
It appears that receiving specific malformed/short 802.11 management frames (beacons) in the air might be causing an invalid WTBL index lookup or out-of-bounds memory access in the driver's RX polling path.
Steps to Reproduce:
Happens randomly, likely triggered by specific environmental Wi-Fi traffic (malformed beacons) around the router.
Crash Logs (Extracted from remote syslogs):
1. The pre-crash beacon warnings:
Mar 15 12:41:38 R1 hostapd: handle_beacon - too short payload (len=32)
Mar 15 12:41:49 R1 hostapd: handle_beacon - too short payload (len=24)
... (Spamming continuously) ...
Mar 15 12:48:58 R1 hostapd: handle_beacon - too short payload (len=32)
2. The first WARNING in mt7915_mac_wtbl_lmac_addr (RX path):
Mar 15 12:49:00 R1 kernel: [269000.080134] ------------[ cut here ]------------
Mar 15 12:49:00 R1 kernel: [269000.085099] WARNING: CPU: 3 PID: 1163 at mt7915_mac_wtbl_lmac_addr+0x7e0/0x900 [mt7915e]
...
Mar 15 12:49:00 R1 kernel: [269000.273049] CPU: 3 PID: 1163 Comm: napi/phy0-7 Tainted: G O 6.6.122 #0
Mar 15 12:49:00 R1 kernel: [269000.296479] pc : mt7915_mac_wtbl_lmac_addr+0x7e0/0x900 [mt7915e]
Mar 15 12:49:00 R1 kernel: [269000.302827] lr : mt7915_mac_wtbl_lmac_addr+0x764/0x900 [mt7915e]
...
Mar 15 12:49:00 R1 kernel: [269000.387443] Call trace:
Mar 15 12:49:00 R1 kernel: [269000.390222] mt7915_mac_wtbl_lmac_addr+0x7e0/0x900 [mt7915e]
Mar 15 12:49:00 R1 kernel: [269000.396217] mt7915_rx_check+0x2c/0xc8 [mt7915e]
Mar 15 12:49:00 R1 kernel: [269000.401170] mt76_dma_rx_poll+0x3a0/0x700 [mt76]
Mar 15 12:49:00 R1 kernel: [269000.406130] __napi_poll+0x34/0x1b8
Mar 15 12:49:00 R1 kernel: [269000.409955] napi_threaded_poll_loop+0x1bc/0x1e4
Mar 15 12:49:00 R1 kernel: [269000.426542] ---[ end trace 0000000000000000 ]---
3. The second WARNING shortly after:
Mar 15 12:49:35 R1 kernel: [269034.309306] ------------[ cut here ]------------
Mar 15 12:49:35 R1 kernel: [269034.314272] WARNING: CPU: 3 PID: 1163 at mt7915_mac_wtbl_lmac_addr+0x8e8/0x900 [mt7915e]
...
Mar 15 12:49:35 R1 kernel: [269034.525648] pc : mt7915_mac_wtbl_lmac_addr+0x8e8/0x900 [mt7915e]
Mar 15 12:49:35 R1 kernel: [269034.531992] lr : mt7915_mac_wtbl_lmac_addr+0x864/0x900 [mt7915e]
...
Mar 15 12:49:35 R1 kernel: [269034.616605] Call trace:
Mar 15 12:49:35 R1 kernel: [269034.619384] mt7915_mac_wtbl_lmac_addr+0x8e8/0x900 [mt7915e]
Mar 15 12:49:35 R1 kernel: [269034.625379] mt7915_rx_check+0x44/0xc8 [mt7915e]
Mar 15 12:49:35 R1 kernel: [269034.630332] mt76_dma_rx_poll+0x3a0/0x700 [mt76]
Mar 15 12:49:35 R1 kernel: [269034.655700] ---[ end trace 0000000000000000 ]---
4. The final fatal Kernel Panic (Data Abort):
Mar 15 12:53:30 R1 kernel: [269269.518414] Unable to handle kernel paging request at virtual address ffffff88d5ab0010
Mar 15 12:53:30 R1 kernel: [269269.526686] Mem abort info:
Mar 15 12:53:30 R1 kernel: [269269.529813] ESR = 0x0000000096000005
Mar 15 12:53:30 R1 kernel: [269269.533904] EC = 0x25: DABT (current EL), IL = 32 bits
Mar 15 12:53:30 R1 kernel: [269269.539546] SET = 0, FnV = 0
Mar 15 12:53:30 R1 kernel: [269269.542944] EA = 0, S1PTW = 0
Mar 15 12:53:30 R1 kernel: [269269.546421] FSC = 0x05: level 1 translation fault
Mar 15 12:53:30 R1 kernel: [269269.551637] Data abort info:
Mar 15 12:53:30 R1 kernel: [269269.554850] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
Mar 15 12:53:30 R1 kernel: [269269.560678] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
Mar 15 12:53:30 R1 kernel: [269269.566059] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
Mar 15 12:53:30 R1 kernel: [269269.571710] swapper pgtable: 4k pages, 39-bit VAs, pgdp=000000004906f000
Mar 15 12:53:30 R1 kernel: [269269.578741] [ffffff88d5ab0010] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
Mar 15 12:53:30 R1 kernel: [269269.587780] Internal error: Oops: 0000000096000005 [#1] SMP
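A triage aid for the correlation the report describes, added here as an example and not part of the original issue or the mt76 project: it scans syslog text and, for each mt7915e WARNING or Oops, counts the hostapd short-beacon warnings in the preceding window. The sample lines are constructed from the excerpt above (the elided flood is not reproduced, so the counts are a lower bound); the 10-minute window, the placeholder year and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the report's syslog excerpt; elided lines are omitted.
SAMPLE = """\
Mar 15 12:41:38 R1 hostapd: handle_beacon - too short payload (len=32)
Mar 15 12:41:49 R1 hostapd: handle_beacon - too short payload (len=24)
Mar 15 12:48:58 R1 hostapd: handle_beacon - too short payload (len=32)
Mar 15 12:49:00 R1 kernel: [269000.085099] WARNING: CPU: 3 PID: 1163 at mt7915_mac_wtbl_lmac_addr+0x7e0/0x900 [mt7915e]
Mar 15 12:49:35 R1 kernel: [269034.314272] WARNING: CPU: 3 PID: 1163 at mt7915_mac_wtbl_lmac_addr+0x8e8/0x900 [mt7915e]
Mar 15 12:53:30 R1 kernel: [269269.587780] Internal error: Oops: 0000000096000005 [#1] SMP
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (\w+): (.*)$")
BEACON = re.compile(r"handle_beacon - too short payload \(len=(\d+)\)")
KERNEL = re.compile(r"WARNING: .* at (\S+) \[mt7915e\]|Internal error: Oops: (\w+)")

def parse_ts(ts, year=2000):
    # Syslog omits the year; 'year' is an assumed placeholder used only for arithmetic.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def correlate(text, window=timedelta(minutes=10)):
    """For each driver WARNING or Oops, summarise short-beacon warnings in the preceding window."""
    beacons, findings = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when, prog, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        if prog == "hostapd" and (b := BEACON.search(msg)):
            beacons.append((when, int(b.group(1))))
        elif prog == "kernel" and (k := KERNEL.search(msg)):
            recent = [(t, n) for t, n in beacons if when - window <= t <= when]
            findings.append({
                "time": when.strftime("%H:%M:%S"),
                "event": k.group(1) or f"Oops {k.group(2)}",
                "short_beacons": len(recent),
                "min_len": min((n for _, n in recent), default=None),
                "gap_s": int((when - recent[-1][0]).total_seconds()) if recent else None,
            })
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

Run against the full remote syslog, a consistently small `gap_s` before each WARNING supports the malformed-beacon hypothesis, while `short_beacons` of 0 on other crashes would argue against it.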