Bug 13906

Summary: Huawei E169 GPRS connection causes Ooops
Product: Drivers
Reporter: Clemens Eisserer (linuxhippy)
Component: Serial
Assignee: Greg Kroah-Hartman (greg)
Status: CLOSED CODE_FIX
Severity: normal
CC: akpm, gerald, rjw
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.31.rc5
Subsystem:
Regression: Yes
Bisected commit-id:
Bug Depends on:
Bug Blocks: 13615

Description Clemens Eisserer 2009-08-04 09:02:13 UTC
I am using umtsmon to connect my Huawei-E169 to the Internet.

When connecting to a UMTS network everything works fine, however when connecting to a GPRS network (fallback, if no UMTS network is available), I get the following Oops:

PPP generic driver version 2.4.2                                                                     
PPP Deflate Compression module registered                                                            
BUG: unable to handle kernel paging request at 6b6b6b87                                              
IP: [<f7cc3df9>] serial_do_free+0x30/0x7b [usbserial]                                                
*pde = 00000000                                                                                      
Oops: 0000 [#1] SMP                                                                                  
last sysfs file: /sys/devices/pci0000:00/0000:00:1c.2/0000:02:00.0/ieee80211/phy0/rfkill1/uevent     
Modules linked in: ppp_deflate zlib_deflate ppp_async crc_ccitt ppp_generic slhc fuse option usbserial usb_storage sunrpc ipv6 cpufreq_ondemand acpi_cpufreq dm_multipath uinput snd_hda_codec_si3054 snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm arc4 ppdev btusb parport_pc ecb bluetooth firewire_ohci firewire_core iwl3945 sdhci_pci yenta_socket snd_timer iTCO_wdt sdhci snd parport rsrc_nonstatic crc_itu_t iTCO_vendor_support iwlcore mmc_core soundcore snd_page_alloc e1000e mac80211 toshiba_acpi cfg80211 joydev rfkill ata_generic pata_acpi i915 drm i2c_algo_bit i2c_core video output [last unloaded: microcode]

Pid: 1472, comm: umtsmon Not tainted (2.6.31-0.118.rc5.fc12.i686 #1) Tecra A8
EIP: 0060:[<f7cc3df9>] EFLAGS: 00010286 CPU: 0
EIP is at serial_do_free+0x30/0x7b [usbserial]
EAX: f259ca6c EBX: f63eca50 ECX: f7cc3e44 EDX: 6b6b6b6b
ESI: f63eca88 EDI: 00000000 EBP: f15d3e84 ESP: f15d3e74
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process umtsmon (pid: 1472, ti=f15d2000 task=f1602b80 task.ti=f15d2000)
Stack:
 ed87ae0e f259c860 f25872a0 00000000 f15d3ea0 f7cc3ed3 f15cc900 ed87ae0e
<0> f25872a0 00000000 00000000 f15d3f34 c0679747 f15d3ee4 f25960b0 00000000
<0> 00000000 ed87ae0e 00000000 ed87ae0e f15d3ee4 c046ec0c 00000000 00000000
Call Trace:
 [<f7cc3ed3>] ? serial_close+0x8f/0xa8 [usbserial]
 [<c0679747>] ? tty_release_dev+0x16a/0x3fa
 [<c046ec0c>] ? mark_lock+0x29/0x1f6
 [<c045c7ba>] ? autoremove_wake_function+0x0/0x55
 [<c04f524a>] ? sys_close+0x35/0xc2
 [<c06799fc>] ? tty_release+0x25/0x41
 [<c04f8a42>] ? __fput+0x101/0x1a2
 [<c04f8b0a>] ? fput+0x27/0x3a
 [<c04f51fa>] ? filp_close+0x64/0x7f
 [<c04f5291>] ? sys_close+0x7c/0xc2
 [<c0403a50>] ? syscall_call+0x7/0xb
Code: 53 83 ec 04 0f 1f 44 00 00 65 8b 15 14 00 00 00 89 55 f0 31 d2 80 b8 06 02 00 00 00 75 41 8b 18 05 0c 02 00 00 8b 53 04 8d 73 38 <8b> 7a 1c e8 14 03 9e c8 31 d2 89 f0 e8 54 80 b5 c8 f6 43 0c 01
EIP: [<f7cc3df9>] serial_do_free+0x30/0x7b [usbserial] SS:ESP 0068:f15d3e74
CR2: 000000006b6b6b87
---[ end trace 6c0877bfb04cdcd3 ]---


Later when I disconnect the device from the USB port, I get another one:
usb 2-1: USB disconnect, address 3                                                                   
option: option_instat_callback: error -108                                                           
BUG: unable to handle kernel paging request at 6b6b6b6b                                              
IP: [<c0600627>] __list_add+0x38/0x79                                                                
*pde = 00000000                                                                                      
Oops: 0000 [#2] SMP                                                                                  
last sysfs file: /sys/devices/pci0000:00/0000:00:1c.2/0000:02:00.0/ieee80211/phy0/rfkill1/uevent     
Modules linked in: ppp_deflate zlib_deflate ppp_async crc_ccitt ppp_generic slhc fuse option usbserial usb_storage sunrpc ipv6 cpufreq_ondemand acpi_cpufreq dm_multipath uinput snd_hda_codec_si3054 snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm arc4 ppdev btusb parport_pc ecb bluetooth firewire_ohci firewire_core iwl3945 sdhci_pci yenta_socket snd_timer iTCO_wdt sdhci snd parport rsrc_nonstatic crc_itu_t iTCO_vendor_support iwlcore mmc_core soundcore snd_page_alloc e1000e mac80211 toshiba_acpi cfg80211 joydev rfkill ata_generic pata_acpi i915 drm i2c_algo_bit i2c_core video output [last unloaded: microcode]                                                                        

Pid: 26, comm: khubd Tainted: G      D    (2.6.31-0.118.rc5.fc12.i686 #1) Tecra A8
EIP: 0060:[<c0600627>] EFLAGS: 00010046 CPU: 1                                    
EIP is at __list_add+0x38/0x79                                                    
EAX: 6b6b6b6b EBX: f6dd1db0 ECX: f63ecab0 EDX: 6b6b6b6b                           
ESI: 6b6b6b6b EDI: f63ecab0 EBP: f6dd1d8c ESP: f6dd1d7c
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process khubd (pid: 26, ti=f6dd0000 task=f6dc95c0 task.ti=f6dd0000)
Stack:
 95051394 f63eca88 f6dc95c0 f63eca8c f6dd1dd0 c081bb88 f6dd1da8 c046eff8
<0> f63ecab0 00000002 f7cc3f39 f63ecac4 00000202 f6dd1db0 f6dd1db0 11111111
<0> f6dd1db0 95051394 f63eca88 00000000 f63eca88 f6dd1de8 c081be9f f7cc3f39
Call Trace:
 [<c081bb88>] ? __mutex_lock_common+0x107/0x32b
 [<c046eff8>] ? trace_hardirqs_on_caller+0x26/0x155
 [<f7cc3f39>] ? usb_serial_disconnect+0x4d/0x148 [usbserial]
 [<c081be9f>] ? mutex_lock_nested+0x41/0x5a
 [<f7cc3f39>] ? usb_serial_disconnect+0x4d/0x148 [usbserial]
 [<f7cc3f39>] ? usb_serial_disconnect+0x4d/0x148 [usbserial]
 [<c06fbf61>] ? usb_disable_interface+0x3e/0x5e
 [<c06fef51>] ? usb_unbind_interface+0x5e/0xe6
 [<c06a7f3d>] ? __device_release_driver+0x5c/0xa6
 [<c06a8061>] ? device_release_driver+0x2b/0x48
 [<c06a71ee>] ? bus_remove_device+0xa3/0xdd
 [<c06a5238>] ? device_del+0x108/0x15b
 [<c06fbe46>] ? usb_disable_device+0xb6/0x193
 [<c06f62e0>] ? usb_disconnect+0xd7/0x183
 [<c06f78df>] ? hub_events+0x533/0xf0a
 [<c06f82e4>] ? hub_thread+0x2e/0x17e
 [<c06f82e4>] ? hub_thread+0x2e/0x17e
 [<c045c7ba>] ? autoremove_wake_function+0x0/0x55
 [<c06f82b6>] ? hub_thread+0x0/0x17e
 [<c045c464>] ? kthread+0x76/0x7b
 [<c045c3ee>] ? kthread+0x0/0x7b
 [<c040463f>] ? kernel_thread_helper+0x7/0x10
Code: ec 04 65 a1 14 00 00 00 89 45 f0 31 c0 8b 41 04 39 d0 74 17 51 50 52 68 fe 29 95 c0 6a 1a 68 b3 29 95 c0 e8 41 3e e4 ff 83 c4 18 <8b> 06 39 f8 74 17 56 50 57 68 4b 2a 95 c0 6a 1e 68 b3 29 95 c0
EIP: [<c0600627>] __list_add+0x38/0x79 SS:ESP 0068:f6dd1d7c
CR2: 000000006b6b6b6b
---[ end trace 6c0877bfb04cdcd4 ]---
Comment 1 Andrew Morton 2009-08-04 09:17:11 UTC
(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

On Tue, 4 Aug 2009 09:02:16 GMT bugzilla-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=13906
> 
>            Summary: Huawei E169 GPRS connection causes Ooops
>            Product: Drivers
>            Version: 2.5
>     Kernel Version: 2.6.31.rc5
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: Serial
>         AssignedTo: rmk@arm.linux.org.uk
>         ReportedBy: linuxhippy@gmail.com
>         Regression: No
> 

use-after-free in the tty/serial code, I expect.

I also expect that it's a regression - Clemens, are you able to say
whether any earlier kernel version worked OK?

Thanks.

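The "use-after-free" call above is made by eye from the 0x6b bytes in the faulting address and in EDX. The following is an added example (not from the bug report or the kernel tree) that does the same triage programmatically over an excerpt of the first oops, constructed here from the report; POISON_FREE is the real slab poison value from include/linux/poison.h, everything else (function names, the 0x1000 field-offset bound) is this example's own assumption.

```python
import re

# Slab poison values (include/linux/poison.h). With slab debugging on, a freed object
# is filled with POISON_FREE (0x6b); an address made of 0x6b bytes plus a small field
# offset means a pointer was loaded from memory that had already been freed.
POISON_FREE = 0x6b
WORD_BYTES = 4          # i686 kernel in the report; 8 for x86_64
MAX_FIELD_OFF = 0x1000  # assumption: larger deltas are not a struct field offset

# Constructed excerpt of the first oops in the report (the serial_close path).
SAMPLE_OOPS = """\
BUG: unable to handle kernel paging request at 6b6b6b87
IP: [<f7cc3df9>] serial_do_free+0x30/0x7b [usbserial]
EAX: f259ca6c EBX: f63eca50 ECX: f7cc3e44 EDX: 6b6b6b6b
ESI: f63eca88 EDI: 00000000 EBP: f15d3e84 ESP: f15d3e74
Call Trace:
 [<f7cc3ed3>] ? serial_close+0x8f/0xa8 [usbserial]
 [<c0679747>] ? tty_release_dev+0x16a/0x3fa
"""

REG_RE = re.compile(r"\b(E[A-D]X|E[SD]I|E[BS]P): ([0-9a-f]{8})")

def poison_offset(addr, poison=POISON_FREE, width=WORD_BYTES):
    """Field offset if addr == (word of poison bytes) + small offset, else None."""
    off = addr - int.from_bytes(bytes([poison]) * width, "little")
    return off if 0 <= off < MAX_FIELD_OFF else None

def triage_oops(text):
    """Pull fault address, faulting symbol and poisoned registers out of an i386 oops."""
    r = {"fault_addr": None, "fault_func": None, "poisoned_regs": {}, "deref": None}
    m = re.search(r"paging request at ([0-9a-f]+)", text)
    if m:
        r["fault_addr"] = int(m.group(1), 16)
    m = re.search(r"^IP: \[<[0-9a-f]+>\] (\S+)", text, re.M)
    if m:
        r["fault_func"] = m.group(1)
    regs = {reg: int(val, 16) for reg, val in REG_RE.findall(text)}
    for reg, val in regs.items():
        off = poison_offset(val)
        if off is not None:
            r["poisoned_regs"][reg] = off
    # Which poisoned register plus which struct field offset gives the fault address?
    # In the report EDX=6b6b6b6b and the fault is at 6b6b6b87, i.e. the faulting
    # instruction (<8b> 7a 1c = mov edi,[edx+0x1c]) read field +0x1c of a freed object.
    if r["fault_addr"] is not None:
        for reg in r["poisoned_regs"]:
            delta = r["fault_addr"] - regs[reg]
            if 0 <= delta < MAX_FIELD_OFF:
                r["deref"] = (reg, delta)
                break
    poisoned_fault = r["fault_addr"] is not None and poison_offset(r["fault_addr"]) is not None
    r["verdict"] = ("likely use-after-free (POISON_FREE pattern)"
                    if poisoned_fault or r["poisoned_regs"] else "no slab poison pattern seen")
    return r
```

The same check applied to the second oops in the report (fault at 6b6b6b6b in __list_add, with EAX, EDX and ESI all poisoned) points at the same freed usb_serial object being touched again from the disconnect path.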
Comment 2 Andrew Morton 2009-08-04 09:18:25 UTC
Assigned to Greg.  Sorry :(
Comment 3 Clemens Eisserer 2009-08-04 09:31:10 UTC
Hi Andrew,

> use-after-free in the tty/serial code, I expect.
>
> I also expect that it's a regression - Clemens, are you able to say
> whether any earlier kernel version worked OK?

2.6.30 worked fine, 2.6.31.rc2 already showed that problem.

- Clemens
Comment 4 Andrew Morton 2009-08-04 09:53:05 UTC
Marked as a regression.  Post-2.6.30.
Comment 5 Alan Stern 2009-08-04 14:25:23 UTC
On Tue, 4 Aug 2009, Andrew Morton wrote:

> > http://bugzilla.kernel.org/show_bug.cgi?id=13906
> > 
> >            Summary: Huawei E169 GPRS connection causes Ooops

There are a lot of serial fixes in Greg KH's queue.  Try applying:

http://www.kernel.org/pub/linux/kernel/people/gregkh/gregkh-2.6/gregkh-all-2.6.31-rc5.patch

to your 2.6.31-rc5 kernel.  In particular, this one patch:

http://www.kernel.org/pub/linux/kernel/people/gregkh/gregkh-2.6/gregkh-05-tty/tty-usb-shutdown

might solve your problem.

Alan Stern
Comment 6 Greg Kroah-Hartman 2009-08-04 15:15:14 UTC
On Tue, Aug 04, 2009 at 10:25:20AM -0400, Alan Stern wrote:
> On Tue, 4 Aug 2009, Andrew Morton wrote:
> 
> > > http://bugzilla.kernel.org/show_bug.cgi?id=13906
> > > 
> > >            Summary: Huawei E169 GPRS connection causes Ooops
> 
> There are a lot of serial fixes in Greg KH's queue.  Try applying:
> 
>
> http://www.kernel.org/pub/linux/kernel/people/gregkh/gregkh-2.6/gregkh-all-2.6.31-rc5.patch
> 
> to your 2.6.31-rc5 kernel.  In particular, this one patch:
> 
>
> http://www.kernel.org/pub/linux/kernel/people/gregkh/gregkh-2.6/gregkh-05-tty/tty-usb-shutdown
> 
> might solve your problem.

If it does, I need to know soon, as that isn't queued up for a .31 release.

thanks,

greg k-h
Comment 7 Clemens Eisserer 2009-08-04 15:55:48 UTC
I'll try to get that done soon, however it's not easy sitting behind a
~56K GPRS connection which decides to break every 5 min ;)

- Clemens
Comment 8 Clemens Eisserer 2009-10-30 18:15:08 UTC
2.6.31.5-96.fc12.i686 seems to work fine :)
Comment 9 Greg Kroah-Hartman 2009-10-30 18:21:11 UTC
Great, marking closed.