[FS#1382] crash in __slab_free.isra from kfree

LEDE Bugs lede-bugs at lists.infradead.org
Wed Feb 21 11:52:27 PST 2018 

A new Flyspray task has been opened.  Details are below. 

User who did this - Andy Burns (andyburns) 

Attached to Project - OpenWrt/LEDE Project
Summary - crash in __slab_free.isra  from kfree
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Low
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - Supply the following if possible:

 - Device problem occurs on

BT homehub 5a

 - Software versions of OpenWrt/LEDE release, packages, etc.

SNAPSHOT, r6182

kernel - 4.9.82-1-b3856355ef32057f204aaf8b7ab28ff3
kmod-usb-net-cdc-ncm - 4.9.82-1
kmod-usb-net-huawei-cdc-ncm - 4.9.82-1
kmod-usb-serial - 4.9.82-1
kmod-usb-serial-wwan - 4.9.82-1
usb-modeswitch - 2017-12-19-f40f84c2-1

 - Steps to reproduce

Trying to get Huawei E3372 4G dongle running in NCM mode
after usbmodes runs, the /etc/ncm-wdm0 is created, but does not communicate with modem on dongle

I have to run
echo "12d1 1506 ff" > /sys/bus/usb-serial/drivers/generic/new_id

which gives

[ 1003.351417] usbserial_generic 1-1:1.0: The "generic" usb-serial driver is only for testing and one-off prototypes.
[ 1003.360515] usbserial_generic 1-1:1.0: Tell linux-usb at vger.kernel.org to add your device to a proper driver.
[ 1003.370345] usbserial_generic 1-1:1.0: generic converter detected
[ 1003.377122] usb 1-1: generic converter now attached to ttyUSB0
[ 1003.382521] usbserial_generic 1-1:1.1: The "generic" usb-serial driver is only for testing and one-off prototypes.
[ 1003.392654] usbserial_generic 1-1:1.1: Tell linux-usb at vger.kernel.org to add your device to a proper driver.
[ 1003.402464] usbserial_generic 1-1:1.1: generic converter detected
[ 1003.409607] usb 1-1: generic converter now attached to ttyUSB1

I realize that forcing the generic usb serial in this way is not "proper" but it seems necessary for the moment to get any communication with the modem

this does create /dev/ttyUSB0 and ttyUSB1 devices, 

startimg the 4G interface with

ifup LTE 

will then communicate with the modem, the chat script gets responses to the AT commands

unfortunately as soon as
I run 

ifdown LTE 

I get a repeatable crash

root at hh5a:/# ifdown LTE
root at hh5a:/#
root at hh5a:/# [256467.571884] CPU 1 Unable to handle kernel paging request at virtual address 67901b30, epc == 800f33f8, ra == 800f3b94
[256467.581230] Oops[#1]:
[256467.583518] CPU: 1 PID: 14 Comm: ksoftirqd/1 Not tainted 4.9.82 #0
[256467.589782] task: 87c3d080 task.stack: 87c7a000
[256467.594379] $ 0   : 00000000 806f0004 67901b30 00000001
[256467.599688] $ 4   : 87c02b00 810fb560 67901a00 67901a00
[256467.605003] $ 8   : 805993f8 04efd20a d208b27a 0000008c
[256467.610310] $12   : 52016177 ffffffff 00000000 1a0004e4
[256467.615619] $16   : 810fb560 850d8008 000d001a 00000000
[256467.620930] $20   : 805990a0 00000000 87c02b00 00000000
[256467.626238] $24   : 00000000 875e36f8
[256467.631549] $28   : 87c7a000 87c7bcd8 00000018 800f3b94
[256467.636856] Hi    : 00000000
[256467.639814] Lo    : 0000c400
[256467.642811] epc   : 800f33f8 __slab_free.isra.13+0x64/0x334
[256467.648453] ra    : 800f3b94 kfree+0x194/0x1a4
[256467.652963] Status: 1100c303        KERNEL EXL IE
[256467.657223] Cause : 0080000c (ExcCode 03)
[256467.661312] BadVA : 67901b30
[256467.664274] PrId  : 00019556 (MIPS 34Kc)
[256467.668270] Modules linked in: ltq_ptm_vr9 ath9k ath9k_common ath9k_hw ath10k_pci ath10k_core ath usb_wwan pppoe nf_nat_pptp nf_conntrack_pptp nf_conntrack_ipv6 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE huawei_cdc_ncm cfg80211 cdc_ncm xt_time xt_tcpudp xt_tcpmss xt_statistic xt_state xt_recent xt_nat xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_helper xt_ecn xt_dscp xt_conntrack xt_connmark xt_connlimit xt_connbytes xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_HL xt_DSCP xt_CT xt_CLASSIFY usbserial usbnet ts_fsm ts_bm pppox ppp_async owl_loader nf_reject_ipv4 nf_nat_tftp nf_nat_snmp_basic nf_nat_sip nf_nat_redirect nf_nat_proto_gre nf_nat_masquerade_ipv4 nf_nat_irc nf_conntrack_ipv4 nf_nat_ipv4 nf_nat_h323 nf_nat_amanda nf_nat nf_log_ipv4 nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_tftp nf_conntrack_snmp nf_conntrack_sip nf_conntrack_rtcache nf_conntrack_proto_gre nf_conntrack_irc nf_conntrack_h323 nf_conntrack_broadcast ts_kmp nf_conntrack_amanda ltq_deu_vr9 iptable_mangle iptable_filter ipt_ECN ip_tables crc_ccitt compat cdc_wdm sch_cake nf_conntrack act_skbedit act_mirred em_u32 cls_u32 cls_tcindex cls_flow cls_route cls_fw sch_tbf sch_htb sch_hfsc sch_ingress drv_dsl_cpe_api drv_mei_cpe ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables x_tables pppoatm ppp_generic slhc ifb br2684 atm mii drv_ifxos dwc2 gpio_button_hotplug
Process ksoftirqd/1 (pid: 14, threadinfo=87c7a000, task=87c3d080, tls=00000000)
[256467.798220] Stack : 00000000 00000001 00000000 00000000 67901a00 67901a00 00000001 805a0000
[256467.806661]         04f6d940 850d8008 00003fe0 00000002 67901a00 04efd20a d208b27a d20f920a
[256467.815103]         52016177 ffffffff 00000000 1a0004e4 876a8d00 850d8008 87d7b800 00000000
[256467.823546]         876a8d00 850d8008 87d7b800 00000000 805990a0 00010000 00000002 00000000
[256467.831989]         00000018 800f3b94 00000018 875e36bc 1100c303 00000000 00000001 04f6d940
[256467.840432]         ...
[256467.842959] Call Trace:
[256467.845511] [] __slab_free.isra.13+0x64/0x334
[256467.850826] [] kfree+0x194/0x1a4
[256467.854986] Code: 8e12000c  00621021  8fa30018  00121402  00431023  3042ffff  afb2002c  32570001
[256467.864804]
[256467.866497] ---[ end trace e77f91eef6b40e80 ]---

root at h[256467.872551] Kernel panic - not syncing: Fatal exception in interrupt
[256467.878975] Rebooting in 3 seconds..

 

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=1382

More information about the lede-bugs mailing list