Ubuntu
usb-modeswitch package

Mobile broadband device causes segfault when plugged in (segfault in libc6 when using usb-modeswitch)

Bug #927954 reported by Tom Haddon on 2012-02-06

This bug report is a duplicate of: Bug #1155975: usb_modeswitch_dispatcher crashed with SIGSEGV in __strlen_ia32(). Edit Remove

This bug affects 6 people

Affects		Status	Importance	Assigned to	Milestone
	Usb Modeswitch	Fix Released	Unknown	debbugs #656688
	usb-modeswitch (Ubuntu)	Fix Released	Undecided	Mathieu Trudel-Lapierre

Bug Description

When I plug in my 02 (UK) mobile broadband dongle, I get the following in syslog:

Feb 6 22:03:06 mallory kernel: [34106.958301] usb_modeswitch_[9675]: segfault at 0 ip b766cfc1 sp bfb18bc0 error 4 in libc-2.13.so[b75f3000+179000]
Feb 6 22:03:07 mallory kernel: [34107.899586] scsi 8:0:0:0: CD-ROM HUAWEI Mass Storage 2.31 PQ: 0 ANSI: 2
Feb 6 22:03:07 mallory kernel: [34107.899666] scsi 9:0:0:0: Direct-Access HUAWEI SD Storage 2.31 PQ: 0 ANSI: 2
Feb 6 22:03:07 mallory kernel: [34107.900816] sd 9:0:0:0: Attached scsi generic sg1 type 0
Feb 6 22:03:07 mallory kernel: [34107.905205] sr0: scsi-1 drive
Feb 6 22:03:07 mallory kernel: [34107.905846] sd 9:0:0:0: [sdb] Attached SCSI removable disk
Feb 6 22:03:07 mallory kernel: [34107.905930] sr 8:0:0:0: Attached scsi CD-ROM sr0
Feb 6 22:03:07 mallory kernel: [34107.906017] sr 8:0:0:0: Attached scsi generic sg2 type 5

The device then doesn't get registered in network manager and I can't use it to connect to the Internet.

It was working fine in oneiric, this is the first time I've tried it since the precise upgrade.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: linux-image-3.2.0-12-generic-pae 3.2.0-12.21
ProcVersionSignature: Ubuntu 3.2.0-12.21-generic-pae 3.2.2
Uname: Linux 3.2.0-12-generic-pae i686
AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.24.
ApportVersion: 1.91-0ubuntu1
Architecture: i386
ArecordDevices:
**** List of CAPTURE Hardware Devices ****
card 0: PCH [HDA Intel PCH], device 0: CONEXANT Analog [CONEXANT Analog]
   Subdevices: 1/1
   Subdevice #0: subdevice #0
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC0: mthaddon 1575 F.... pulseaudio
Card0.Amixer.info:
Card hw:0 'PCH'/'HDA Intel PCH at 0xf2520000 irq 45'
   Mixer name : 'Intel CougarPoint HDMI'
   Components : 'HDA:14f1506e,17aa21da,00100002 HDA:80862805,80860101,00100000'
   Controls : 26
   Simple ctrls : 8
Card29.Amixer.info:
Card hw:29 'ThinkPadEC'/'ThinkPad Console Audio Control at EC reg 0x30, fw unknown'
   Mixer name : 'ThinkPad EC (unknown)'
   Components : ''
   Controls : 1
   Simple ctrls : 1
Card29.Amixer.values:
Simple mixer control 'Console',0
   Capabilities: pswitch pswitch-joined penum
   Playback channels: Mono
   Mono: Playback [on]
CheckboxSubmission: e9bd5d0c11367f73e7718b1ea675f7ba
CheckboxSystem: bb422ca46d02494cdbc459927a98bc2f
Date: Mon Feb 6 23:15:37 2012
HibernationDevice: RESUME=UUID=17b37d47-31ac-4a51-af71-4f3661ab426b
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Beta i386 (20110921.2)
Lsusb:
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 003: ID 04f2:b217 Chicony Electronics Co., Ltd
MachineType: LENOVO 4287CTO
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.2.0-12-generic-pae root=UUID=0021680f-1924-4d38-986d-52d44d79c9fd ro quiet splash vt.handoff=7
RelatedPackageVersions:
linux-restricted-modules-3.2.0-12-generic-pae N/A
linux-backports-modules-3.2.0-12-generic-pae N/A
linux-firmware 1.68
SourcePackage: linux
StagingDrivers: mei
UpgradeStatus: Upgraded to precise on 2012-02-02 (4 days ago)
dmi.bios.date: 07/07/2011
dmi.bios.vendor: LENOVO
dmi.bios.version: 8DET50WW (1.20 )
dmi.board.asset.tag: Not Available
dmi.board.name: 4287CTO
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias: dmi:bvnLENOVO:bvr8DET50WW(1.20):bd07/07/2011:svnLENOVO:pn4287CTO:pvrThinkPadX220:rvnLENOVO:rn4287CTO:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.name: 4287CTO
dmi.product.version: ThinkPad X220
dmi.sys.vendor: LENOVO

Tags:

Revision history for this message

Tom Haddon (mthaddon) wrote on 2012-02-06:

AcpiTables.txt Edit (340.9 KiB, text/plain; charset="utf-8")
AlsaDevices.txt Edit (657 bytes, text/plain; charset="utf-8")
AplayDevices.txt Edit (469 bytes, text/plain; charset="utf-8")
BootDmesg.txt Edit (64.5 KiB, text/plain; charset="utf-8")
CRDA.txt Edit (257 bytes, text/plain; charset="utf-8")
Card0.Amixer.values.txt Edit (1.4 KiB, text/plain; charset="utf-8")
Card0.Codecs.codec.0.txt Edit (8.2 KiB, text/plain; charset="utf-8")
Card0.Codecs.codec.3.txt Edit (3.7 KiB, text/plain; charset="utf-8")
CurrentDmesg.txt Edit (92.3 KiB, text/plain; charset="utf-8")
Dependencies.txt Edit (1.9 KiB, text/plain; charset="utf-8")
IwConfig.txt Edit (578 bytes, text/plain; charset="utf-8")
Lspci.txt Edit (10.3 KiB, text/plain; charset="utf-8")
PciMultimedia.txt Edit (620 bytes, text/plain; charset="utf-8")
ProcCpuinfo.txt Edit (3.7 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (141 bytes, text/plain; charset="utf-8")
ProcInterrupts.txt Edit (1.9 KiB, text/plain; charset="utf-8")
ProcModules.txt Edit (3.2 KiB, text/plain; charset="utf-8")
PulseSinks.txt Edit (2.1 KiB, text/plain; charset="utf-8")
PulseSources.txt Edit (3.4 KiB, text/plain; charset="utf-8")
RfKill.txt Edit (128 bytes, text/plain; charset="utf-8")
UdevDb.txt Edit (115.6 KiB, text/plain; charset="utf-8")
UdevLog.txt Edit (269.4 KiB, text/plain; charset="utf-8")
WifiSyslog.txt Edit (914.6 KiB, text/plain; charset="utf-8")

Revision history for this message

Brad Figg (brad-figg) wrote on 2012-02-06: Test with newer development kernel (3.2.0-14.23)

Thank you for taking the time to file a bug report on this issue.

However, given the number of bugs that the Kernel Team receives during any development cycle it is impossible for us to review them all. Therefore, we occasionally resort to using automated bots to request further testing. This is such a request.

We have noted that there is a newer version of the development kernel than the one you last tested when this issue was found. Please test again with the newer kernel and indicate in the bug if this issue still exists or not.

You can update to the latest development kernel by simply running the following commands in a terminal window:

sudo apt-get update
sudo apt-get upgrade

If the bug still exists, change the bug status from Incomplete to Confirmed. If the bug no longer exists, change the bug status from Incomplete to Fix Released.

If you want this bot to quit automatically requesting kernel tests, add a tag named: bot-stop-nagging.

Thank you for your help, we really do appreciate it.

Changed in linux (Ubuntu):
status:	New → Confirmed
status:	Confirmed → Incomplete
tags:	added: kernel-request-3.2.0-14.23

Revision history for this message

Michael Basse (michael-alpha-unix) wrote on 2012-02-07: Re: Mobile broadband device causes segfault when plugged in

its still affecting the latest kernel, the latest libc6 version and so on (latest dist-upgrade)

[18408.672218] usb 1-2: new high-speed USB device number 4 using ehci_hcd
[18408.810652] scsi3 : usb-storage 1-2:1.0
[18408.983147] usb_modeswitch_[6148]: segfault at 0 ip 00b65fc1 sp bf9495a0 error 4 in libc-2.13.so[aec000+179000]

Changed in linux (Ubuntu):
status:	Incomplete → Confirmed

Revision history for this message

Michael Basse (michael-alpha-unix) wrote on 2012-02-07:

i am not sure if it is a kernel-issue or a libc6 issue, maybe someone can correct it if it is wrong

summary:

- Mobile broadband device causes segfault when plugged in
+ Mobile broadband device causes segfault when plugged in (segfault in
+ libc6 when using usb-modeswitch)

Revision history for this message

Michael Basse (michael-alpha-unix) wrote on 2012-02-07:

also see

http://us.generation-nt.com/answer/bug-657579-usb-modeswitch-usb-modeswitch-dispatcher-segmentation-fault-armhf-help-206212842.html (there is a workarounf for the build-process)

affects:

linux (Ubuntu) → usb-modeswitch (Ubuntu)

Revision history for this message

Michael Basse (michael-alpha-unix) wrote on 2012-02-07:

its fixed in debian (see bug-watcher) so we "just" need to pull the package from debian

tags:

added: patch-accepted-debian

Michael Basse (michael-alpha-unix) on 2012-02-07

tags:

removed: kernel-request-3.2.0-14.23 running-unity staging

Bug Watch Updater (bug-watch-updater) on 2012-02-08

Changed in usb-modeswitch:
status:	Unknown → Fix Released

Revision history for this message

Mathieu Trudel-Lapierre (cyphermox) wrote on 2012-02-08:

This has nothing to do with any fix in Debian -- we on purpose carry a different package, where we avoid using tcl for the dispatcher.

I'll fix this now.

Changed in usb-modeswitch (Ubuntu):
status:	Confirmed → In Progress
assignee:	nobody → Mathieu Trudel-Lapierre (mathieu-tl)

Revision history for this message

Mathieu Trudel-Lapierre (cyphermox) wrote on 2012-02-10:

Well, it's fixed:

usb-modeswitch (1.2.3+repack0-1ubuntu1) precise; urgency=low

  * Merge with Debian; remaining changes:
    - debian/control: Drop the dependency on tcl and Build-Depends on
      jimsh/libjim (another tcl implementation).
    - debian/control: add libudev-dev and libpipeline-dev to Build-Depends.
    - debian/patches/dispatcher-c-rewrite.patch: rewrite the dispatcher in C,
      to be able to drop the Tcl dependencies.
  * debian/patches/dispatcher-c-rewrite.patch: adapt C rewrite patch to take
    in the changes from 1.2.1-1.2.3.
  * debian/patches/redirect_dispatcher_output.patch: redirect all dispatcher
    output when called from udev to /dev/null.

I just fail at closing bugs :)

Michael Basse (michael-alpha-unix) on 2012-02-12

Changed in usb-modeswitch (Ubuntu):
status:	In Progress → Fix Released

Revision history for this message

udippel (udippel) wrote on 2013-02-05:

I get this likewise on 12.10; with a D-Link A6.
I wonder, is this different, should be filed as another bug, or is it a regression?

[94355.544213] usb 1-7: new high-speed USB device number 22 using ehci_hcd
[94355.677155] usb 1-7: New USB device found, idVendor=2001, idProduct=a80b
[94355.677176] usb 1-7: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[94355.677192] usb 1-7: Product: D-Link DWM-156
[94355.677207] usb 1-7: Manufacturer: D-Link,Inc
[94355.677221] usb 1-7: SerialNumber: 532274409833040
[94355.692461] scsi22 : usb-storage 1-7:1.0
[94356.693348] scsi 22:0:0:0: CD-ROM HSPA USB SCSI CD-ROM 6229 PQ: 0 ANSI: 0 CCS
[94356.704318] sr0: scsi3-mmc drive: 0x/0x caddy
[94356.704917] sr 22:0:0:0: Attached scsi CD-ROM sr0
[94356.705432] sr 22:0:0:0: Attached scsi generic sg1 type 5
[94357.001545] usb 1-7: USB disconnect, device number 22
[94357.752123] usb 1-7: new high-speed USB device number 23 using ehci_hcd
[94357.885269] usb 1-7: New USB device found, idVendor=2001, idProduct=7d00
[94357.885278] usb 1-7: New USB device strings: Mfr=5, Product=6, SerialNumber=0
[94357.885285] usb 1-7: Product: D-Link DWM-156
[94357.885290] usb 1-7: Manufacturer: D-Link,Inc
[94357.896123] scsi23 : usb-storage 1-7:1.2
[94358.897250] scsi 23:0:0:0: Direct-Access HSPA USB SCSI CD-ROM 6229 PQ: 0 ANSI: 0 CCS
[94358.909151] sd 23:0:0:0: Attached scsi generic sg1 type 0
[94358.912420] sd 23:0:0:0: [sdb] Attached SCSI removable disk
[94360.204590] usb_modeswitch_[12749]: segfault at 0 ip b766eee1 sp bfb9bbec error 4 in libc-2.15.so[b75f1000+1a3000]

Thanks for answering,

Uwe

Revision history for this message

Pasha Orekhov (pashaorekhov) wrote on 2014-02-20:

#10

Mathieu Trudel-Lapierre (mathieu-tl) you are extreme optimistic:

Feb 20 13:42:41 oak kernel: [23799.840389] usb_modeswitch_[32188]: segfault at 4beeb4 ip b76160d6 sp bff20ba0 error 4 in libc-2.17.so[b759c000+1ae000]
Feb 20 13:50:02 oak kernel: [24240.638396] usb_modeswitch_[32254]: segfault at 4b0eb4 ip b75fa0d6 sp bfbc0040 error 4 in libc-2.17.so[b7580000+1ae000]
Feb 20 13:50:15 oak kernel: [24253.583514] usb_modeswitch_[32269]: segfault at 227eb4 ip b760a0d6 sp bffeddb0 error 4 in libc-2.17.so[b7590000+1ae000]

ubuntu 13.10, 12.LTS
huawei e171 (12d1/155b)
kernel 3.11.0-17-generic
usb-modem-manager 1.2.3+repack0

(gdb) bt (recompiled with -g)
#0 _IO_new_fclose (fp=0x392f68) at iofclose.c:49
#1 0x0804d670 in read_attrs (subsystem=0x8050334 "USB", dev_type=0x8052208 <usb>,
    attr_list=0x8052160 <usb_attrs>, dir=0x939a020 "/sys/bus/usb/devices/1-1")
    at usb_modeswitch_dispatcher.c:1717
#2 0x0804d794 in read_usb_attrs (dir=0x939a020 "/sys/bus/usb/devices/1-1", ifdir=0x0)
    at usb_modeswitch_dispatcher.c:1743
#3 0x0804961a in main (argc=4, argv=0xbf95f2c4) at usb_modeswitch_dispatcher.c:319

run diag:
   if ((rc = fopen(attr_path, "r")) != NULL) {
+ printf("f before =%p\n", rc);
    if (fgets(value, PATH_MAX, rc) != NULL) {
     dev_type[i]->value = strdup(rtrim(value));
    }
    else {
     dev_type[i]->value = 0;
    }
+ printf("f after =%p\n", rc);
    fclose(rc);
   }

run:
/home/opa/works/tst/vagon/huawei_e171/usb-modeswitch-1.2.3+repack0/usb_modeswitch_dispatcher --switch-mode /1-1:1.0 /lib/udev/usb_modeswitch
f before =0x9b66f68
f after =0x9b66f68
f before =0x9b66f68
f after =0x9b66f68
f before =0x9b66f68
f after =0xb66f68

Where is 9?

- while(isspace(*--back));
+ while(back>=s && isspace(*--back));

*(back+1) = '\0';

WTF: bus_id[strlen(bus_id)] = '\0';

Mathieu, please use php and never use c.

Mathieu Trudel-Lapierre (mathieu-tl) you are extreme optimistic:

ubuntu 13.10, 12.LTS
 huawei e171 (12d1/155b)
kernel 3.11.0-17-generic
usb-modem-manager 1.2.3+repack0

(gdb) bt (recompiled with -g)
#0  _IO_new_fclose (fp=0x392f68) at iofclose.c:49
#1  0x0804d670 in read_attrs (subsystem=0x8050334 "USB", dev_type=0x8052208 <usb>, 
    attr_list=0x8052160 <usb_attrs>, dir=0x939a020 "/sys/bus/usb/devices/1-1")
    at usb_modeswitch_dispatcher.c:1717
#2  0x0804d794 in read_usb_attrs (dir=0x939a020 "/sys/bus/usb/devices/1-1", ifdir=0x0)
    at usb_modeswitch_dispatcher.c:1743
#3  0x0804961a in main (argc=4, argv=0xbf95f2c4) at usb_modeswitch_dispatcher.c:319

run diag:
 		if ((rc = fopen(attr_path, "r")) != NULL) {
+			printf("f before =%p\n", rc);
 			if (fgets(value, PATH_MAX, rc) != NULL) {
 				dev_type[i]->value = strdup(rtrim(value));
 			}
 			else {
 				dev_type[i]->value = 0;
 			}
+			printf("f after =%p\n", rc);
 			fclose(rc);
 		}

Where is 9?

and fuck you  Mathieu Trudel-Lapierre :
--- usb_modeswitch_dispatcher.c.orig	2014-02-20 15:08:44.665397121 +0700
+++ usb_modeswitch_dispatcher.c	2014-02-20 17:04:27.269572144 +0700
@@ -838,7 +838,7 @@
 {
     char* back = s + strlen(s);
 
-    while(isspace(*--back));
+    while(back>=s && isspace(*--back));
 
     *(back+1) = '\0';

WTF: bus_id[strlen(bus_id)] = '\0';

Mathieu, please use php and never use c.