linux/drivers/net/usb
Bjørn Mork bbae08e592 qmi_wwan: fix NULL deref on disconnect
qmi_wwan_disconnect is called twice when disconnecting devices with
separate control and data interfaces.  The first invocation will set
the interface data to NULL for both interfaces to flag that the
disconnect has been handled.  But the matching NULL check was left
out when qmi_wwan_disconnect was added, resulting in this oops:

  usb 2-1.4: USB disconnect, device number 4
  qmi_wwan 2-1.4:1.6 wwp0s29u1u4i6: unregister 'qmi_wwan' usb-0000:00:1d.0-1.4, WWAN/QMI device
  BUG: unable to handle kernel NULL pointer dereference at 00000000000000e0
  IP: qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
  PGD 0
  P4D 0
  Oops: 0000 [#1] SMP
  Modules linked in: <stripped irrelevant module list>
  CPU: 2 PID: 33 Comm: kworker/2:1 Tainted: G            E   4.12.3-nr44-normandy-r1500619820+ #1
  Hardware name: LENOVO 4291LR7/4291LR7, BIOS CBET4000 4.6-810-g50522254fb 07/21/2017
  Workqueue: usb_hub_wq hub_event [usbcore]
  task: ffff8c882b716040 task.stack: ffffb8e800d84000
  RIP: 0010:qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
  RSP: 0018:ffffb8e800d87b38 EFLAGS: 00010246
  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
  RDX: 0000000000000001 RSI: ffff8c8824f3f1d0 RDI: ffff8c8824ef6400
  RBP: ffff8c8824ef6400 R08: 0000000000000000 R09: 0000000000000000
  R10: ffffb8e800d87780 R11: 0000000000000011 R12: ffffffffc07ea0e8
  R13: ffff8c8824e2e000 R14: ffff8c8824e2e098 R15: 0000000000000000
  FS:  0000000000000000(0000) GS:ffff8c8835300000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000000000e0 CR3: 0000000229ca5000 CR4: 00000000000406e0
  Call Trace:
   ? usb_unbind_interface+0x71/0x270 [usbcore]
   ? device_release_driver_internal+0x154/0x210
   ? qmi_wwan_unbind+0x6d/0xc0 [qmi_wwan]
   ? usbnet_disconnect+0x6c/0xf0 [usbnet]
   ? qmi_wwan_disconnect+0x87/0xc0 [qmi_wwan]
   ? usb_unbind_interface+0x71/0x270 [usbcore]
   ? device_release_driver_internal+0x154/0x210

Reported-and-tested-by: Nathaniel Roach <nroach44@gmail.com>
Fixes: c6adf77953 ("net: usb: qmi_wwan: add qmap mux protocol support")
Cc: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-08 21:14:16 -07:00
asix_common.c asix: Fix small memory leak in ax88772_unbind() 2017-08-07 10:10:19 -07:00
asix_devices.c asix: Fix small memory leak in ax88772_unbind() 2017-08-07 10:10:19 -07:00
asix.h asix: Fix small memory leak in ax88772_unbind() 2017-08-07 10:10:19 -07:00
ax88172a.c net: usbnet: support 64bit stats 2017-04-03 19:09:40 -07:00
ax88179_178a.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
catc.c net: usb: catc: use new api ethtool_{get|set}_link_ksettings 2017-03-13 15:25:53 -07:00
cdc_eem.c
cdc_ether.c cdc-ether: divorce initialisation with a filter reset and a generic method 2017-05-23 11:01:28 -04:00
cdc_mbim.c net: cdc_mbim: apply "NDP to end" quirk to HP lt4132 2017-07-03 02:19:36 -07:00
cdc_ncm.c cdc_ncm: Set NTB format again after altsetting switch for Huawei devices 2017-07-14 08:15:05 -07:00
cdc_subset.c
cdc-phonet.c networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
ch9200.c net: ch9200: add missing USB-descriptor endianness conversions 2017-05-12 12:15:46 -04:00
cx82310_eth.c cx82310_eth: use skb_cow_head() to deal with cloned skbs 2017-04-21 13:24:05 -04:00
dm9601.c net: usbnet: support 64bit stats 2017-04-03 19:09:40 -07:00
gl620a.c networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
hso.c net: manual clean code which call skb_put_[data:zero] 2017-06-20 13:30:15 -04:00
huawei_cdc_ncm.c cdc_ncm: Set NTB format again after altsetting switch for Huawei devices 2017-07-14 08:15:05 -07:00
int51x1.c net: introduce __skb_put_[zero, data, u8] 2017-06-20 13:30:14 -04:00
ipheth.c networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
kalmia.c networking: convert many more places to skb_put_zero() 2017-06-16 11:48:35 -04:00
kaweth.c networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
Kconfig usb: plusb: Add support for PL-27A1 2017-04-25 10:08:16 -04:00
lan78xx.c lan78xx: Fix to handle hard_header_len update 2017-08-02 10:39:58 -07:00
lan78xx.h lan78xx: add LAN7801 MAC only support 2016-12-08 14:21:47 -05:00
lg-vl600.c networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
Makefile USB: cdc_subset: only build when one driver is enabled 2016-02-18 15:59:45 -05:00
mcs7830.c net: usbnet: support 64bit stats 2017-04-03 19:09:40 -07:00
net1080.c networking: add and use skb_put_u8() 2017-06-16 11:48:40 -04:00
pegasus.c usbnet: pegasus: Use net_device_stats from struct net_device 2017-04-07 07:03:33 -07:00
pegasus.h usbnet: pegasus: Use net_device_stats from struct net_device 2017-04-07 07:03:33 -07:00
plusb.c usb: plusb: Add support for PL-27A1 2017-04-25 10:08:16 -04:00
qmi_wwan.c qmi_wwan: fix NULL deref on disconnect 2017-08-08 21:14:16 -07:00
r8152.c r8152: correct the definition 2017-06-21 11:32:57 -04:00
rndis_host.c networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
rtl8150.c net: usb: rtl8150: use new api ethtool_{get|set}_link_ksettings 2017-03-13 15:25:54 -07:00
sierra_net.c net: usbnet: support 64bit stats 2017-04-03 19:09:40 -07:00
smsc75xx.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-21 20:23:53 -07:00
smsc75xx.h
smsc95xx.c smsc95xx: use ethtool_op_get_ts_info() 2017-07-14 08:54:03 -07:00
smsc95xx.h smsc95xx: Add comments to the registers definition 2017-04-17 13:04:52 -04:00
sr9700.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-04-21 20:23:53 -07:00
sr9700.h net: usb: sr9700: Use 'SR_' prefix for the common register macros 2015-02-04 13:53:02 -08:00
sr9800.c net: usbnet: support 64bit stats 2017-04-03 19:09:40 -07:00
sr9800.h
usbnet.c net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
zaurus.c networking: add and use skb_put_u8() 2017-06-16 11:48:40 -04:00