From: David Miller <davem@davemloft.net>
To: bjorn@mork.no
Cc: netdev@vger.kernel.org, linux-usb@vger.kernel.org, dnlplm@gmail.com
Subject: Re: [PATCH net,stable] qmi_wwan: fix NULL deref on disconnect
Date: Tue, 08 Aug 2017 21:14:42 -0700 (PDT)
Message-ID: <20170808.211442.1758463645187832260.davem@davemloft.net>
In-Reply-To: <20170808160211.4777-1-bjorn@mork.no>

From: Bjørn Mork <bjorn@mork.no>
Date: Tue, 8 Aug 2017 18:02:11 +0200

> qmi_wwan_disconnect is called twice when disconnecting devices with
> separate control and data interfaces. The first invocation will set
> the interface data to NULL for both interfaces to flag that the
> disconnect has been handled. But the matching NULL check was left
> out when qmi_wwan_disconnect was added, resulting in this oops:
>
> usb 2-1.4: USB disconnect, device number 4
> qmi_wwan 2-1.4:1.6 wwp0s29u1u4i6: unregister 'qmi_wwan' usb-0000:00:1d.0-1.4, WWAN/QMI device
> BUG: unable to handle kernel NULL pointer dereference at 00000000000000e0
> IP: qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
> PGD 0
> P4D 0
> Oops: 0000 [#1] SMP
> Modules linked in: <stripped irrelevant module list>
> CPU: 2 PID: 33 Comm: kworker/2:1 Tainted: G E 4.12.3-nr44-normandy-r1500619820+ #1
> Hardware name: LENOVO 4291LR7/4291LR7, BIOS CBET4000 4.6-810-g50522254fb 07/21/2017
> Workqueue: usb_hub_wq hub_event [usbcore]
> task: ffff8c882b716040 task.stack: ffffb8e800d84000
> RIP: 0010:qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
> RSP: 0018:ffffb8e800d87b38 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000001 RSI: ffff8c8824f3f1d0 RDI: ffff8c8824ef6400
> RBP: ffff8c8824ef6400 R08: 0000000000000000 R09: 0000000000000000
> R10: ffffb8e800d87780 R11: 0000000000000011 R12: ffffffffc07ea0e8
> R13: ffff8c8824e2e000 R14: ffff8c8824e2e098 R15: 0000000000000000
> FS: 0000000000000000(0000) GS:ffff8c8835300000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000000000e0 CR3: 0000000229ca5000 CR4: 00000000000406e0
> Call Trace:
> ? usb_unbind_interface+0x71/0x270 [usbcore]
> ? device_release_driver_internal+0x154/0x210
> ? qmi_wwan_unbind+0x6d/0xc0 [qmi_wwan]
> ? usbnet_disconnect+0x6c/0xf0 [usbnet]
> ? qmi_wwan_disconnect+0x87/0xc0 [qmi_wwan]
> ? usb_unbind_interface+0x71/0x270 [usbcore]
> ? device_release_driver_internal+0x154/0x210
>
> Reported-and-tested-by: Nathaniel Roach <nroach44@gmail.com>
> Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
> Cc: Daniele Palmas <dnlplm@gmail.com>
> Signed-off-by: Bjørn Mork <bjorn@mork.no>
Applied and queued up for -stable, thanks.
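
The re-entrant disconnect described in the quoted commit message, modelled in userspace C as an added example. It is not the qmi_wwan driver code or the patch under discussion, and every type and function name in it is hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace model of the call pattern in the oops; all names are hypothetical. */
struct state { int flags; };        /* stands in for per-device driver state */
struct intf {
    struct state *data;             /* the "interface data" pointer */
    struct intf *other;             /* sibling control or data interface */
};
static int null_derefs;             /* accesses that would have oopsed */
static void disconnect(struct intf *intf, int guarded);

/* Clear the data on both interfaces, then release the sibling, which
 * re-enters disconnect() for it (the nested frames in the call trace). */
static void unbind(struct intf *intf, int guarded)
{
    intf->data = NULL;
    intf->other->data = NULL;
    disconnect(intf->other, guarded);
}

static void disconnect(struct intf *intf, int guarded)
{
    struct state *st = intf->data;

    if (!st) {                      /* second invocation lands here */
        if (!guarded)
            null_derefs++;          /* unguarded code would read st->flags */
        return;
    }
    (void)st->flags;                /* state is used before teardown */
    unbind(intf, guarded);
}

/* One unplug of a two-interface device; returns the would-be NULL derefs. */
int simulate_unplug(int guarded)
{
    struct state st = { 0 };
    struct intf ctrl = { &st, NULL }, data = { &st, &ctrl };
    ctrl.other = &data;
    null_derefs = 0;
    disconnect(&ctrl, guarded);
    return null_derefs;
}

int main(void)
{
    printf("unguarded: %d, guarded: %d\n", simulate_unplug(0), simulate_unplug(1));
    return 0;
}
```

The model counts the faulting access instead of performing it, so both variants can be run side by side.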