[PATCH net,stable] qmi_wwan: fix NULL deref on disconnect

[PATCH net,stable] qmi_wwan: fix NULL deref on disconnect

[Bjørn Mork]

qmi_wwan_disconnect is called twice when disconnecting devices with
separate control and data interfaces.  The first invocation will set
the interface data to NULL for both interfaces to flag that the
disconnect has been handled.  But the matching NULL check was left
out when qmi_wwan_disconnect was added, resulting in this oops:

  usb 2-1.4: USB disconnect, device number 4
  qmi_wwan 2-1.4:1.6 wwp0s29u1u4i6: unregister 'qmi_wwan' usb-0000:00:1d.0-1.4, WWAN/QMI device
  BUG: unable to handle kernel NULL pointer dereference at 00000000000000e0
  IP: qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
  PGD 0
  P4D 0
  Oops: 0000 [#1] SMP
  Modules linked in: <stripped irrelevant module list>
  CPU: 2 PID: 33 Comm: kworker/2:1 Tainted: G            E   4.12.3-nr44-normandy-r1500619820+ #1
  Hardware name: LENOVO 4291LR7/4291LR7, BIOS CBET4000 4.6-810-g50522254fb 07/21/2017
  Workqueue: usb_hub_wq hub_event [usbcore]
  task: ffff8c882b716040 task.stack: ffffb8e800d84000
  RIP: 0010:qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
  RSP: 0018:ffffb8e800d87b38 EFLAGS: 00010246
  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
  RDX: 0000000000000001 RSI: ffff8c8824f3f1d0 RDI: ffff8c8824ef6400
  RBP: ffff8c8824ef6400 R08: 0000000000000000 R09: 0000000000000000
  R10: ffffb8e800d87780 R11: 0000000000000011 R12: ffffffffc07ea0e8
  R13: ffff8c8824e2e000 R14: ffff8c8824e2e098 R15: 0000000000000000
  FS:  0000000000000000(0000) GS:ffff8c8835300000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000000000e0 CR3: 0000000229ca5000 CR4: 00000000000406e0
  Call Trace:
   ? usb_unbind_interface+0x71/0x270 [usbcore]
   ? device_release_driver_internal+0x154/0x210
   ? qmi_wwan_unbind+0x6d/0xc0 [qmi_wwan]
   ? usbnet_disconnect+0x6c/0xf0 [usbnet]
   ? qmi_wwan_disconnect+0x87/0xc0 [qmi_wwan]
   ? usb_unbind_interface+0x71/0x270 [usbcore]
   ? device_release_driver_internal+0x154/0x210

Reported-and-tested-by: Nathaniel Roach <nroach44@gmail.com>
Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
Cc: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
---
Needed for v4.12 and later


 drivers/net/usb/qmi_wwan.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index ff6f39fe6c00..8c3733608271 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -1341,10 +1341,14 @@ static int qmi_wwan_probe(struct usb_interface *intf,
 static void qmi_wwan_disconnect(struct usb_interface *intf)
 {
 	struct usbnet *dev = usb_get_intfdata(intf);
-	struct qmi_wwan_state *info = (void *)&dev->data;
+	struct qmi_wwan_state *info;
 	struct list_head *iter;
 	struct net_device *ldev;
 
+	/* called twice if separate control and data intf */
+	if (!dev)
+		return;
+	info = (void *)&dev->data;
 	if (info->flags & QMI_WWAN_FLAG_MUX) {
 		if (!rtnl_trylock()) {
 			restart_syscall();
-- 
2.11.0

Re: [PATCH net,stable] qmi_wwan: fix NULL deref on disconnect

[David Miller]

From: Bjørn Mork <bjorn@mork.no>
Date: Tue,  8 Aug 2017 18:02:11 +0200

> qmi_wwan_disconnect is called twice when disconnecting devices with
> separate control and data interfaces.  The first invocation will set
> the interface data to NULL for both interfaces to flag that the
> disconnect has been handled.  But the matching NULL check was left
> out when qmi_wwan_disconnect was added, resulting in this oops:
> 
>   usb 2-1.4: USB disconnect, device number 4
>   qmi_wwan 2-1.4:1.6 wwp0s29u1u4i6: unregister 'qmi_wwan' usb-0000:00:1d.0-1.4, WWAN/QMI device
>   BUG: unable to handle kernel NULL pointer dereference at 00000000000000e0
>   IP: qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
>   PGD 0
>   P4D 0
>   Oops: 0000 [#1] SMP
>   Modules linked in: <stripped irrelevant module list>
>   CPU: 2 PID: 33 Comm: kworker/2:1 Tainted: G            E   4.12.3-nr44-normandy-r1500619820+ #1
>   Hardware name: LENOVO 4291LR7/4291LR7, BIOS CBET4000 4.6-810-g50522254fb 07/21/2017
>   Workqueue: usb_hub_wq hub_event [usbcore]
>   task: ffff8c882b716040 task.stack: ffffb8e800d84000
>   RIP: 0010:qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
>   RSP: 0018:ffffb8e800d87b38 EFLAGS: 00010246
>   RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
>   RDX: 0000000000000001 RSI: ffff8c8824f3f1d0 RDI: ffff8c8824ef6400
>   RBP: ffff8c8824ef6400 R08: 0000000000000000 R09: 0000000000000000
>   R10: ffffb8e800d87780 R11: 0000000000000011 R12: ffffffffc07ea0e8
>   R13: ffff8c8824e2e000 R14: ffff8c8824e2e098 R15: 0000000000000000
>   FS:  0000000000000000(0000) GS:ffff8c8835300000(0000) knlGS:0000000000000000
>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>   CR2: 00000000000000e0 CR3: 0000000229ca5000 CR4: 00000000000406e0
>   Call Trace:
>    ? usb_unbind_interface+0x71/0x270 [usbcore]
>    ? device_release_driver_internal+0x154/0x210
>    ? qmi_wwan_unbind+0x6d/0xc0 [qmi_wwan]
>    ? usbnet_disconnect+0x6c/0xf0 [usbnet]
>    ? qmi_wwan_disconnect+0x87/0xc0 [qmi_wwan]
>    ? usb_unbind_interface+0x71/0x270 [usbcore]
>    ? device_release_driver_internal+0x154/0x210
> 
> Reported-and-tested-by: Nathaniel Roach <nroach44@gmail.com>
> Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
> Cc: Daniele Palmas <dnlplm@gmail.com>
> Signed-off-by: Bjørn Mork <bjorn@mork.no>

Applied and queued up for -stable, thanks.