linux/drivers/net
Bjørn Mork bbae08e592 qmi_wwan: fix NULL deref on disconnect
qmi_wwan_disconnect is called twice when disconnecting devices with
separate control and data interfaces.  The first invocation will set
the interface data to NULL for both interfaces to flag that the
disconnect has been handled.  But the matching NULL check was left
out when qmi_wwan_disconnect was added, resulting in this oops:

  usb 2-1.4: USB disconnect, device number 4
  qmi_wwan 2-1.4:1.6 wwp0s29u1u4i6: unregister 'qmi_wwan' usb-0000:00:1d.0-1.4, WWAN/QMI device
  BUG: unable to handle kernel NULL pointer dereference at 00000000000000e0
  IP: qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
  PGD 0
  P4D 0
  Oops: 0000 [#1] SMP
  Modules linked in: <stripped irrelevant module list>
  CPU: 2 PID: 33 Comm: kworker/2:1 Tainted: G            E   4.12.3-nr44-normandy-r1500619820+ #1
  Hardware name: LENOVO 4291LR7/4291LR7, BIOS CBET4000 4.6-810-g50522254fb 07/21/2017
  Workqueue: usb_hub_wq hub_event [usbcore]
  task: ffff8c882b716040 task.stack: ffffb8e800d84000
  RIP: 0010:qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
  RSP: 0018:ffffb8e800d87b38 EFLAGS: 00010246
  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
  RDX: 0000000000000001 RSI: ffff8c8824f3f1d0 RDI: ffff8c8824ef6400
  RBP: ffff8c8824ef6400 R08: 0000000000000000 R09: 0000000000000000
  R10: ffffb8e800d87780 R11: 0000000000000011 R12: ffffffffc07ea0e8
  R13: ffff8c8824e2e000 R14: ffff8c8824e2e098 R15: 0000000000000000
  FS:  0000000000000000(0000) GS:ffff8c8835300000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000000000e0 CR3: 0000000229ca5000 CR4: 00000000000406e0
  Call Trace:
   ? usb_unbind_interface+0x71/0x270 [usbcore]
   ? device_release_driver_internal+0x154/0x210
   ? qmi_wwan_unbind+0x6d/0xc0 [qmi_wwan]
   ? usbnet_disconnect+0x6c/0xf0 [usbnet]
   ? qmi_wwan_disconnect+0x87/0xc0 [qmi_wwan]
   ? usb_unbind_interface+0x71/0x270 [usbcore]
   ? device_release_driver_internal+0x154/0x210

Reported-and-tested-by: Nathaniel Roach <nroach44@gmail.com>
Fixes: c6adf77953 ("net: usb: qmi_wwan: add qmap mux protocol support")
Cc: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-08 21:14:16 -07:00
..
appletalk
arcnet arcnet: com20020-pci: Fix an error handling path in 'com20020pci_probe()' 2017-07-07 09:29:10 +01:00
bonding bonding: commit link status change after propose 2017-07-26 13:41:21 -07:00
caif Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
can net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
cris net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
dsa net: dsa: mediatek: add adjust link support for user ports 2017-08-08 18:01:25 -07:00
ethernet net/mlx4_en: don't set CHECKSUM_COMPLETE on SCTP packets 2017-08-08 17:59:57 -07:00
fddi
fjes networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
hamradio networking: add and use skb_put_u8() 2017-06-16 11:48:40 -04:00
hippi networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
hyperv netvsc: fix race on sub channel creation 2017-08-06 21:23:21 -07:00
ieee802154 networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
ipvlan ipvlan: Fix 64-bit statistics seqcount initialization 2017-08-01 20:06:07 -07:00
irda mcs7780: Fix initialization when CONFIG_VMAP_STACK is enabled 2017-07-24 16:24:05 -07:00
phy net: phy: Correctly process PHY_HALTED in phy_stop_machine() 2017-07-31 17:27:10 -07:00
plip
ppp ppp: fix xmit recursion detection on ppp channels 2017-08-08 21:06:11 -07:00
slip networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
team team: use a larger struct for mac address 2017-07-29 11:25:05 -07:00
usb qmi_wwan: fix NULL deref on disconnect 2017-08-08 21:14:16 -07:00
vmxnet3 vmxnet3: avoid format strint overflow warning 2017-07-14 09:03:11 -07:00
wan networking: make skb_pull & friends return void pointers 2017-06-16 11:48:39 -04:00
wimax networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
wireless brcmfmac: fix memleak due to calling brcmf_sdiod_sgtable_alloc() twice 2017-07-27 14:03:14 +03:00
xen-netback xen-netback: correctly schedule rate-limited queues 2017-06-22 11:15:42 -04:00
Kconfig
LICENSE.SRC
Makefile
Space.c
dummy.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
eql.c
geneve.c geneve: fix hlist corruption 2017-07-03 02:36:27 -07:00
gtp.c gtp: Initialize 64-bit per-cpu stats correctly 2017-08-01 20:06:07 -07:00
ifb.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
loopback.c net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
macsec.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
macvlan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
macvtap.c net: add netlink_ext_ack argument to rtnl_link_ops.newlink 2017-06-26 23:13:21 -04:00
mdio.c
mii.c net/{mii, smsc}: Make mii_ethtool_get_link_ksettings and smc_netdev_get_ecmd return void 2017-06-05 11:00:42 -04:00
netconsole.c netconsole: Remove duplicate "netconsole: " logging prefix 2017-06-13 12:57:40 -04:00
nlmon.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
ntb_netdev.c ntb_netdev: set the net_device's parent 2017-07-06 11:30:08 -04:00
rionet.c net: convert sk_buff.users from atomic_t to refcount_t 2017-07-01 07:39:07 -07:00
sb1000.c
sungem_phy.c drivers/net/sungem: add const to mii_phy_ops structures 2017-06-08 15:32:47 -04:00
tap.c tap: convert a mutex to a spinlock 2017-07-11 13:41:57 -07:00
tun.c tun/tap: Add the missed return value check of register_netdevice_notifier 2017-07-24 13:44:31 -07:00
veth.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-30 12:43:08 -04:00
virtio_net.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-07-31 22:36:42 -07:00
vrf.c vrf: fix bug_on triggered by rx when destroying a vrf 2017-07-06 16:46:07 +01:00
vsockmon.c net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
vxlan.c vxlan: fix remcsum when GRO on and CHECKSUM_PARTIAL boundary is outer UDP 2017-08-01 16:09:14 -07:00
xen-netfront.c