Re: [PATCH net,stable] qmi_wwan: fix NULL deref on disconnect

2017-08-08 Thread David Miller 
From: Bjørn Mork 
Date: Tue,  8 Aug 2017 18:02:11 +0200

> qmi_wwan_disconnect is called twice when disconnecting devices with
> separate control and data interfaces.  The first invocation will set
> the interface data to NULL for both interfaces to flag that the
> disconnect has been handled.  But the matching NULL check was left
> out when qmi_wwan_disconnect was added, resulting in this oops:
> 
>   usb 2-1.4: USB disconnect, device number 4
>   qmi_wwan 2-1.4:1.6 wwp0s29u1u4i6: unregister 'qmi_wwan' 
> usb-:00:1d.0-1.4, WWAN/QMI device
>   BUG: unable to handle kernel NULL pointer dereference at 00e0
>   IP: qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
>   PGD 0
>   P4D 0
>   Oops:  [#1] SMP
>   Modules linked in: 
>   CPU: 2 PID: 33 Comm: kworker/2:1 Tainted: GE   
> 4.12.3-nr44-normandy-r1500619820+ #1
>   Hardware name: LENOVO 4291LR7/4291LR7, BIOS CBET4000 4.6-810-g50522254fb 
> 07/21/2017
>   Workqueue: usb_hub_wq hub_event [usbcore]
>   task: 8c882b716040 task.stack: b8e800d84000
>   RIP: 0010:qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
>   RSP: 0018:b8e800d87b38 EFLAGS: 00010246
>   RAX:  RBX:  RCX: 
>   RDX: 0001 RSI: 8c8824f3f1d0 RDI: 8c8824ef6400
>   RBP: 8c8824ef6400 R08:  R09: 
>   R10: b8e800d87780 R11: 0011 R12: c07ea0e8
>   R13: 8c8824e2e000 R14: 8c8824e2e098 R15: 
>   FS:  () GS:8c883530() knlGS:
>   CS:  0010 DS:  ES:  CR0: 80050033
>   CR2: 00e0 CR3: 000229ca5000 CR4: 000406e0
>   Call Trace:
>? usb_unbind_interface+0x71/0x270 [usbcore]
>? device_release_driver_internal+0x154/0x210
>? qmi_wwan_unbind+0x6d/0xc0 [qmi_wwan]
>? usbnet_disconnect+0x6c/0xf0 [usbnet]
>? qmi_wwan_disconnect+0x87/0xc0 [qmi_wwan]
>? usb_unbind_interface+0x71/0x270 [usbcore]
>? device_release_driver_internal+0x154/0x210
> 
> Reported-and-tested-by: Nathaniel Roach 
> Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
> Cc: Daniele Palmas 
> Signed-off-by: Bjørn Mork 

Applied and queued up for -stable, thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH net,stable] qmi_wwan: fix NULL deref on disconnect

2017-08-08 Thread Bjørn Mork 
qmi_wwan_disconnect is called twice when disconnecting devices with
separate control and data interfaces.  The first invocation will set
the interface data to NULL for both interfaces to flag that the
disconnect has been handled.  But the matching NULL check was left
out when qmi_wwan_disconnect was added, resulting in this oops:

  usb 2-1.4: USB disconnect, device number 4
  qmi_wwan 2-1.4:1.6 wwp0s29u1u4i6: unregister 'qmi_wwan' usb-:00:1d.0-1.4, 
WWAN/QMI device
  BUG: unable to handle kernel NULL pointer dereference at 00e0
  IP: qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
  PGD 0
  P4D 0
  Oops:  [#1] SMP
  Modules linked in: 
  CPU: 2 PID: 33 Comm: kworker/2:1 Tainted: GE   
4.12.3-nr44-normandy-r1500619820+ #1
  Hardware name: LENOVO 4291LR7/4291LR7, BIOS CBET4000 4.6-810-g50522254fb 
07/21/2017
  Workqueue: usb_hub_wq hub_event [usbcore]
  task: 8c882b716040 task.stack: b8e800d84000
  RIP: 0010:qmi_wwan_disconnect+0x25/0xc0 [qmi_wwan]
  RSP: 0018:b8e800d87b38 EFLAGS: 00010246
  RAX:  RBX:  RCX: 
  RDX: 0001 RSI: 8c8824f3f1d0 RDI: 8c8824ef6400
  RBP: 8c8824ef6400 R08:  R09: 
  R10: b8e800d87780 R11: 0011 R12: c07ea0e8
  R13: 8c8824e2e000 R14: 8c8824e2e098 R15: 
  FS:  () GS:8c883530() knlGS:
  CS:  0010 DS:  ES:  CR0: 80050033
  CR2: 00e0 CR3: 000229ca5000 CR4: 000406e0
  Call Trace:
   ? usb_unbind_interface+0x71/0x270 [usbcore]
   ? device_release_driver_internal+0x154/0x210
   ? qmi_wwan_unbind+0x6d/0xc0 [qmi_wwan]
   ? usbnet_disconnect+0x6c/0xf0 [usbnet]
   ? qmi_wwan_disconnect+0x87/0xc0 [qmi_wwan]
   ? usb_unbind_interface+0x71/0x270 [usbcore]
   ? device_release_driver_internal+0x154/0x210

Reported-and-tested-by: Nathaniel Roach 
Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support")
Cc: Daniele Palmas 
Signed-off-by: Bjørn Mork 
---
Needed for v4.12 and later


 drivers/net/usb/qmi_wwan.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index ff6f39fe6c00..8c3733608271 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -1341,10 +1341,14 @@ static int qmi_wwan_probe(struct usb_interface *intf,
 static void qmi_wwan_disconnect(struct usb_interface *intf)
 {
struct usbnet *dev = usb_get_intfdata(intf);
-   struct qmi_wwan_state *info = (void *)>data;
+   struct qmi_wwan_state *info;
struct list_head *iter;
struct net_device *ldev;
 
+   /* called twice if separate control and data intf */
+   if (!dev)
+   return;
+   info = (void *)>data;
if (info->flags & QMI_WWAN_FLAG_MUX) {
if (!rtnl_trylock()) {
restart_syscall();
-- 
2.11.0

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html