Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758027Ab3J2Dar (ORCPT ); Mon, 28 Oct 2013 23:30:47 -0400 Received: from mga01.intel.com ([192.55.52.88]:25959 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753687Ab3J2Dap convert rfc822-to-8bit (ORCPT ); Mon, 28 Oct 2013 23:30:45 -0400 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="4.93,590,1378882800"; d="scan'208";a="418859741" From: "Du, ChangbinX" To: "oliver@neukum.org" CC: "linux-usb@vger.kernel.org" , "netdev@vger.kernel.org" , "linux-kernel@vger.kernel.org" Subject: [PATCH] net/cdc_ncm: fix null pointer panic at usbnet_link_change Thread-Topic: [PATCH] net/cdc_ncm: fix null pointer panic at usbnet_link_change Thread-Index: Ac7UVwwoHCI1JQViRZOXA6OeEZ/T7w== Date: Tue, 29 Oct 2013 03:30:42 +0000 Message-ID: <0C18FE92A7765D4EB9EE5D38D86A563A019F450F@SHSMSX103.ccr.corp.intel.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2921 Lines: 78 From: "Du, Changbin" In cdc_ncm_bind() function, it call cdc_ncm_bind_common() to setup usb. But cdc_ncm_bind_common() may meet error and cause usbnet_disconnect() be called which calls free_netdev(net). Thus usbnet structure(alloced with net_device structure) will be freed,too. So we cannot call usbnet_link_change() if cdc_ncm_bind_common() return error. BUG: unable to handle kernel NULL pointer dereference at 00000078 EIP is at usbnet_link_change+0x1e/0x80 Call Trace: [] cdc_ncm_bind+0x3a/0x50 [] usbnet_probe+0x282/0x7d0 [] ? sysfs_new_dirent+0x6c/0x100 [] ? mutex_lock+0x13/0x40 [] cdc_ncm_probe+0x8/0x10 [] usb_probe_interface+0x187/0x2c0 [] ? driver_sysfs_add+0x6a/0x90 [] ? __driver_attach+0x90/0x90 [] driver_probe_device+0x74/0x360 [] ? usb_match_id+0x41/0x60 [] ? usb_device_match+0x4e/0x90 [] ? __driver_attach+0x90/0x90 [] __device_attach+0x39/0x50 [] bus_for_each_drv+0x34/0x70 [] device_attach+0x7b/0x90 [] ? __driver_attach+0x90/0x90 [] bus_probe_device+0x6f/0x90 [] device_add+0x558/0x630 [] ? usb_create_ep_devs+0x71/0xd0 [] ? create_intf_ep_devs+0x4b/0x70 [] usb_set_configuration+0x4bf/0x800 [] ? __driver_attach+0x90/0x90 [] generic_probe+0x2b/0x90 [] usb_probe_device+0x2c/0x70 [] driver_probe_device+0x74/0x360 Signed-off-by: Du, Changbin --- drivers/net/usb/cdc_ncm.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c index 43afde8..af37ecf 100644 --- a/drivers/net/usb/cdc_ncm.c +++ b/drivers/net/usb/cdc_ncm.c @@ -603,14 +603,15 @@ static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf) /* NCM data altsetting is always 1 */ ret = cdc_ncm_bind_common(dev, intf, 1); - - /* - * We should get an event when network connection is "connected" or - * "disconnected". Set network connection in "disconnected" state - * (carrier is OFF) during attach, so the IP network stack does not - * start IPv6 negotiation and more. - */ - usbnet_link_change(dev, 0, 0); + if (!ret) { + /* + * We should get an event when network connection is "connected" + * or "disconnected". Set network connection in "disconnected" + * state (carrier is OFF) during attach, so the IP network stack + * does not start IPv6 negotiation and more. + */ + usbnet_link_change(dev, 0, 0); + } return ret; } -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/