https://bugzilla.kernel.org/show_bug.cgi?id=207871

--- Comment #2 from Tobias Diedrich (ranma+kernel@xxxxxxxxxxxx) ---

Interestingly, usb_set_interface() already calls usb_ifnum_to_if() once, which did not fail. Then, after calling usb_disable_interface(), it calls usb_hcd_alloc_bandwidth(), which does another call to usb_ifnum_to_if(), which faulted with the null deref.

The fault is at:

    mov rax, [rdx + 0x398]
    test rax, rax
    jz early_exit_since_config_is_null
    [...]
    mov rcx, [rax + rdx*8 + 0x98]
    inc rdx
 -> mov r8, [rcx]
    movzx r8d, byte ptr [r8 + 2]
    [...]

So I think the fault is at:

    [...]
    for (i = 0; i < config->desc.bNumInterfaces; i++)
 ->     if (config->interface[i]->altsetting[0].desc.bInterfaceNumber == ifnum)
            ^^^^^^^^^^^^^^^^^^^^ nullptr
            return config->interface[i];
    [...]

usb_set_interface() only checks for dev->state == USB_STATE_SUSPENDED; maybe it also needs to check for dev->state == USB_STATE_NOTATTACHED?

The disconnect message indicates this would have been the state the device was in, from usb_disconnect():

    [...]
    usb_set_device_state(udev, USB_STATE_NOTATTACHED);
    dev_info(&udev->dev, "USB disconnect, device number %d\n", udev->devnum);
    [...]
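The following is an added example, not kernel code and not the fix that was applied for this bug: it models the lookup the comment walks through with a reduced, constructed set of structs, shows a hypothetical guarded variant (ifnum_to_if_guarded) that refuses a device already in USB_STATE_NOTATTACHED and skips NULL interface slots, and replays the disconnect race described above in disconnect_race_demo().

```c
#include <stddef.h>

/* Constructed, reduced model of the structures the comment walks; only the
 * fields the lookup touches are kept. These are not the kernel's definitions. */
enum usb_device_state { USB_STATE_NOTATTACHED, USB_STATE_CONFIGURED };
struct usb_host_interface { struct { unsigned char bInterfaceNumber; } desc; };
struct usb_interface { struct usb_host_interface *altsetting; };
struct usb_host_config {
    unsigned char bNumInterfaces;
    struct usb_interface *interface[2]; /* a slot becomes NULL on teardown */
};
struct usb_device { enum usb_device_state state; struct usb_host_config *actconfig; };

/* Hypothetical hardened lookup, not the kernel's fix: a device already in
 * USB_STATE_NOTATTACHED is rejected up front, and NULL interface slots are
 * skipped instead of dereferenced, so a disconnect racing the lookup yields
 * "not found" rather than the NULL-pointer oops described in the comment. */
struct usb_interface *ifnum_to_if_guarded(const struct usb_device *dev,
                                          unsigned ifnum)
{
    const struct usb_host_config *config;
    if (!dev || dev->state == USB_STATE_NOTATTACHED || !(config = dev->actconfig))
        return NULL;
    for (unsigned i = 0; i < config->bNumInterfaces; i++) {
        struct usb_interface *intf = config->interface[i];
        if (intf && intf->altsetting &&
            intf->altsetting[0].desc.bInterfaceNumber == ifnum)
            return intf;
    }
    return NULL;
}

/* Replays the race from the comment: a healthy two-interface device, then
 * interface[1] is freed and the device is marked NOTATTACHED as
 * usb_disconnect() would. Returns a bitmask of the checks that hold (7 = all). */
int disconnect_race_demo(void)
{
    struct usb_host_interface alt0 = { { 0 } }, alt1 = { { 1 } };
    struct usb_interface if0 = { &alt0 }, if1 = { &alt1 };
    struct usb_host_config cfg = { 2, { &if0, &if1 } };
    struct usb_device dev = { USB_STATE_CONFIGURED, &cfg };
    int ok = 0;
    ok |= (ifnum_to_if_guarded(&dev, 1) == &if1) << 0; /* normal hit */
    cfg.interface[1] = NULL;                           /* slot torn down */
    ok |= (ifnum_to_if_guarded(&dev, 1) == NULL) << 1; /* NULL slot skipped */
    dev.state = USB_STATE_NOTATTACHED;                 /* after usb_disconnect() */
    ok |= (ifnum_to_if_guarded(&dev, 0) == NULL) << 2; /* detached device refused */
    return ok;
}
```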