--- /dev/null
+From 2ad5692db72874f02b9ad551d26345437ea4f7f3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 26 Apr 2021 10:11:49 +0200
+Subject: net: hso: fix NULL-deref on disconnect regression
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2ad5692db72874f02b9ad551d26345437ea4f7f3 upstream.
+
+Commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device
+unregistration") fixed the racy minor allocation reported by syzbot, but
+introduced an unconditional NULL-pointer dereference on every disconnect
+instead.
+
+Specifically, the serial device table must no longer be accessed after
+the minor has been released by hso_serial_tty_unregister().
+
+Fixes: 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration")
+Cc: stable@vger.kernel.org
+Cc: Anirudh Rayabharam <mail@anirudhrb.com>
+Reported-by: Leonardo Antoniazzi <leoanto@aruba.it>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/hso.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -3113,7 +3113,7 @@ static void hso_free_interface(struct us
+ cancel_work_sync(&serial_table[i]->async_put_intf);
+ cancel_work_sync(&serial_table[i]->async_get_intf);
+ hso_serial_tty_unregister(serial);
+- kref_put(&serial_table[i]->ref, hso_serial_ref_free);
++ kref_put(&serial->parent->ref, hso_serial_ref_free);
+ }
+ }
+
ia64-fix-discontig.c-section-mismatches.patch
ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch
x86-crash-fix-crash_setup_memmap_entries-out-of-bounds-access.patch
+net-hso-fix-null-deref-on-disconnect-regression.patch
+usb-cdc-acm-fix-poison-unpoison-imbalance.patch
--- /dev/null
+From a8b3b519618f30a87a304c4e120267ce6f8dc68a Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 21 Apr 2021 09:45:13 +0200
+Subject: USB: CDC-ACM: fix poison/unpoison imbalance
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit a8b3b519618f30a87a304c4e120267ce6f8dc68a upstream.
+
+suspend() does its poisoning conditionally, resume() does it
+unconditionally. On a device with combined interfaces this
+will balance, on a device with two interfaces the counter will
+go negative and resubmission will fail.
+
+Both actions need to be done conditionally.
+
+Fixes: 6069e3e927c8f ("USB: cdc-acm: untangle a circular dependency between callback and softint")
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210421074513.4327-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1696,12 +1696,13 @@ static int acm_resume(struct usb_interfa
+ struct urb *urb;
+ int rv = 0;
+
+- acm_unpoison_urbs(acm);
+ spin_lock_irq(&acm->write_lock);
+
+ if (--acm->susp_count)
+ goto out;
+
++ acm_unpoison_urbs(acm);
++
+ if (tty_port_initialized(&acm->port)) {
+ rv = usb_submit_urb(acm->ctrlurb, GFP_ATOMIC);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
