From: Greg Kroah-Hartman Date: Tue, 27 Apr 2021 08:29:43 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.268~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9c2fac30a9e5f113c9dbe64800629752031c1d3a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: net-hso-fix-null-deref-on-disconnect-regression.patch usb-cdc-acm-fix-poison-unpoison-imbalance.patch --- diff --git a/queue-4.14/net-hso-fix-null-deref-on-disconnect-regression.patch b/queue-4.14/net-hso-fix-null-deref-on-disconnect-regression.patch new file mode 100644 index 00000000000..5974eba2de9 --- /dev/null +++ b/queue-4.14/net-hso-fix-null-deref-on-disconnect-regression.patch @@ -0,0 +1,40 @@ +From 2ad5692db72874f02b9ad551d26345437ea4f7f3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 26 Apr 2021 10:11:49 +0200 +Subject: net: hso: fix NULL-deref on disconnect regression + +From: Johan Hovold + +commit 2ad5692db72874f02b9ad551d26345437ea4f7f3 upstream. + +Commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device +unregistration") fixed the racy minor allocation reported by syzbot, but +introduced an unconditional NULL-pointer dereference on every disconnect +instead. + +Specifically, the serial device table must no longer be accessed after +the minor has been released by hso_serial_tty_unregister(). + +Fixes: 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration") +Cc: stable@vger.kernel.org +Cc: Anirudh Rayabharam +Reported-by: Leonardo Antoniazzi +Signed-off-by: Johan Hovold +Reviewed-by: Anirudh Rayabharam +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/hso.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -3113,7 +3113,7 @@ static void hso_free_interface(struct us + cancel_work_sync(&serial_table[i]->async_put_intf); + cancel_work_sync(&serial_table[i]->async_get_intf); + hso_serial_tty_unregister(serial); +- kref_put(&serial_table[i]->ref, hso_serial_ref_free); ++ kref_put(&serial->parent->ref, hso_serial_ref_free); + } + } + diff --git a/queue-4.14/series b/queue-4.14/series index 48d3ba30f3a..e319bb9a451 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -47,3 +47,5 @@ cavium-liquidio-fix-duplicate-argument.patch ia64-fix-discontig.c-section-mismatches.patch ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch x86-crash-fix-crash_setup_memmap_entries-out-of-bounds-access.patch +net-hso-fix-null-deref-on-disconnect-regression.patch +usb-cdc-acm-fix-poison-unpoison-imbalance.patch diff --git a/queue-4.14/usb-cdc-acm-fix-poison-unpoison-imbalance.patch b/queue-4.14/usb-cdc-acm-fix-poison-unpoison-imbalance.patch new file mode 100644 index 00000000000..9ae0af7ff16 --- /dev/null +++ b/queue-4.14/usb-cdc-acm-fix-poison-unpoison-imbalance.patch @@ -0,0 +1,42 @@ +From a8b3b519618f30a87a304c4e120267ce6f8dc68a Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Wed, 21 Apr 2021 09:45:13 +0200 +Subject: USB: CDC-ACM: fix poison/unpoison imbalance + +From: Oliver Neukum + +commit a8b3b519618f30a87a304c4e120267ce6f8dc68a upstream. + +suspend() does its poisoning conditionally, resume() does it +unconditionally. On a device with combined interfaces this +will balance, on a device with two interfaces the counter will +go negative and resubmission will fail. + +Both actions need to be done conditionally. + +Fixes: 6069e3e927c8f ("USB: cdc-acm: untangle a circular dependency between callback and softint") +Signed-off-by: Oliver Neukum +Cc: stable +Link: https://lore.kernel.org/r/20210421074513.4327-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1696,12 +1696,13 @@ static int acm_resume(struct usb_interfa + struct urb *urb; + int rv = 0; + +- acm_unpoison_urbs(acm); + spin_lock_irq(&acm->write_lock); + + if (--acm->susp_count) + goto out; + ++ acm_unpoison_urbs(acm); ++ + if (tty_port_initialized(&acm->port)) { + rv = usb_submit_urb(acm->ctrlurb, GFP_ATOMIC); +