From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 27 Apr 2021 08:29:26 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.4.268~6
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=369a5cebf2281bce6d24dd35dbd0a2ea52ce7a54;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	net-hso-fix-null-deref-on-disconnect-regression.patch
---

diff --git a/queue-4.9/net-hso-fix-null-deref-on-disconnect-regression.patch b/queue-4.9/net-hso-fix-null-deref-on-disconnect-regression.patch
new file mode 100644
index 00000000000..41de5281266
--- /dev/null
+++ b/queue-4.9/net-hso-fix-null-deref-on-disconnect-regression.patch
@@ -0,0 +1,40 @@
+From 2ad5692db72874f02b9ad551d26345437ea4f7f3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 26 Apr 2021 10:11:49 +0200
+Subject: net: hso: fix NULL-deref on disconnect regression
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2ad5692db72874f02b9ad551d26345437ea4f7f3 upstream.
+
+Commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device
+unregistration") fixed the racy minor allocation reported by syzbot, but
+introduced an unconditional NULL-pointer dereference on every disconnect
+instead.
+
+Specifically, the serial device table must no longer be accessed after
+the minor has been released by hso_serial_tty_unregister().
+
+Fixes: 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration")
+Cc: stable@vger.kernel.org
+Cc: Anirudh Rayabharam <mail@anirudhrb.com>
+Reported-by: Leonardo Antoniazzi <leoanto@aruba.it>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/hso.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -3115,7 +3115,7 @@ static void hso_free_interface(struct us
+ 			cancel_work_sync(&serial_table[i]->async_put_intf);
+ 			cancel_work_sync(&serial_table[i]->async_get_intf);
+ 			hso_serial_tty_unregister(serial);
+-			kref_put(&serial_table[i]->ref, hso_serial_ref_free);
++			kref_put(&serial->parent->ref, hso_serial_ref_free);
+ 		}
+ 	}
+ 
diff --git a/queue-4.9/series b/queue-4.9/series
index 9845ea3d649..02f91120b69 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -35,3 +35,4 @@ cavium-liquidio-fix-duplicate-argument.patch
 ia64-fix-discontig.c-section-mismatches.patch
 ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch
 x86-crash-fix-crash_setup_memmap_entries-out-of-bounds-access.patch
+net-hso-fix-null-deref-on-disconnect-regression.patch