From f173f297472cc047904d573c0a00eca3863aeed0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 27 Apr 2021 10:29:59 +0200
Subject: [PATCH] 4.19-stable patches

added patches:
	net-hso-fix-null-deref-on-disconnect-regression.patch
	usb-cdc-acm-fix-poison-unpoison-imbalance.patch
---
 ...-null-deref-on-disconnect-regression.patch | 40 ++++++++++++++++++
 queue-4.19/series                             |  2 +
 ...dc-acm-fix-poison-unpoison-imbalance.patch | 42 +++++++++++++++++++
 3 files changed, 84 insertions(+)
 create mode 100644 queue-4.19/net-hso-fix-null-deref-on-disconnect-regression.patch
 create mode 100644 queue-4.19/usb-cdc-acm-fix-poison-unpoison-imbalance.patch

diff --git a/queue-4.19/net-hso-fix-null-deref-on-disconnect-regression.patch b/queue-4.19/net-hso-fix-null-deref-on-disconnect-regression.patch
new file mode 100644
index 00000000000..eef54bca17f
--- /dev/null
+++ b/queue-4.19/net-hso-fix-null-deref-on-disconnect-regression.patch
@@ -0,0 +1,40 @@
+From 2ad5692db72874f02b9ad551d26345437ea4f7f3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 26 Apr 2021 10:11:49 +0200
+Subject: net: hso: fix NULL-deref on disconnect regression
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2ad5692db72874f02b9ad551d26345437ea4f7f3 upstream.
+
+Commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device
+unregistration") fixed the racy minor allocation reported by syzbot, but
+introduced an unconditional NULL-pointer dereference on every disconnect
+instead.
+
+Specifically, the serial device table must no longer be accessed after
+the minor has been released by hso_serial_tty_unregister().
+
+Fixes: 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration")
+Cc: stable@vger.kernel.org
+Cc: Anirudh Rayabharam <mail@anirudhrb.com>
+Reported-by: Leonardo Antoniazzi <leoanto@aruba.it>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/hso.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -3114,7 +3114,7 @@ static void hso_free_interface(struct us
+ 			cancel_work_sync(&serial_table[i]->async_put_intf);
+ 			cancel_work_sync(&serial_table[i]->async_get_intf);
+ 			hso_serial_tty_unregister(serial);
+-			kref_put(&serial_table[i]->ref, hso_serial_ref_free);
++			kref_put(&serial->parent->ref, hso_serial_ref_free);
+ 		}
+ 	}
+ 
diff --git a/queue-4.19/series b/queue-4.19/series
index 91f9e1a5615..bb140d9ed91 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -55,3 +55,5 @@ cavium-liquidio-fix-duplicate-argument.patch
 ia64-fix-discontig.c-section-mismatches.patch
 ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch
 x86-crash-fix-crash_setup_memmap_entries-out-of-bounds-access.patch
+net-hso-fix-null-deref-on-disconnect-regression.patch
+usb-cdc-acm-fix-poison-unpoison-imbalance.patch
diff --git a/queue-4.19/usb-cdc-acm-fix-poison-unpoison-imbalance.patch b/queue-4.19/usb-cdc-acm-fix-poison-unpoison-imbalance.patch
new file mode 100644
index 00000000000..648eb3ce02b
--- /dev/null
+++ b/queue-4.19/usb-cdc-acm-fix-poison-unpoison-imbalance.patch
@@ -0,0 +1,42 @@
+From a8b3b519618f30a87a304c4e120267ce6f8dc68a Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 21 Apr 2021 09:45:13 +0200
+Subject: USB: CDC-ACM: fix poison/unpoison imbalance
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit a8b3b519618f30a87a304c4e120267ce6f8dc68a upstream.
+
+suspend() does its poisoning conditionally, resume() does it
+unconditionally. On a device with combined interfaces this
+will balance, on a device with two interfaces the counter will
+go negative and resubmission will fail.
+
+Both actions need to be done conditionally.
+
+Fixes: 6069e3e927c8f ("USB: cdc-acm: untangle a circular dependency between callback and softint")
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210421074513.4327-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1682,12 +1682,13 @@ static int acm_resume(struct usb_interfa
+ 	struct urb *urb;
+ 	int rv = 0;
+ 
+-	acm_unpoison_urbs(acm);
+ 	spin_lock_irq(&acm->write_lock);
+ 
+ 	if (--acm->susp_count)
+ 		goto out;
+ 
++	acm_unpoison_urbs(acm);
++
+ 	if (tty_port_initialized(&acm->port)) {
+ 		rv = usb_submit_urb(acm->ctrlurb, GFP_ATOMIC);
+ 
-- 
2.47.3