net: hso: fix null-ptr-deref during tty device unregistration
stable inclusion from stable-v4.19.187 commit 92028d7a31e55d53e41cff679156b9432cffcb36 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I93LMH CVE: CVE-2021-46904 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=92028d7a31e55d53e41cff679156b9432cffcb36 --------------------------- commit 8a12f883 upstream. Multiple ttys try to claim the same the minor number causing a double unregistration of the same device. The first unregistration succeeds but the next one results in a null-ptr-deref. The get_free_serial_index() function returns an available minor number but doesn't assign it immediately. The assignment is done by the caller later. But before this assignment, calls to get_free_serial_index() would return the same minor number. Fix this by modifying get_free_serial_index to assign the minor number immediately after one is found to be and rename it to obtain_minor() to better reflect what it does. Similary, rename set_serial_by_index() to release_minor() and modify it to free up the minor number of the given hso_serial. Every obtain_minor() should have corresponding release_minor() call. Fixes: 72dc1c09 ("HSO: add option hso driver") Reported-by:<syzbot+c49fe6089f295a05e6f8@syzkaller.appspotmail.com> Tested-by:
Loading
Please sign in to comment