Commit ffa0d69d authored Feb 26, 2024 by Johan Hovold Committed by Liu Jian Feb 26, 2024

net: hso: fix NULL-deref on disconnect regression

stable inclusion
from stable-v4.19.189
commit 5c17cfe155d21954b4c7e2a78fa771cebcd86725
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I93LMH
CVE: CVE-2021-46904

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5c17cfe155d21954b4c7e2a78fa771cebcd86725



---------------------------

commit 2ad5692d upstream.

Commit 8a12f883 ("net: hso: fix null-ptr-deref during tty device
unregistration") fixed the racy minor allocation reported by syzbot, but
introduced an unconditional NULL-pointer dereference on every disconnect
instead.

Specifically, the serial device table must no longer be accessed after
the minor has been released by hso_serial_tty_unregister().

Fixes: 8a12f883 ("net: hso: fix null-ptr-deref during tty device unregistration")
Cc: stable@vger.kernel.org
Cc: Anirudh Rayabharam <mail@anirudhrb.com>
Reported-by: Leonardo Antoniazzi <leoanto@aruba.it>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Anirudh Rayabharam <mail@anirudhrb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Liu Jian <liujian56@huawei.com>

parent 176f58c1

drivers/net/usb/hso.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -3126,7 +3126,7 @@ static void hso_free_interface(struct usb_interface *interface)
		cancel_work_sync(&serial_table[i]->async_put_intf);
		cancel_work_sync(&serial_table[i]->async_get_intf);
		hso_serial_tty_unregister(serial);
		kref_put(&serial_table[i]->ref, hso_serial_ref_free);
		kref_put(&serial->parent->ref, hso_serial_ref_free);
		}
		}