From: Johan Hovold
To: "David S. Miller", Jakub Kicinski
Cc: Greg Kroah-Hartman, linux-usb@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Johan Hovold, stable@vger.kernel.org, Anirudh Rayabharam, Leonardo Antoniazzi
Subject: [PATCH] net: hso: fix NULL-deref on disconnect regression
Date: Mon, 26 Apr 2021 10:11:49 +0200
Message-Id: <20210426081149.10498-1-johan@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration") fixed the racy minor allocation reported by syzbot, but introduced an unconditional NULL-pointer dereference on every disconnect instead.

Specifically, the serial device table must no longer be accessed after the minor has been released by hso_serial_tty_unregister().

Fixes: 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration")
Cc: stable@vger.kernel.org
Cc: Anirudh Rayabharam
Reported-by: Leonardo Antoniazzi
Signed-off-by: Johan Hovold

--- drivers/net/usb/hso.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c index 9bc58e64b5b7..3ef4b2841402 100644 --- a/drivers/net/usb/hso.c +++ b/drivers/net/usb/hso.c @@ -3104,7 +3104,7 @@ static void hso_free_interface(struct usb_interface *interface) cancel_work_sync(&serial_table[i]->async_put_intf); cancel_work_sync(&serial_table[i]->async_get_intf); hso_serial_tty_unregister(serial); - kref_put(&serial_table[i]->ref, hso_serial_ref_free); + kref_put(&serial->parent->ref, hso_serial_ref_free); } } -- 2.26.3
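
Review bot: In the context lines of the hso_free_interface() hunk, the two cancel_work_sync() calls still reach the device through serial_table[i], while the corrected kref_put() goes through serial->parent. They run before hso_serial_tty_unregister(serial), so they are safe as ordered, but the mixed accessors leave the same trap for anyone who later reorders or adds a call after the unregister. Consider using serial->parent (or one local pointer taken at the top of the loop body) for all three calls, and adding a one-line comment above kref_put() stating that the minor, and with it the serial_table[i] slot, is released by hso_serial_tty_unregister() and must not be dereferenced afterwards.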