Commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration") fixed the racy minor allocation reported by syzbot, but introduced an unconditional NULL-pointer dereference on every disconnect instead.
Specifically, the serial device table must no longer be accessed after the minor has been released by hso_serial_tty_unregister().
Fixes: 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration") Cc: stable@vger.kernel.org Cc: Anirudh Rayabharam mail@anirudhrb.com Reported-by: Leonardo Antoniazzi leoanto@aruba.it Signed-off-by: Johan Hovold johan@kernel.org --- drivers/net/usb/hso.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c index 9bc58e64b5b7..3ef4b2841402 100644 --- a/drivers/net/usb/hso.c +++ b/drivers/net/usb/hso.c @@ -3104,7 +3104,7 @@ static void hso_free_interface(struct usb_interface *interface) cancel_work_sync(&serial_table[i]->async_put_intf); cancel_work_sync(&serial_table[i]->async_get_intf); hso_serial_tty_unregister(serial); - kref_put(&serial_table[i]->ref, hso_serial_ref_free); + kref_put(&serial->parent->ref, hso_serial_ref_free); } }
On Mon, Apr 26, 2021 at 10:11:49AM +0200, Johan Hovold wrote:
Commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration") fixed the racy minor allocation reported by syzbot, but introduced an unconditional NULL-pointer dereference on every disconnect instead.
Specifically, the serial device table must no longer be accessed after the minor has been released by hso_serial_tty_unregister().
Fixes: 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration") Cc: stable@vger.kernel.org Cc: Anirudh Rayabharam mail@anirudhrb.com Reported-by: Leonardo Antoniazzi leoanto@aruba.it Signed-off-by: Johan Hovold johan@kernel.org
drivers/net/usb/hso.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c index 9bc58e64b5b7..3ef4b2841402 100644 --- a/drivers/net/usb/hso.c +++ b/drivers/net/usb/hso.c @@ -3104,7 +3104,7 @@ static void hso_free_interface(struct usb_interface *interface) cancel_work_sync(&serial_table[i]->async_put_intf); cancel_work_sync(&serial_table[i]->async_get_intf); hso_serial_tty_unregister(serial);
kref_put(&serial_table[i]->ref, hso_serial_ref_free);
kref_put(&serial->parent->ref, hso_serial_ref_free);
Ah, my bad. Thanks Johan for the fix!
Reviewed-by: Anirudh Rayabharam mail@anirudhrb.com
- Anirudh.
Hello:
This patch was applied to netdev/net-next.git (refs/heads/master):
On Mon, 26 Apr 2021 10:11:49 +0200 you wrote:
Commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration") fixed the racy minor allocation reported by syzbot, but introduced an unconditional NULL-pointer dereference on every disconnect instead.
Specifically, the serial device table must no longer be accessed after the minor has been released by hso_serial_tty_unregister().
[...]
Here is the summary with links: - net: hso: fix NULL-deref on disconnect regression https://git.kernel.org/netdev/net-next/c/2ad5692db728
You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
linux-stable-mirror@lists.linaro.org
-
Anirudh Rayabharam -
Johan Hovold -
patchwork-bot+netdevbpf@kernel.org