authorLorenzo Colitti <lorenzo@google.com>2015-09-15 00:14:23 +0900
committerMister Oyster <oysterized@gmail.com>2017-04-17 10:57:31 +0200
commitbcc91adb7f16e2a24a5a4c676b03e9c061c0f539 (patch)
tree3030db23c15fd598c58730db61b1afb9a22bd8ea /net
parent2dd0ccb74bc6162efd6723055f6b7d27d52f4ed8 (diff)
Fix NULL pointer dereference in tcp_nuke_addr.
tcp_nuke_addr only grabs the bottom-half socket lock, but not the userspace socket lock. This allows a userspace program to call close() while the socket is being processed, which causes a NULL pointer dereference in inet_put_port. Bug: 23663111 Bug: 24072792 Change-Id: Iecb63af68c2db4764c74785153d1c9054f76b94f Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/tcp.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 1bb6eaad1..e789e9217 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3622,8 +3622,11 @@ restart:
sock_hold(sk);
spin_unlock_bh(lock);
+ lock_sock(sk);
+ // TODO:
+ // Check for SOCK_DEAD again, it could have changed.
+ // Add a write barrier, see tcp_reset().
local_bh_disable();
- bh_lock_sock(sk);
sk->sk_err = ETIMEDOUT;
sk->sk_error_report(sk);
count++;
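Review bot: The TODO added after `lock_sock(sk)` names a race the new code still leaves open: between `spin_unlock_bh(lock)` and `lock_sock(sk)` the socket can be closed, so by the time `sk->sk_err` is set and `tcp_done(sk)` runs in the second hunk the socket may already be dead, which is the class of bug the description says this commit fixes. Once the lock is held the flag should be re-read and the socket skipped, e.g. `if (sock_flag(sk, SOCK_DEAD)) { release_sock(sk); sock_put(sk); goto restart; }` placed directly after `lock_sock(sk)`, mirroring the earlier SOCK_DEAD check the TODO refers to (that check and the `restart:` loop head are outside the hunk, so whether `goto restart` or a plain `continue` is the right resume path has to be confirmed there). `lock_sock()` can sleep, which is only safe if every caller of tcp_nuke_addr runs in process context, and the unlock order in the second hunk, `release_sock(sk)` before `local_bh_enable()`, is unusual and easier to reason about as `local_bh_enable(); release_sock(sk);`. Kernel style also wants the new comment as a `/* ... */` block rather than `//` lines.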
@@ -3633,7 +3636,7 @@ restart:
printk(KERN_INFO "[mtk_net][tcp]skip ALPS01866438 Google Issue!\n");
}
tcp_done(sk);
- bh_unlock_sock(sk);
+ release_sock(sk);
local_bh_enable();
sock_put(sk);