tcp_nuke_addr only grabs the bottom half socket lock, but not the
userspace socket lock. This allows a userspace program to call
close() while the socket is running, which causes a NULL pointer
dereference in inet_put_port.
Bug: 23663111
Bug: 24072792
Change-Id: Iecb63af68c2db4764c74785153d1c9054f76b94f
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
(cherry picked from commit 74d66ee756afcc3269e4c1341f793c52be629af9)
sock_hold(sk);
spin_unlock_bh(lock);
+ lock_sock(sk);
+ // TODO:
+ // Check for SOCK_DEAD again, it could have changed.
+ // Add a write barrier, see tcp_reset().
local_bh_disable();
- bh_lock_sock(sk);
sk->sk_err = ETIMEDOUT;
sk->sk_error_report(sk);
tcp_done(sk);
- bh_unlock_sock(sk);
local_bh_enable();
+ release_sock(sk);
sock_put(sk);
goto restart;
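Review bot: The SOCK_DEAD recheck that the added `// TODO:` comment defers is the core of the fix, not a follow-up: the race this change describes sits exactly between `spin_unlock_bh(lock);` and the new `lock_sock(sk);`, so a close() that lands in that window leaves the code below calling `tcp_done(sk);` on a socket that is already dead. Implement the check right after `lock_sock(sk);`, for example `if (sock_flag(sk, SOCK_DEAD)) { release_sock(sk); sock_put(sk); goto restart; }`, rather than merging a TODO. Two smaller points on the same lines: the added comments use C++ `//` syntax, where kernel style wants `/* ... */`, and the second TODO (the write barrier referenced from tcp_reset()) should either be added here or be explained in the commit message as to why it is safe to leave out.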