From: Lorenzo Colitti Date: Mon, 14 Sep 2015 15:14:23 +0000 (+0900) Subject: Fix NULL pointer dereference in tcp_nuke_addr. X-Git-Tag: firefly_0821_release~3678^2~8 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=abe081915ca38fa25e51290ff0081c6a3489e990;p=firefly-linux-kernel-4.4.55.git Fix NULL pointer dereference in tcp_nuke_addr. tcp_nuke addr only grabs the bottom half socket lock, but not the userspace socket lock. This allows a userspace program to call close() while the socket is running, which causes a NULL pointer dereference in inet_put_port. Bug: 23663111 Bug: 24072792 Change-Id: Iecb63af68c2db4764c74785153d1c9054f76b94f Signed-off-by: Lorenzo Colitti (cherry picked from commit 74d66ee756afcc3269e4c1341f793c52be629af9) --- diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 8cc9b5499013..72c04f7caf2b 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3568,14 +3568,17 @@ restart: sock_hold(sk); spin_unlock_bh(lock); + lock_sock(sk); + // TODO: + // Check for SOCK_DEAD again, it could have changed. + // Add a write barrier, see tcp_reset(). local_bh_disable(); - bh_lock_sock(sk); sk->sk_err = ETIMEDOUT; sk->sk_error_report(sk); tcp_done(sk); - bh_unlock_sock(sk); local_bh_enable(); + release_sock(sk); sock_put(sk); goto restart;
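Review bot: the two TODO lines added right after lock_sock(sk) describe checks this hunk should make rather than defer. Between spin_unlock_bh(lock) and lock_sock(sk) the socket is only pinned by sock_hold(), so a racing close() can complete and mark it SOCK_DEAD before this path acquires the user lock; setting sk_err, calling sk_error_report() and tcp_done() on an already-closed socket is the kind of state the commit message says this change is meant to exclude. Suggest resolving the first TODO in this change, e.g. after lock_sock(sk): `if (sock_flag(sk, SOCK_DEAD)) { release_sock(sk); sock_put(sk); goto restart; }`, and the second by adding the smp_wmb() between the sk_err store and sk_error_report() that tcp_reset() uses (it pairs with the smp_rmb() on the reader side in tcp_poll()), so that a waiter cannot observe the wakeup before the error value. Two smaller points in the same hunk: the `//` comment lines should be `/* ... */` per kernel coding style, and the hunk's trailing context appears truncated in this rendering (the header announces 14/17 lines but fewer are shown), so confirm the release_sock(sk) lands before sock_put(sk) on every path out of this block, including the one the missing lines cover.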