From abe081915ca38fa25e51290ff0081c6a3489e990 Mon Sep 17 00:00:00 2001 From: Lorenzo Colitti Date: Tue, 15 Sep 2015 00:14:23 +0900 Subject: [PATCH] Fix NULL pointer dereference in tcp_nuke_addr. tcp_nuke addr only grabs the bottom half socket lock, but not the userspace socket lock. This allows a userspace program to call close() while the socket is running, which causes a NULL pointer dereference in inet_put_port. Bug: 23663111 Bug: 24072792 Change-Id: Iecb63af68c2db4764c74785153d1c9054f76b94f Signed-off-by: Lorenzo Colitti (cherry picked from commit 74d66ee756afcc3269e4c1341f793c52be629af9) --- net/ipv4/tcp.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 8cc9b5499013..72c04f7caf2b 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3568,14 +3568,17 @@ restart: sock_hold(sk); spin_unlock_bh(lock); + lock_sock(sk); + // TODO: + // Check for SOCK_DEAD again, it could have changed. + // Add a write barrier, see tcp_reset(). local_bh_disable(); - bh_lock_sock(sk); sk->sk_err = ETIMEDOUT; sk->sk_error_report(sk); tcp_done(sk); - bh_unlock_sock(sk); local_bh_enable(); + release_sock(sk); sock_put(sk); goto restart; -- 2.34.1
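Review bot: the hunk in net/ipv4/tcp.c takes lock_sock(sk) but then, as its own TODO admits, does not re-check the socket state it was selected under before it writes sk->sk_err and calls tcp_done(sk). Between spin_unlock_bh(lock) and lock_sock(sk) the socket is only protected by the sock_hold() reference, so a close() that wins that window leaves a socket the hunk still marks ETIMEDOUT and tears down; holding the socket lock serializes with a later close() but does not undo an earlier one. Rather than shipping the TODO, add the check right after lock_sock(sk), e.g. "if (sock_flag(sk, SOCK_DEAD)) { release_sock(sk); sock_put(sk); goto restart; }", and either add the write barrier the comment references (it points at tcp_reset()) or document why the one in tcp_done() suffices. Separately, the three added comment lines use "//" rather than the "/* ... */" form used elsewhere in this file; checkpatch will flag them.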