| author | Lorenzo Colitti <lorenzo@google.com> | 2015-09-15 00:14:23 +0900 |
|---|---|---|
| committer | Gaurav Shah <gauravsh@google.com> | 2015-10-26 09:37:20 -0700 |
| commit | 2b17a02a69c6a0d4266c6ad6883e956bbc9be12f (patch) | |
| tree | dc63b3b12699815656e71aba8602ae162dbd1cae /net/ipv4 | |
| parent | 24c577fb8570d064902887ecb16c4993d5ccfdc4 (diff) | |
| download | qcom-msm-v3.10-2b17a02a69c6a0d4266c6ad6883e956bbc9be12f.tar.gz | |
Fix NULL pointer dereference in tcp_nuke_addr.
tcp_nuke_addr only grabs the bottom half socket lock, but not the
userspace socket lock. This allows a userspace program to call
close() while the socket is running, which causes a NULL pointer
dereference in inet_put_port.
Bug: 23663111
Bug: 24072792
Change-Id: Iecb63af68c2db4764c74785153d1c9054f76b94f
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/tcp.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index e39969cd822..f2f5d0bc629 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3583,14 +3583,17 @@ restart: sock_hold(sk); spin_unlock_bh(lock); + lock_sock(sk); + // TODO: + // Check for SOCK_DEAD again, it could have changed. + // Add a write barrier, see tcp_reset(). local_bh_disable(); - bh_lock_sock(sk); sk->sk_err = ETIMEDOUT; sk->sk_error_report(sk); tcp_done(sk); - bh_unlock_sock(sk); local_bh_enable(); + release_sock(sk); sock_put(sk); goto restart; |
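Review bot: The TODO added right after `lock_sock(sk)` describes an unresolved race rather than a follow-up: between `spin_unlock_bh(lock)` and `lock_sock(sk)` the socket can be closed by userspace, yet the hunk still unconditionally sets `sk->sk_err = ETIMEDOUT`, calls `sk->sk_error_report(sk)` and `tcp_done(sk)` on it. The SOCK_DEAD re-check the comment asks for should be done under the socket lock before these calls, skipping straight to `release_sock(sk); sock_put(sk); goto restart;` when the socket is already dead, so that the fix does not ship with a known gap. Minor style point: the kernel uses `/* ... */` comments, not `//`, and a TODO that documents a correctness hole should not remain in the merged code.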