authorLorenzo Colitti <lorenzo@google.com>2015-09-15 00:14:23 +0900
committerGaurav Shah <gauravsh@google.com>2015-10-26 09:37:20 -0700
commit2b17a02a69c6a0d4266c6ad6883e956bbc9be12f (patch)
treedc63b3b12699815656e71aba8602ae162dbd1cae /net/ipv4
parent24c577fb8570d064902887ecb16c4993d5ccfdc4 (diff)
Fix NULL pointer dereference in tcp_nuke_addr.
tcp_nuke_addr only grabs the bottom-half socket lock, but not the userspace socket lock. This allows a userspace program to call close() while the socket is running, which causes a NULL pointer dereference in inet_put_port. Bug: 23663111 Bug: 24072792 Change-Id: Iecb63af68c2db4764c74785153d1c9054f76b94f Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Diffstat (limited to 'net/ipv4')
-rw-r--r--net/ipv4/tcp.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index e39969cd822..f2f5d0bc629 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3583,14 +3583,17 @@ restart:
sock_hold(sk);
spin_unlock_bh(lock);
+ lock_sock(sk);
+ // TODO:
+ // Check for SOCK_DEAD again, it could have changed.
+ // Add a write barrier, see tcp_reset().
local_bh_disable();
- bh_lock_sock(sk);
sk->sk_err = ETIMEDOUT;
sk->sk_error_report(sk);
tcp_done(sk);
- bh_unlock_sock(sk);
local_bh_enable();
+ release_sock(sk);
sock_put(sk);
goto restart;