
Commit 7d4e1b75 authored by Lorenzo Colitti, committed by Subash Abhinov Kasiviswanathan

Fix NULL pointer dereference in tcp_nuke_addr.

tcp_nuke_addr only grabs the bottom half socket lock, but not the
userspace socket lock. This allows a userspace program to call
close() while the socket is running, which causes a NULL pointer
dereference in inet_put_port.

Bug: 23663111
Bug: 24072792
Change-Id: Iecb63af68c2db4764c74785153d1c9054f76b94f
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Git-commit: 74d66ee756afcc3269e4c1341f793c52be629af9
Git-repo: https://android.googlesource.com/kernel/common/

Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
parent 2f867742
+5 −2
@@ -3255,14 +3255,17 @@ restart:
			sock_hold(sk);
			spin_unlock_bh(lock);

			lock_sock(sk);
			// TODO:
			// Check for SOCK_DEAD again, it could have changed.
			// Add a write barrier, see tcp_reset().
			local_bh_disable();
			bh_lock_sock(sk);
			sk->sk_err = ETIMEDOUT;
			sk->sk_error_report(sk);

			tcp_done(sk);
			bh_unlock_sock(sk);
			local_bh_enable();
			release_sock(sk);
			sock_put(sk);

			goto restart;
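Review bot: The new lock_sock(sk) closes the race with close(), but the TODO left right under it names the remaining gap: between spin_unlock_bh(lock) and lock_sock(sk) the socket can go SOCK_DEAD, and the code then still sets sk->sk_err, calls sk->sk_error_report(sk) and tcp_done(sk) on a socket userspace has already closed. Rather than leaving this as a TODO in the committed fix, re-check the flag once the socket lock is held and skip the teardown when it is set, e.g. after `lock_sock(sk);` add `if (sock_flag(sk, SOCK_DEAD)) { release_sock(sk); sock_put(sk); goto restart; }` so the sock_hold()/sock_put() pairing and the restart of the hash walk stay balanced. The second TODO item (the write barrier, as in tcp_reset()) should likewise either be addressed here or be explained in the commit message as deliberately deferred, since the message only describes the lock_sock() change.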