Merge 4.4.279 into android-4.4-p

Changes in 4.4.279
	btrfs: mark compressed range uptodate only if all bio succeed
	regulator: rt5033: Fix n_voltages settings for BUCK and LDO
	r8152: Fix potential PM refcount imbalance
	net: Fix zero-copy head len calculation.
	Revert "Bluetooth: Shutdown controller after workqueues are flushed or cancelled"
	can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF
	Linux 4.4.279

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie3e6cadbc9c8291c2be61e0a3427225458891c18

1 files changed, 18 insertions, 2 deletions

diff --git a/net/can/raw.c b/net/can/raw.c
index 2e1d850a7f2a..1c2bf97ca168 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -541,10 +541,18 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
 				return -EFAULT;
 		}
 
+		rtnl_lock();
 		lock_sock(sk);
 
-		if (ro->bound && ro->ifindex)
+		if (ro->bound && ro->ifindex) {
 			dev = dev_get_by_index(&init_net, ro->ifindex);
+			if (!dev) {
+				if (count > 1)
+					kfree(filter);
+				err = -ENODEV;
+				goto out_fil;
+			}
+		}
 
 		if (ro->bound) {
 			/* (try to) register the new filters */
@@ -581,6 +589,7 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
 			dev_put(dev);
 
 		release_sock(sk);
+		rtnl_unlock();
 
 		break;
 
@@ -593,10 +602,16 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
 
 		err_mask &= CAN_ERR_MASK;
 
+		rtnl_lock();
 		lock_sock(sk);
 
-		if (ro->bound && ro->ifindex)
+		if (ro->bound && ro->ifindex) {
 			dev = dev_get_by_index(&init_net, ro->ifindex);
+			if (!dev) {
+				err = -ENODEV;
+				goto out_err;
+			}
+		}
 
 		/* remove current error mask */
 		if (ro->bound) {
@@ -618,6 +633,7 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
 			dev_put(dev);
 
 		release_sock(sk);
+		rtnl_unlock();
 
 		break;