CVE-2022-50459

Source
https://cve.org/CVERecord?id=CVE-2022-50459
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50459.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50459
Published
2025-10-01T11:45:31.740Z
Modified
2026-03-20T11:47:28.541758Z
Summary
scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()

Fix a NULL pointer crash that occurs when we are freeing the socket at the same time we access it via sysfs.

The problem is that:

  1. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold() does a get on the "struct sock".

  2. iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put on the "struct socket" and that does __sock_release() which sets the sock->ops to NULL.

  3. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then call kernel_getpeername() which accesses the NULL sock->ops.

Above we do a get on the "struct sock", but we needed a get on the "struct socket". Originally, we just held the frwd_lock the entire time but in commit bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername()") we switched to refcount based because the network layer changed and started taking a mutex in that path, so we could no longer hold the frwd_lock.

Instead of trying to maintain multiple refcounts, this just has us use a mutex for accessing the socket in the interface code paths.
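
The three steps above, replayed deterministically in one thread as an added userspace C model (not kernel code and not the upstream patch). The struct and function names, the `gap` hook and the -EFAULT/-ENOTCONN return codes are assumptions for illustration; the model returns -EFAULT at the point where the kernel would dereference the NULL sock->ops.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
/* Userspace model only; every name here is hypothetical, not kernel code. */
struct ops { int (*getname)(void); }; struct sk { int refcnt; };  /* sk: "struct sock" */
struct msocket { const struct ops *ops; struct sk *sk; };         /* "struct socket" */
struct conn { pthread_mutex_t sock_lock; struct msocket *sock; };
static int peer(void) { return 42; }  /* constructed stand-in for a peer name */
static struct sk k0; static const struct ops o0 = { peer }; static struct msocket s0;
static struct conn c0 = { PTHREAD_MUTEX_INITIALIZER, NULL };
static void reset(void) { k0.refcnt = 1; s0.ops = &o0; s0.sk = &k0; c0.sock = &s0; }
/* Racy reader: pins only the inner object; `gap` runs in the unlocked window. */
static int racy_getname(struct conn *c, void (*gap)(struct conn *)) {
    struct msocket *s = c->sock;
    if (!s) return -ENOTCONN;
    s->sk->refcnt++;                                 /* step 1: sock_hold()-style get */
    if (gap) gap(c);                                 /* step 2: teardown in the window */
    int rc = s->ops ? s->ops->getname() : -EFAULT;   /* step 3: ops may be NULL now */
    s->sk->refcnt--;
    return rc;
}
/* Teardown: detach under the mutex, then do the final put (ops := NULL). */
static void release_conn(struct conn *c) {
    pthread_mutex_lock(&c->sock_lock);
    struct msocket *s = c->sock;
    c->sock = NULL;
    pthread_mutex_unlock(&c->sock_lock);
    if (s) { s->ops = NULL; s->sk->refcnt--; }
}
/* Mutex reader: lookup and call both happen under the lock teardown takes. */
static int locked_getname(struct conn *c) {
    int rc = -ENOTCONN;  /* assumed error code for "socket already gone" */
    pthread_mutex_lock(&c->sock_lock);
    if (c->sock) rc = c->sock->ops->getname();
    pthread_mutex_unlock(&c->sock_lock);
    return rc;
}
/* Racy ordering: the inner refcount is still held, yet ops is already NULL. */
int run_racy(void) { reset(); return racy_getname(&c0, release_conn); }
/* Mutex reader around the same teardown: valid before, -ENOTCONN after. */
int run_locked(void) {
    reset();
    int before = locked_getname(&c0);
    release_conn(&c0);
    return before == 42 && locked_getname(&c0) == -ENOTCONN;
}
int main(void) { return !(run_racy() == -EFAULT && run_locked()); }
```
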

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50459.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bcf3a2953d36bbfb9bd44ccb3db0897d935cc485
Fixed
884a788f065578bb640382279a83d1df433b13e6
Fixed
a26b0658751bb0a3b28386fca715333b104d32a2
Fixed
897dbbc57d71e8a34ec1af8e573a142de457da38
Fixed
0a0b861fce2657ba08ec356a74346b37ca4b2008
Fixed
57569c37f0add1b6489e1a1563c71519daf732cf
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
7d29e950766327f658cb92722b9445ac3b3ae023

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50459.json"