tcp: tcp_child_process() related UAF

int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)

{

	enum skb_drop_reason reason;

	struct sock *rsk;

	reason = psp_sk_rx_policy_check(sk, skb);

	if (reason)

			return 0;

		if (nsk != sk) {

			reason = tcp_child_process(sk, nsk, skb);

			if (reason) {

				rsk = nsk;

			sock_put(nsk);

			if (reason)

				goto reset;

			}

			return 0;

		}

	} else

		sock_rps_save_rxhash(sk, skb);

	reason = tcp_rcv_state_process(sk, skb);

	if (reason) {

		rsk = sk;

	if (reason)

		goto reset;

	}

	return 0;

reset:

	tcp_v4_send_reset(rsk, skb, sk_rst_convert_drop_reason(reason));

	tcp_v4_send_reset(sk, skb, sk_rst_convert_drop_reason(reason));

discard:

	sk_skb_reason_drop(sk, skb, reason);

	/* Be careful here. If this function gets more complicated and

				rst_reason = sk_rst_convert_drop_reason(drop_reason);

				tcp_v4_send_reset(nsk, skb, rst_reason);

				sock_put(nsk);

				goto discard_and_relse;

			}

			sock_put(nsk);

			sock_put(sk);

			return 0;

		}

	}

	bh_unlock_sock(child);

	sock_put(child);

	return reason;

}

	if (sk->sk_state == TCP_LISTEN) {

		struct sock *nsk = tcp_v6_cookie_check(sk, skb);

		if (!nsk)

			return 0;

		if (nsk != sk) {

			if (nsk) {

			reason = tcp_child_process(sk, nsk, skb);

			sock_put(nsk);

			if (reason)

				goto reset;

			}

			return 0;

		}

	} else

				rst_reason = sk_rst_convert_drop_reason(drop_reason);

				tcp_v6_send_reset(nsk, skb, rst_reason);

				sock_put(nsk);

				goto discard_and_relse;

			}

			sock_put(nsk);

			sock_put(sk);

			return 0;

		}