net: fix possible NULL deref in sock_reserve_memory

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2028420
Tested: LNST, Tier1

Upstream commit:
commit d00c8ee31729248ba40b4ab25cd3b3b580c6f87c
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Nov 3 16:49:11 2021 -0700

    net: fix possible NULL deref in sock_reserve_memory

    Sanity check in sock_reserve_memory() was not enough to prevent malicious
    user to trigger a NULL deref.

    In this case, the isse is that sk_prot->memory_allocated is NULL.

    Use standard sk_has_account() helper to deal with this.

    BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
    BUG: KASAN: null-ptr-deref in atomic_long_add_return include/linux/atomic/atomic-instrumented.h:1218 [inline]
    BUG: KASAN: null-ptr-deref in sk_memory_allocated_add include/net/sock.h:1371 [inline]
    BUG: KASAN: null-ptr-deref in sock_reserve_memory net/core/sock.c:994 [inline]
    BUG: KASAN: null-ptr-deref in sock_setsockopt+0x22ab/0x2b30 net/core/sock.c:1443
    Write of size 8 at addr 0000000000000000 by task syz-executor.0/11270

    CPU: 1 PID: 11270 Comm: syz-executor.0 Not tainted 5.15.0-syzkaller #0
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
     __kasan_report mm/kasan/report.c:446 [inline]
     kasan_report.cold+0x66/0xdf mm/kasan/report.c:459
     check_region_inline mm/kasan/generic.c:183 [inline]
     kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
     instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
     atomic_long_add_return include/linux/atomic/atomic-instrumented.h:1218 [inline]
     sk_memory_allocated_add include/net/sock.h:1371 [inline]
     sock_reserve_memory net/core/sock.c:994 [inline]
     sock_setsockopt+0x22ab/0x2b30 net/core/sock.c:1443
     __sys_setsockopt+0x4f8/0x610 net/socket.c:2172
     __do_sys_setsockopt net/socket.c:2187 [inline]
     __se_sys_setsockopt net/socket.c:2184 [inline]
     __x64_sys_setsockopt+0xba/0x150 net/socket.c:2184
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x7f56076d5ae9
    Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007f5604c4b188 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
    RAX: ffffffffffffffda RBX: 00007f56077e8f60 RCX: 00007f56076d5ae9
    RDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000003
    RBP: 00007f560772ff25 R08: 000000000000fec7 R09: 0000000000000000
    R10: 0000000020000000 R11: 0000000000000246 R12: 0000000000000000
    R13: 00007fffb61a100f R14: 00007f5604c4b300 R15: 0000000000022000
     </TASK>

    Fixes: 2bb2f5fb21b0 ("net: add new socket option SO_RESERVE_MEM")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Acked-by: Wei Wang <weiwan@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: Paolo Abeni <pabeni@redhat.com>

net/core/sock.c

@@ -962,7 +962,7 @@ static int sock_reserve_memory(struct sock *sk, int bytes)
 	bool charged;
 	int pages;
 
-	if (!mem_cgroup_sockets_enabled || !sk->sk_memcg)
+	if (!mem_cgroup_sockets_enabled || !sk->sk_memcg || !sk_has_account(sk))
 		return -EOPNOTSUPP;
 
 	if (!bytes)