net/appletalk: fix atalk_release use after free
The BKL removal in appletalk introduced a use-after-free problem, where atalk_destroy_socket frees a sock, but we still release the socket lock on it. An easy fix is to take an extra reference on the sock and sock_put it when returning from atalk_release. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: David S. Miller <davem@davemloft.net>
parent
674f211599
commit
b20e7bbfc7
1 changed files with 3 additions and 0 deletions
|
@ -1051,6 +1051,7 @@ static int atalk_release(struct socket *sock)
|
||||||
{
|
{
|
||||||
struct sock *sk = sock->sk;
|
struct sock *sk = sock->sk;
|
||||||
|
|
||||||
|
sock_hold(sk);
|
||||||
lock_sock(sk);
|
lock_sock(sk);
|
||||||
if (sk) {
|
if (sk) {
|
||||||
sock_orphan(sk);
|
sock_orphan(sk);
|
||||||
|
@ -1058,6 +1059,8 @@ static int atalk_release(struct socket *sock)
|
||||||
atalk_destroy_socket(sk);
|
atalk_destroy_socket(sk);
|
||||||
}
|
}
|
||||||
release_sock(sk);
|
release_sock(sk);
|
||||||
|
sock_put(sk);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
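Review bot: The new `sock_hold(sk)` and the existing `lock_sock(sk)` run before the `if (sk)` test in atalk_release, so a NULL `sock->sk` would be dereferenced ahead of the check meant to guard it; the same applies to `release_sock(sk)` and the new `sock_put(sk)` after the block. Either the check is dead code, or releasing a socket whose sk is already cleared can fault in the kernel. Moving the four calls inside the conditional, with `sock_hold(sk); lock_sock(sk);` as its first statements and `release_sock(sk); sock_put(sk);` as its last, keeps the extra reference that fixes the use-after-free and makes the NULL case a no-op. One line of the function between the two hunks is not shown, so this assumes nothing there needs the lock outside the block.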