net/appletalk: fix atalk_release use after free

The BKL removal in appletalk introduced a use-after-free problem, where atalk_destroy_socket frees a sock, but we still release the socket lock on it. An easy fix is to take an extra reference on the sock and sock_put it when returning from atalk_release. Signed-off-by: N Arnd Bergmann <arnd@arndb.de> Signed-off-by: N David S. Miller <davem@davemloft.net>

net/appletalk: fix atalk_release use after free
The BKL removal in appletalk introduced a use-after-free problem, where atalk_destroy_socket frees a sock, but we still release the socket lock on it. An easy fix is to take an extra reference on the sock and sock_put it when returning from atalk_release. Signed-off-by: N Arnd Bergmann <arnd@arndb.de> Signed-off-by: N David S. Miller <davem@davemloft.net>
b20e7bbf · Arnd Bergmann · David S. Miller · 674f2115 · b20e7bbf
隐藏空白更改
内联并排

Showing with 3 addition and 0 deletion

net/appletalk/ddp.c net/appletalk/ddp.c +3 -0

未找到文件。
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1051,6 +1051,7 @@ static int atalk_release(struct socket *sock)
 {
 	struct sock *sk = sock->sk;
+	sock_hold(sk);
 	lock_sock(sk);
 	if (sk) {
 		sock_orphan(sk);
@@ -1058,6 +1059,8 @@ static int atalk_release(struct socket *sock)
 		atalk_destroy_socket(sk);
 	}
 	release_sock(sk);
+	sock_put(sk);
 	return 0;
 }