From: Arnd Bergmann Date: Tue, 22 Mar 2011 01:18:00 +0000 (-0700) Subject: net/appletalk: fix atalk_release use after free X-Git-Tag: firefly_0821_release~7613^2~1737^2~80 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=b20e7bbfc7a15a4182730f0936433145992b4b06;p=firefly-linux-kernel-4.4.55.git net/appletalk: fix atalk_release use after free The BKL removal in appletalk introduced a use-after-free problem, where atalk_destroy_socket frees a sock, but we still release the socket lock on it. An easy fix is to take an extra reference on the sock and sock_put it when returning from atalk_release. Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller --- diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c index 3d4f4b043406..206e771e82d1 100644 --- a/net/appletalk/ddp.c +++ b/net/appletalk/ddp.c @@ -1051,6 +1051,7 @@ static int atalk_release(struct socket *sock) { struct sock *sk = sock->sk; + sock_hold(sk); lock_sock(sk); if (sk) { sock_orphan(sk); @@ -1058,6 +1059,8 @@ static int atalk_release(struct socket *sock) atalk_destroy_socket(sk); } release_sock(sk); + sock_put(sk); + return 0; }