net/appletalk: fix atalk_release use after free

The BKL removal in appletalk introduced a use-after-free problem, where atalk_destroy_socket frees a sock, but we still release the socket lock on it. An easy fix is to take an extra reference on the sock and sock_put it when returning from atalk_release. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: David S. Miller <davem@davemloft.net>
DX37 · Mar 22, 2011 · b20e7bb · b20e7bb
1 parent 674f211
commit b20e7bb
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
@@ -1051,13 +1051,16 @@ static int atalk_release(struct socket *sock)
 {
 	struct sock *sk = sock->sk;
 
+	sock_hold(sk);
 	lock_sock(sk);
 	if (sk) {
 		sock_orphan(sk);
 		sock->sk = NULL;
 		atalk_destroy_socket(sk);
 	}
 	release_sock(sk);
+	sock_put(sk);
+
 	return 0;
 }