net/appletalk: fix atalk_release use after free
The BKL removal in appletalk introduced a use-after-free problem, where atalk_destroy_socket frees a sock, but we still release the socket lock on it. An easy fix is to take an extra reference on the sock and sock_put it when returning from atalk_release. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Arnd Bergmann
David S. Miller
Родитель
674f211599
Коммит
b20e7bbfc7
|
|
@ -1051,6 +1051,7 @@ static int atalk_release(struct socket *sock)
|
|||
{
|
||||
struct sock *sk = sock->sk;
|
||||
|
||||
sock_hold(sk);
|
||||
lock_sock(sk);
|
||||
if (sk) {
|
||||
sock_orphan(sk);
|
||||
|
|
@ -1058,6 +1059,8 @@ static int atalk_release(struct socket *sock)
|
|||
atalk_destroy_socket(sk);
|
||||
}
|
||||
release_sock(sk);
|
||||
sock_put(sk);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче