author | Arnd Bergmann <arnd@arndb.de> | 2011-03-21 21:18:00 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-03-21 21:18:00 -0400 |
commit | b20e7bbfc7a15a4182730f0936433145992b4b06 (patch) | |
tree | 81df1570eb7840b9ed5b981ad2e437b773448f5a /net/appletalk | |
parent | 674f2115995b7b588cbf3540c9f9b2448a8c7ea8 (diff) |
net/appletalk: fix atalk_release use after free
The BKL removal in appletalk introduced a use-after-free problem,
where atalk_destroy_socket frees a sock, but we still release
the socket lock on it.
An easy fix is to take an extra reference on the sock and drop it with
sock_put when returning from atalk_release.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/appletalk')
-rw-r--r-- | net/appletalk/ddp.c | 3 |
1 files changed, 3 insertions, 0 deletions
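--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1051,6 +1051,7 @@ static int atalk_release(struct socket *sock)
 {
 	struct sock *sk = sock->sk;
 
+	sock_hold(sk);
 	lock_sock(sk);
 	if (sk) {
 		sock_orphan(sk);
@@ -1058,6 +1059,8 @@ static int atalk_release(struct socket *sock)
 		atalk_destroy_socket(sk);
 	}
 	release_sock(sk);
+	sock_put(sk);
+
 	return 0;
 }
 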