aboutsummaryrefslogtreecommitdiffstats
path: root/net/appletalk
diff options
context:
space:
mode:
authorArnd Bergmann <arnd@arndb.de>2011-03-21 21:18:00 -0400
committerDavid S. Miller <davem@davemloft.net>2011-03-21 21:18:00 -0400
commitb20e7bbfc7a15a4182730f0936433145992b4b06 (patch)
tree81df1570eb7840b9ed5b981ad2e437b773448f5a /net/appletalk
parent674f2115995b7b588cbf3540c9f9b2448a8c7ea8 (diff)
net/appletalk: fix atalk_release use after free
The BKL removal in appletalk introduced a use-after-free problem, where atalk_destroy_socket frees a sock, but we still release the socket lock on it. An easy fix is to take an extra reference on the sock and sock_put it when returning from atalk_release. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/appletalk')
-rw-r--r--net/appletalk/ddp.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 3d4f4b043406..206e771e82d1 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1051,6 +1051,7 @@ static int atalk_release(struct socket *sock)
1051{ 1051{
1052 struct sock *sk = sock->sk; 1052 struct sock *sk = sock->sk;
1053 1053
1054 sock_hold(sk);
1054 lock_sock(sk); 1055 lock_sock(sk);
1055 if (sk) { 1056 if (sk) {
1056 sock_orphan(sk); 1057 sock_orphan(sk);
@@ -1058,6 +1059,8 @@ static int atalk_release(struct socket *sock)
1058 atalk_destroy_socket(sk); 1059 atalk_destroy_socket(sk);
1059 } 1060 }
1060 release_sock(sk); 1061 release_sock(sk);
1062 sock_put(sk);
1063
1061 return 0; 1064 return 0;
1062} 1065}
1063 1066