lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

net/appletalk: fix atalk_release use after free

Browse Source 
The BKL removal in appletalk introduced a use-after-free problem,
where atalk_destroy_socket frees a sock, but we still release
the socket lock on it.

An easy fix is to take an extra reference on the sock and sock_put
it when returning from atalk_release.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Arnd Bergmann
2011-03-21 18:18:00 -07:00
committed by David S. Miller
parent 674f211599
commit b20e7bbfc7
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
net/appletalk/ddp.c
View File

@@ -1051,6 +1051,7 @@ static int atalk_release(struct socket *sock)
{ {
struct sock *sk = sock->sk; struct sock *sk = sock->sk;
sock_hold(sk);
lock_sock(sk); lock_sock(sk);
if (sk) { if (sk) {
sock_orphan(sk); sock_orphan(sk);
@@ -1058,6 +1059,8 @@ static int atalk_release(struct socket *sock)
atalk_destroy_socket(sk); atalk_destroy_socket(sk);
} }
release_sock(sk); release_sock(sk);
sock_put(sk);
return 0; return 0;
} }