From: Arnd Bergmann <arnd@arndb.de>
Date: Mon, 21 Mar 2011 18:18:00 -0700
Subject: [PATCH 2/3] net/appletalk: fix atalk_release use after free
commit b20e7bbfc7a15a4182730f0936433145992b4b06 upstream.
The BKL removal in appletalk introduced a use-after-free problem,
where atalk_destroy_socket frees a sock, but we still release
the socket lock on it.
An easy fix is to take an extra reference on the sock and sock_put
it when returning from atalk_release.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/appletalk/ddp.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 3d4f4b0..206e771 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1051,6 +1051,7 @@ static int atalk_release(struct socket *sock)
{
struct sock *sk = sock->sk;
|
|
|
|
+ sock_hold(sk);
lock_sock(sk);
if (sk) {
sock_orphan(sk);
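Review bot: The added `sock_hold(sk)` sits above the `if (sk)` test two lines below it, so together with the pre-existing unconditional `lock_sock(sk)` the function dereferences sk before it checks whether sk is NULL; the guard is therefore either dead or arrives too late. If sk can actually be NULL here (the existing check suggests the author thought so), the hold, the lock, the `release_sock(sk)` and the `sock_put(sk)` added in the second hunk should all move inside the guard; if it cannot, the check should be dropped so the two calls no longer contradict it. The lines between the two hunks (the rest of the `if (sk)` body) are not visible here, so the sketch below keeps them as a comment.
```c
static int atalk_release(struct socket *sock)
{
	struct sock *sk = sock->sk;

	if (sk) {
		sock_hold(sk);
		lock_sock(sk);
		sock_orphan(sk);
		/* … unchanged: rest of the if (sk) body, including atalk_destroy_socket(sk) … */
		release_sock(sk);
		sock_put(sk);
	}
	return 0;
}
```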
@@ -1058,6 +1059,8 @@ static int atalk_release(struct socket *sock)
atalk_destroy_socket(sk);
}
release_sock(sk);
+ sock_put(sk);
+
return 0;
}
--
1.7.4.1