The BKL removal in appletalk introduced a use-after-free problem,
where atalk_destroy_socket frees a sock, but we still release
the socket lock on it.
An easy fix is to take an extra reference on the sock and sock_put
it when returning from atalk_release.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
{
struct sock *sk = sock->sk;
+ sock_hold(sk);
lock_sock(sk);
if (sk) {
sock_orphan(sk);
atalk_destroy_socket(sk);
}
release_sock(sk);
+ sock_put(sk);
+
return 0;
}
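Review bot: The new sock_hold(sk) at the top of the function runs before the existing `if (sk)` test, as does lock_sock(sk), so if sk can be NULL on this path the added call dereferences it before the check is reached, and the trailing release_sock(sk) / sock_put(sk) pair has the same exposure. Either return early when sk is NULL and do the hold, lock, destroy, release and put only on the non-NULL path, or, if sock->sk can never be NULL at release time, drop the `if (sk)` test so the code does not suggest otherwise. A short comment beside sock_hold(sk) saying that the extra reference keeps sk valid across atalk_destroy_socket() until release_sock() has run would also help, since the pairing with sock_put(sk) is otherwise only explained in the commit message.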