[NET] Fix X.25 use after free.

The conversion from cli/sti to locking in X.25 must not have been tested on a real SMP with memory debugging enabled. It OOPS right away if I do: modprobe x25; ifconfig -a The problem is that it dereferences the socket after it has already been freed. The fix for this is to make the call to sock_put, later in x25_destroy_socket do the free. Also, need a go to avoid references in x25_release.

[NET] Fix X.25 use after free.
The conversion from cli/sti to locking in X.25 must not have been tested on a real SMP with memory debugging enabled. It OOPS right away if I do: modprobe x25; ifconfig -a The problem is that it dereferences the socket after it has already been freed. The fix for this is to make the call to sock_put, later in x25_destroy_socket do the free. Also, need a go to avoid references in x25_release.
ee1dc142 · Stephen Hemminger · ca8c5e0e · ee1dc142
Commit ee1dc142 authored Aug 07, 2003 by Stephen Hemminger
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

net/x25/af_x25.c net/x25/af_x25.c +6 -3

No files found.
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -350,8 +350,11 @@ void x25_destroy_socket(struct sock *sk)
 		sk->sk_timer.function = x25_destroy_timer;
 		sk->sk_timer.data     = (unsigned long)sk;
 		add_timer(&sk->sk_timer);
-	} else
-		sk_free(sk);
+	} else {
+		/* drop last reference so sock_put will free */
+		__sock_put(sk);
+	}
+
 	release_sock(sk);
 	sock_put(sk);
 }
@@ -553,7 +556,7 @@ static int x25_release(struct socket *sock)
 		case X25_STATE_2:
 			x25_disconnect(sk, 0, 0, 0);
 			x25_destroy_socket(sk);
-			break;
+			goto out;

 		case X25_STATE_1:
 		case X25_STATE_3: