    [NETLINK]: Fix module refcounting problems · 77247bbb
    Patrick McHardy authored
    Use-after-free: the struct proto_ops containing the module pointer
    is freed when a socket with pid=0 is released, which besides for kernel
    sockets is true for all unbound sockets.
    
    Module refcount leak: when the kernel socket is closed before all user
    sockets have been closed the proto_ops struct for this family is
    replaced by the generic one and the module refcount can't be dropped.
    
    The second problem can't be solved cleanly using module refcounting in the
    generic socket code, so this patch adds explicit refcounting to
    netlink_create/netlink_release.
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
af_netlink.c 32.1 KB
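
A user-space model of the refcount leak described in the commit message, added here as an illustration; it is not code from the patch or from the kernel. All names (`struct ops`, `struct sock`, `sock_create`, `sock_release`, `refs_left`) are hypothetical stand-ins, and only the leak is modelled, not the use-after-free.

```c
#include <stddef.h>

struct module { int refcnt; };              /* stand-in for a kernel module */
struct ops    { struct module *owner; };    /* stand-in for struct proto_ops */
struct sock {
    const struct ops *ops;                  /* can be swapped to the generic ops */
    struct module *pinned;                  /* reference this socket took itself */
};

static const struct ops generic_ops = { NULL };   /* generic ops: no owner */

static void get(struct module *m) { if (m) m->refcnt++; }
static void put(struct module *m) { if (m) m->refcnt--; }

/* pin != 0 models explicit refcounting: the socket records what it took. */
static void sock_create(struct sock *sk, const struct ops *family_ops, int pin)
{
    sk->ops = family_ops;
    sk->pinned = pin ? family_ops->owner : NULL;
    get(family_ops->owner);                 /* one reference per socket */
}

static void sock_release(struct sock *sk, int pin)
{
    /* pin == 0: drop via whatever ops the socket points at now.
     * pin != 0: drop the reference recorded at create time. */
    put(pin ? sk->pinned : sk->ops->owner);
}

/* Kernel socket goes away while two user sockets are still open. */
static int refs_left(int pin)
{
    struct module mod = { 0 };
    struct ops family_ops = { &mod };
    struct sock a, b;

    sock_create(&a, &family_ops, pin);
    sock_create(&b, &family_ops, pin);
    a.ops = b.ops = &generic_ops;           /* family ops replaced by generic */
    sock_release(&a, pin);
    sock_release(&b, pin);
    return mod.refcnt;                      /* non-zero means leaked references */
}

int main(void)
{
    return (refs_left(0) == 2 && refs_left(1) == 0) ? 0 : 1;
}
```
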