[NET] Fix X.25 use after free.

The conversion from cli/sti to locking in X.25 must not have been tested
on a real SMP with memory debugging enabled.  It OOPS right away if
I do:
        modprobe x25; ifconfig -a

The problem is that it dereferences the socket after it has already been
freed.  The fix for this is to make the call to sock_put, later in
x25_destroy_socket do the free.  Also, need a go to avoid references
in x25_release.

diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 5d0a21917be424b13dfded0a27518030b411f95a..718cf37aade286ccd34ca5e622a6477d519234e7 100644 (file)
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -350,8 +350,11 @@ void x25_destroy_socket(struct sock *sk)
                sk->sk_timer.function = x25_destroy_timer;
                sk->sk_timer.data     = (unsigned long)sk;
                add_timer(&sk->sk_timer);
-       } else
-               sk_free(sk);
+       } else {
+               /* drop last reference so sock_put will free */
+               __sock_put(sk);
+       }
+
        release_sock(sk);
        sock_put(sk);
 }
@@ -553,7 +556,7 @@ static int x25_release(struct socket *sock)
                case X25_STATE_2:
                        x25_disconnect(sk, 0, 0, 0);
                        x25_destroy_socket(sk);
-                       break;
+                       goto out;
 
                case X25_STATE_1:
                case X25_STATE_3: