netrom: hold sock when setting skb->destructor

sock_efree() releases the sock refcnt, if we don't hold this refcnt when setting skb->destructor to it, the refcnt would not be balanced. This leads to several bug reports from syzbot. I have checked other users of sock_efree(), all of them hold the sock refcnt. Fixes: c8c8218ec5af ("netrom: fix a memory leak in nr_rx_frame()") Reported-and-tested-by: <[email protected]> Reported-and-tested-by: <[email protected]> Reported-and-tested-by: <[email protected]> Reported-and-tested-by: <[email protected]> Cc: Ralf Baechle <[email protected]> Signed-off-by: Cong Wang <[email protected]> Signed-off-by: David S. Miller <[email protected]>
author: Cong Wang <[email protected]> 2019-07-22 20:41:22 -0700
committer: David S. Miller <[email protected]> 2019-07-24 15:49:05 -0700
commit: 4638faac032756f7eab5524be7be56bee77e426b (patch)
tree: 38618815779fbe9dd5aec1b2f3c4fab4ed23a9c3
parent: 260637903f47f20c5918bb5c1eea52b2a28ea863 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 96740d389377..c4f54ad2b98a 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -967,6 +967,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
 
 	window = skb->data[20];
 
+	sock_hold(make);
 	skb->sk             = make;
 	skb->destructor     = sock_efree;
 	make->sk_state	    = TCP_ESTABLISHED;
author	Cong Wang <[email protected]>	2019-07-22 20:41:22 -0700
committer	David S. Miller <[email protected]>	2019-07-24 15:49:05 -0700
commit	4638faac032756f7eab5524be7be56bee77e426b (patch)
tree	38618815779fbe9dd5aec1b2f3c4fab4ed23a9c3
parent	260637903f47f20c5918bb5c1eea52b2a28ea863 (diff)