Ignat Korchagin wrote:
> After sock_init_data() the allocated sk object is attached to the provided
> sock object. On error, packet_create() frees the sk object leaving the
> dangling pointer in the sock object on return. Some other code may try
> to use this pointer and cause use-after-free.
>
> Suggested-by: Eric Dumazet <edumazet@xxxxxxxxxx>
> Signed-off-by: Ignat Korchagin <ignat@xxxxxxxxxxxxxx>

Reviewed-by: Willem de Bruijn <willemb@xxxxxxxxxx>
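
The pattern described in the quoted commit message, as an added userspace model that is not part of the original thread and is not kernel code. All struct and function names are hypothetical stand-ins, and the reordering shown as a remedy is an assumption, since the patch itself is not shown here.

```c
#include <stddef.h>

/* Userspace model of the pattern; all names are hypothetical stand-ins,
 * not kernel APIs. Objects come from one static slot so that inspecting a
 * "freed" object stays well-defined in this demo. */
struct sk_model   { int live; };
struct sock_model { struct sk_model *sk; };

static struct sk_model slot;

static struct sk_model *sk_model_alloc(void) { slot.live = 1; return &slot; }
static void sk_model_free(struct sk_model *sk) { sk->live = 0; }

/* Plays the role of sock_init_data(): attaches sk to the caller's sock. */
static void attach(struct sock_model *sock, struct sk_model *sk) { sock->sk = sk; }

/* Pattern from the commit message: fail after attaching, free sk, return. */
int create_buggy(struct sock_model *sock, int step_fails)
{
    struct sk_model *sk = sk_model_alloc();
    attach(sock, sk);
    if (step_fails) {
        sk_model_free(sk);   /* sock->sk still points at the freed object */
        return -1;
    }
    return 0;
}

/* One possible remedy (assumed): finish every fallible step before attaching. */
int create_reordered(struct sock_model *sock, int step_fails)
{
    struct sk_model *sk = sk_model_alloc();
    if (step_fails) {
        sk_model_free(sk);   /* nothing references sk yet */
        return -1;
    }
    attach(sock, sk);
    return 0;
}

/* Returns 1 when a failed create left sock->sk pointing at a freed object. */
int leaves_dangling(int (*create)(struct sock_model *, int))
{
    struct sock_model sock = { NULL };
    int err = create(&sock, 1);
    return err != 0 && sock.sk != NULL && !sock.sk->live;
}
```

The caller owns the sock object and keeps it after the error return, which is why a stale sk pointer left in it can be reached later by unrelated cleanup code.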