qrtr: orphan socket in qrtr_release()

We have to detach sock from socket in qrtr_release(),
otherwise skb->sk may still reference to this socket
when the skb is released in tun->queue, particularly
sk->sk_wq still points to &sock->wq, which leads to
a UAF.

Reported-and-tested-by: [email protected]
Fixes: 28fb4e5 ("net: qrtr: Expose tunneling endpoint to user space")
Cc: Bjorn Andersson <[email protected]>
Cc: Eric Dumazet <[email protected]>
Signed-off-by: Cong Wang <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

Author: congwang

net/qrtr/qrtr.c

@@ -1180,6 +1180,7 @@ static int qrtr_release(struct socket *sock)
 		sk->sk_state_change(sk);
 
 	sock_set_flag(sk, SOCK_DEAD);
+	sock_orphan(sk);
 	sock->sk = NULL;
 
 	if (!sock_flag(sk, SOCK_ZAPPED))