rose_find_socket() returns a raw socket pointer after releasing
rose_list_lock. The socket can be freed by a concurrent close()
between the unlock and the caller's use of the pointer, leading
to a use-after-free.

Add sock_hold() before returning the found socket, and update
callers to sock_put() when done.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
---
 net/rose/af_rose.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index ba56213e0a2a..b32b136f80aa 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -1,4 +1,5 @@
-// SPDX-License-Identifier: GPL-2.0-or-later
+	if (s)
+		sock_hold(s);// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  *
  * Copyright (C) Jonathan Naylor G4KLX (g4klx@g4klx.demon.co.uk)
-- 
2.39.3 (Apple Git-145)