From e53b671b4f75fe86ace1cb78566ccdbdb56aad01 Mon Sep 17 00:00:00 2001
From: Lv Yunlong <lylgood@foxmail.com>
Date: Tue, 18 May 2021 15:23:15 -0400
Subject: [PATCH] socket: Release cred reference later in sodealloc()

We dereference so->so_cred to update the per-uid socket buffer
accounting, so the crfree() call must be deferred until after that
point.

PR:		255869

(cherry picked from commit b295c5ddcef4744ef7044d2327b4258b6ad055f0)
---
 sys/kern/uipc_socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 7f06b51cf09..3436004b53a 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -475,7 +475,6 @@ sodealloc(struct socket *so)
 #endif
 	hhook_run_socket(so, NULL, HHOOK_SOCKET_CLOSE);
 
-	crfree(so->so_cred);
 	khelp_destroy_osd(&so->osd);
 	if (SOLISTENING(so)) {
 		if (so->sol_accept_filter != NULL)
@@ -492,6 +491,7 @@ sodealloc(struct socket *so)
 		SOCKBUF_LOCK_DESTROY(&so->so_snd);
 		SOCKBUF_LOCK_DESTROY(&so->so_rcv);
 	}
+	crfree(so->so_cred);
 	mtx_destroy(&so->so_lock);
 	uma_zfree(socket_zone, so);
 }