Phonet: fix potential use-after-free in pep_sock_close()

[safe/jmp/linux-2.6] / net / phonet / pep.c

diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index af4d38b..7b048a3 100644 (file)
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -626,6 +626,7 @@ static void pep_sock_close(struct sock *sk, long timeout)
        struct pep_sock *pn = pep_sk(sk);
        int ifindex = 0;
 
+       sock_hold(sk); /* keep a reference after sk_common_release() */
        sk_common_release(sk);
 
        lock_sock(sk);
@@ -644,6 +645,7 @@ static void pep_sock_close(struct sock *sk, long timeout)
 
        if (ifindex)
                gprs_detach(sk);
+       sock_put(sk);
 }
 
 static int pep_wait_connreq(struct sock *sk, int noblock)