Phonet: listening socket lock protects the connected socket list

The accept()'d socket need to be unhashed while the (listen()'ing)
socket lock is held. This fixes a race condition that could lead to an
OOPS.

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index 7b048a3..94d72e8 100644 (file)
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -1045,12 +1045,12 @@ static void pep_sock_unhash(struct sock *sk)
        lock_sock(sk);
        if ((1 << sk->sk_state) & ~(TCPF_CLOSE|TCPF_LISTEN)) {
                skparent = pn->listener;
-               sk_del_node_init(sk);
                release_sock(sk);
 
-               sk = skparent;
                pn = pep_sk(skparent);
-               lock_sock(sk);
+               lock_sock(skparent);
+               sk_del_node_init(sk);
+               sk = skparent;
        }
        /* Unhash a listening sock only when it is closed
         * and all of its active connected pipes are closed. */