Phonet: listening socket lock protects the connected socket list

The accept()'d socket need to be unhashed while the (listen()'ing)
socket lock is held. This fixes a race condition that could lead to an
OOPS.

Signed-off-by: Rémi Denis-Courmont <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index 7b048a35ca5837368e4ace101a57564eacbb51fc..94d72e85a475ae094d14f8df5f4f54a936f0db15 100644 (file)
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -1045,12 +1045,12 @@ static void pep_sock_unhash(struct sock *sk)
        lock_sock(sk);
        if ((1 << sk->sk_state) & ~(TCPF_CLOSE|TCPF_LISTEN)) {
                skparent = pn->listener;
-               sk_del_node_init(sk);
                release_sock(sk);
 
-               sk = skparent;
                pn = pep_sk(skparent);
-               lock_sock(sk);
+               lock_sock(skparent);
+               sk_del_node_init(sk);
+               sk = skparent;
        }
        /* Unhash a listening sock only when it is closed
         * and all of its active connected pipes are closed. */