ipx: fix ipx_release()

Commit b0d0d915d1d1a0 (remove the BKL) added a regression, because
sock_put() can free memory while we are going to use it later.

Fix is to delay sock_put() _after_ release_sock().

Reported-by: Ingo Molnar <mingo@elte.hu>
Tested-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
index 2731b51923d1f964e3446f0a39ceb5221cd74a56..9680226640ef783c164618f2f2f8fd5504259f4a 100644 (file)
--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
@@ -148,7 +148,6 @@ static void ipx_destroy_socket(struct sock *sk)
        ipx_remove_socket(sk);
        skb_queue_purge(&sk->sk_receive_queue);
        sk_refcnt_debug_dec(sk);
-       sock_put(sk);
 }
 
 /*
@@ -1404,6 +1403,7 @@ static int ipx_release(struct socket *sock)
        sk_refcnt_debug_release(sk);
        ipx_destroy_socket(sk);
        release_sock(sk);
+       sock_put(sk);
 out:
        return 0;
 }