Fix use-after-free oops in Bluetooth HID.

[powerpc.git] / net / bluetooth / hidp / core.c

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index ceadfcf..450eb02 100644 (file)
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -581,15 +581,6 @@ static int hidp_session(void *arg)
 
        hidp_del_timer(session);
 
-       fput(session->intr_sock->file);
-
-       wait_event_timeout(*(ctrl_sk->sk_sleep),
-               (ctrl_sk->sk_state == BT_CLOSED), msecs_to_jiffies(500));
-
-       fput(session->ctrl_sock->file);
-
-       __hidp_unlink_session(session);
-
        if (session->input) {
                input_unregister_device(session->input);
                session->input = NULL;
@@ -601,6 +592,15 @@ static int hidp_session(void *arg)
                hid_free_device(session->hid);
        }
 
+       fput(session->intr_sock->file);
+
+       wait_event_timeout(*(ctrl_sk->sk_sleep),
+               (ctrl_sk->sk_state == BT_CLOSED), msecs_to_jiffies(500));
+
+       fput(session->ctrl_sock->file);
+
+       __hidp_unlink_session(session);
+
        up_write(&hidp_session_sem);
 
        kfree(session);