[ATM] CLIP: Do not refer freed skbuff in clip_mkip().

In clip_mkip(), skb->dev is dereferenced after clip_push(),
which frees up skb.

Advisory: AD_LAB-06009 (<adlab@venustech.com.cn>).

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/atm/clip.c

@@ -500,9 +500,11 @@ static int clip_mkip(struct atm_vcc *vcc, int timeout)
 		} else {
 			unsigned int len = skb->len;
 
+			skb_get(skb);
 			clip_push(vcc, skb);
 			PRIV(skb->dev)->stats.rx_packets--;
 			PRIV(skb->dev)->stats.rx_bytes -= len;
+			kfree_skb(skb);
 		}
 	return 0;
 }