soclose() & so->so_upcall() = race?

[Alexander Motin]

Hi.

As I can see so_upcall() callback is called with SOCKBUF_MTX unlocked. 
It means that SB_UPCALL flag can be removed during call and socket can 
be closed and deallocated with soclose() while callback is running. Am I 
right or I have missed something? How in that situation socket pointer 
protected from being used after free?

-- 
Alexander Motin