ax25: netrom: rose: Fix timer oopses

Wrong ax25_cb refcounting in ax25_send_frame() and by its callers can
cause timer oopses (first reported with 2.6.29.6 kernel).

Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14905

Reported-by: Bernard Pidoux <bpidoux@free.fr>
Tested-by: Bernard Pidoux <bpidoux@free.fr>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Jarek Poplawski 2010-01-16 01:04:04 -08:00 committed by David S. Miller
parent 2a04cd4c7d
commit d00c362f1b
5 changed files with 27 additions and 5 deletions

View File

@ -132,6 +132,8 @@ static __inline__ void nr_node_put(struct nr_node *nr_node)
static __inline__ void nr_neigh_put(struct nr_neigh *nr_neigh) static __inline__ void nr_neigh_put(struct nr_neigh *nr_neigh)
{ {
if (atomic_dec_and_test(&nr_neigh->refcount)) { if (atomic_dec_and_test(&nr_neigh->refcount)) {
if (nr_neigh->ax25)
ax25_cb_put(nr_neigh->ax25);
kfree(nr_neigh->digipeat); kfree(nr_neigh->digipeat);
kfree(nr_neigh); kfree(nr_neigh);
} }

View File

@ -92,6 +92,12 @@ ax25_cb *ax25_send_frame(struct sk_buff *skb, int paclen, ax25_address *src, ax2
#endif #endif
} }
/*
* There is one ref for the state machine; a caller needs
* one more to put it back, just like with the existing one.
*/
ax25_cb_hold(ax25);
ax25_cb_add(ax25); ax25_cb_add(ax25);
ax25->state = AX25_STATE_1; ax25->state = AX25_STATE_1;

View File

@ -843,12 +843,13 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
dptr = skb_push(skb, 1); dptr = skb_push(skb, 1);
*dptr = AX25_P_NETROM; *dptr = AX25_P_NETROM;
ax25s = ax25_send_frame(skb, 256, (ax25_address *)dev->dev_addr, &nr_neigh->callsign, nr_neigh->digipeat, nr_neigh->dev); ax25s = nr_neigh->ax25;
if (nr_neigh->ax25 && ax25s) { nr_neigh->ax25 = ax25_send_frame(skb, 256,
/* We were already holding this ax25_cb */ (ax25_address *)dev->dev_addr,
&nr_neigh->callsign,
nr_neigh->digipeat, nr_neigh->dev);
if (ax25s)
ax25_cb_put(ax25s); ax25_cb_put(ax25s);
}
nr_neigh->ax25 = ax25s;
dev_put(dev); dev_put(dev);
ret = (nr_neigh->ax25 != NULL); ret = (nr_neigh->ax25 != NULL);

View File

@ -101,13 +101,17 @@ static void rose_t0timer_expiry(unsigned long param)
static int rose_send_frame(struct sk_buff *skb, struct rose_neigh *neigh) static int rose_send_frame(struct sk_buff *skb, struct rose_neigh *neigh)
{ {
ax25_address *rose_call; ax25_address *rose_call;
ax25_cb *ax25s;
if (ax25cmp(&rose_callsign, &null_ax25_address) == 0) if (ax25cmp(&rose_callsign, &null_ax25_address) == 0)
rose_call = (ax25_address *)neigh->dev->dev_addr; rose_call = (ax25_address *)neigh->dev->dev_addr;
else else
rose_call = &rose_callsign; rose_call = &rose_callsign;
ax25s = neigh->ax25;
neigh->ax25 = ax25_send_frame(skb, 260, rose_call, &neigh->callsign, neigh->digipeat, neigh->dev); neigh->ax25 = ax25_send_frame(skb, 260, rose_call, &neigh->callsign, neigh->digipeat, neigh->dev);
if (ax25s)
ax25_cb_put(ax25s);
return (neigh->ax25 != NULL); return (neigh->ax25 != NULL);
} }
@ -120,13 +124,17 @@ static int rose_send_frame(struct sk_buff *skb, struct rose_neigh *neigh)
static int rose_link_up(struct rose_neigh *neigh) static int rose_link_up(struct rose_neigh *neigh)
{ {
ax25_address *rose_call; ax25_address *rose_call;
ax25_cb *ax25s;
if (ax25cmp(&rose_callsign, &null_ax25_address) == 0) if (ax25cmp(&rose_callsign, &null_ax25_address) == 0)
rose_call = (ax25_address *)neigh->dev->dev_addr; rose_call = (ax25_address *)neigh->dev->dev_addr;
else else
rose_call = &rose_callsign; rose_call = &rose_callsign;
ax25s = neigh->ax25;
neigh->ax25 = ax25_find_cb(rose_call, &neigh->callsign, neigh->digipeat, neigh->dev); neigh->ax25 = ax25_find_cb(rose_call, &neigh->callsign, neigh->digipeat, neigh->dev);
if (ax25s)
ax25_cb_put(ax25s);
return (neigh->ax25 != NULL); return (neigh->ax25 != NULL);
} }

View File

@ -235,6 +235,8 @@ static void rose_remove_neigh(struct rose_neigh *rose_neigh)
if ((s = rose_neigh_list) == rose_neigh) { if ((s = rose_neigh_list) == rose_neigh) {
rose_neigh_list = rose_neigh->next; rose_neigh_list = rose_neigh->next;
if (rose_neigh->ax25)
ax25_cb_put(rose_neigh->ax25);
kfree(rose_neigh->digipeat); kfree(rose_neigh->digipeat);
kfree(rose_neigh); kfree(rose_neigh);
return; return;
@ -243,6 +245,8 @@ static void rose_remove_neigh(struct rose_neigh *rose_neigh)
while (s != NULL && s->next != NULL) { while (s != NULL && s->next != NULL) {
if (s->next == rose_neigh) { if (s->next == rose_neigh) {
s->next = rose_neigh->next; s->next = rose_neigh->next;
if (rose_neigh->ax25)
ax25_cb_put(rose_neigh->ax25);
kfree(rose_neigh->digipeat); kfree(rose_neigh->digipeat);
kfree(rose_neigh); kfree(rose_neigh);
return; return;
@ -812,6 +816,7 @@ void rose_link_failed(ax25_cb *ax25, int reason)
if (rose_neigh != NULL) { if (rose_neigh != NULL) {
rose_neigh->ax25 = NULL; rose_neigh->ax25 = NULL;
ax25_cb_put(ax25);
rose_del_route_by_neigh(rose_neigh); rose_del_route_by_neigh(rose_neigh);
rose_kill_by_neigh(rose_neigh); rose_kill_by_neigh(rose_neigh);