diff options
| author | Jarek Poplawski <jarkao2@gmail.com> | 2010-01-16 04:04:04 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2010-01-16 04:04:04 -0500 |
| commit | d00c362f1b0ff54161e0a42b4554ac621a9ef92d (patch) | |
| tree | 33ffeef90727309ad67690b2b7b63e1161b052ec /net/netrom | |
| parent | 2a04cd4c7d41c4549764734dcf5a883d304e3229 (diff) | |
ax25: netrom: rose: Fix timer oopses
Wrong ax25_cb refcounting in ax25_send_frame() and by its callers can
cause timer oopses (first reported with 2.6.29.6 kernel).
Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14905
Reported-by: Bernard Pidoux <bpidoux@free.fr>
Tested-by: Bernard Pidoux <bpidoux@free.fr>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netrom')
| -rw-r--r-- | net/netrom/nr_route.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c index aacba76070fc..e2e2d33cafdf 100644 --- a/net/netrom/nr_route.c +++ b/net/netrom/nr_route.c | |||
| @@ -843,12 +843,13 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25) | |||
| 843 | dptr = skb_push(skb, 1); | 843 | dptr = skb_push(skb, 1); |
| 844 | *dptr = AX25_P_NETROM; | 844 | *dptr = AX25_P_NETROM; |
| 845 | 845 | ||
| 846 | ax25s = ax25_send_frame(skb, 256, (ax25_address *)dev->dev_addr, &nr_neigh->callsign, nr_neigh->digipeat, nr_neigh->dev); | 846 | ax25s = nr_neigh->ax25; |
| 847 | if (nr_neigh->ax25 && ax25s) { | 847 | nr_neigh->ax25 = ax25_send_frame(skb, 256, |
| 848 | /* We were already holding this ax25_cb */ | 848 | (ax25_address *)dev->dev_addr, |
| 849 | &nr_neigh->callsign, | ||
| 850 | nr_neigh->digipeat, nr_neigh->dev); | ||
| 851 | if (ax25s) | ||
| 849 | ax25_cb_put(ax25s); | 852 | ax25_cb_put(ax25s); |
| 850 | } | ||
| 851 | nr_neigh->ax25 = ax25s; | ||
| 852 | 853 | ||
| 853 | dev_put(dev); | 854 | dev_put(dev); |
| 854 | ret = (nr_neigh->ax25 != NULL); | 855 | ret = (nr_neigh->ax25 != NULL); |