ax25: netrom: rose: Fix timer oopses

Wrong ax25_cb refcounting in ax25_send_frame() and by its callers can cause timer oopses (first reported with 2.6.29.6 kernel). Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14905 Reported-by: Bernard Pidoux <bpidoux@free.fr> Tested-by: Bernard Pidoux <bpidoux@free.fr> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Jarek Poplawski <jarkao2@gmail.com> 2010-01-16 04:04:04 -0500
committer: David S. Miller <davem@davemloft.net> 2010-01-16 04:04:04 -0500
commit: d00c362f1b0ff54161e0a42b4554ac621a9ef92d (patch)
tree: 33ffeef90727309ad67690b2b7b63e1161b052ec /net/rose
parent: 2a04cd4c7d41c4549764734dcf5a883d304e3229 (diff)
2 files changed, 13 insertions, 0 deletions
diff --git a/net/rose/rose_link.c b/net/rose/rose_link.c
index bd86a63960ce..5ef5f6988a2e 100644
--- a/net/rose/rose_link.c
+++ b/net/rose/rose_link.c
@@ -101,13 +101,17 @@ static void rose_t0timer_expiry(unsigned long param)
 static int rose_send_frame(struct sk_buff *skb, struct rose_neigh *neigh)
 {
        ax25_address *rose_call;
+        ax25_cb *ax25s;
        if (ax25cmp(&rose_callsign, &null_ax25_address) == 0)
                rose_call = (ax25_address *)neigh->dev->dev_addr;
        else
                rose_call = &rose_callsign;
+        ax25s = neigh->ax25;
        neigh->ax25 = ax25_send_frame(skb, 260, rose_call, &neigh->callsign, neigh->digipeat, neigh->dev);
+        if (ax25s)
+                ax25_cb_put(ax25s);
        return (neigh->ax25 != NULL);
 }
@@ -120,13 +124,17 @@ static int rose_send_frame(struct sk_buff *skb, struct rose_neigh *neigh)
 static int rose_link_up(struct rose_neigh *neigh)
 {
        ax25_address *rose_call;
+        ax25_cb *ax25s;
        if (ax25cmp(&rose_callsign, &null_ax25_address) == 0)
                rose_call = (ax25_address *)neigh->dev->dev_addr;
        else
                rose_call = &rose_callsign;
+        ax25s = neigh->ax25;
        neigh->ax25 = ax25_find_cb(rose_call, &neigh->callsign, neigh->digipeat, neigh->dev);
+        if (ax25s)
+                ax25_cb_put(ax25s);
        return (neigh->ax25 != NULL);
 }
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index 795c4b025e31..70a0b3b4b4d2 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -235,6 +235,8 @@ static void rose_remove_neigh(struct rose_neigh *rose_neigh)
        if ((s = rose_neigh_list) == rose_neigh) {
                rose_neigh_list = rose_neigh->next;
+                if (rose_neigh->ax25)
+                        ax25_cb_put(rose_neigh->ax25);
                kfree(rose_neigh->digipeat);
                kfree(rose_neigh);
                return;
@@ -243,6 +245,8 @@ static void rose_remove_neigh(struct rose_neigh *rose_neigh)
        while (s != NULL && s->next != NULL) {
                if (s->next == rose_neigh) {
                        s->next = rose_neigh->next;
+                        if (rose_neigh->ax25)
+                                ax25_cb_put(rose_neigh->ax25);
                        kfree(rose_neigh->digipeat);
                        kfree(rose_neigh);
                        return;
@@ -812,6 +816,7 @@ void rose_link_failed(ax25_cb *ax25, int reason)
        if (rose_neigh != NULL) {
                rose_neigh->ax25 = NULL;
+                ax25_cb_put(ax25);
                rose_del_route_by_neigh(rose_neigh);
                rose_kill_by_neigh(rose_neigh);
author	Jarek Poplawski <jarkao2@gmail.com>	2010-01-16 04:04:04 -0500
committer	David S. Miller <davem@davemloft.net>	2010-01-16 04:04:04 -0500
commit	d00c362f1b0ff54161e0a42b4554ac621a9ef92d (patch)
tree	33ffeef90727309ad67690b2b7b63e1161b052ec /net/rose
parent	2a04cd4c7d41c4549764734dcf5a883d304e3229 (diff)