ax25: netrom: rose: Fix timer oopses

[ Upstream commit d00c362f1b0ff54161e0a42b4554ac621a9ef92d ]

Wrong ax25_cb refcounting in ax25_send_frame() and by its callers can
cause timer oopses (first reported with 2.6.29.6 kernel).

Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14905
Reported-by: Bernard Pidoux <bpidoux@free.fr>
Tested-by: Bernard Pidoux <bpidoux@free.fr>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/include/net/netrom.h b/include/net/netrom.h
index 15696b1fd30fbe85c248ad95fba4a4e7db4f4454..ab170a60e7d31a6a72b2f88fd7e3696007abb039 100644 (file)
--- a/include/net/netrom.h
+++ b/include/net/netrom.h
@@ -132,6 +132,8 @@ static __inline__ void nr_node_put(struct nr_node *nr_node)
 static __inline__ void nr_neigh_put(struct nr_neigh *nr_neigh)
 {
        if (atomic_dec_and_test(&nr_neigh->refcount)) {
+               if (nr_neigh->ax25)
+                       ax25_cb_put(nr_neigh->ax25);
                kfree(nr_neigh->digipeat);
                kfree(nr_neigh);
        }

diff --git a/net/ax25/ax25_out.c b/net/ax25/ax25_out.c
index bf706f83a5c9b123d2a14f210a7fe19510030590..14912600ec57e6e961ee7de20dc2eebbb9a4013c 100644 (file)
--- a/net/ax25/ax25_out.c
+++ b/net/ax25/ax25_out.c
@@ -92,6 +92,12 @@ ax25_cb *ax25_send_frame(struct sk_buff *skb, int paclen, ax25_address *src, ax2
 #endif
        }
 
+       /*
+        * There is one ref for the state machine; a caller needs
+        * one more to put it back, just like with the existing one.
+        */
+       ax25_cb_hold(ax25);
+
        ax25_cb_add(ax25);
 
        ax25->state = AX25_STATE_1;

diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
index 4eb1ac9a7679ca3c14c0d9c651fbbf1d4fe76694..850ffc00390fcfbbbe11a08fac36d08388c2e06f 100644 (file)
--- a/net/netrom/nr_route.c
+++ b/net/netrom/nr_route.c
@@ -842,12 +842,13 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
        dptr  = skb_push(skb, 1);
        *dptr = AX25_P_NETROM;
 
-       ax25s = ax25_send_frame(skb, 256, (ax25_address *)dev->dev_addr, &nr_neigh->callsign, nr_neigh->digipeat, nr_neigh->dev);
-       if (nr_neigh->ax25 && ax25s) {
-               /* We were already holding this ax25_cb */
+       ax25s = nr_neigh->ax25;
+       nr_neigh->ax25 = ax25_send_frame(skb, 256,
+                                        (ax25_address *)dev->dev_addr,
+                                        &nr_neigh->callsign,
+                                        nr_neigh->digipeat, nr_neigh->dev);
+       if (ax25s)
                ax25_cb_put(ax25s);
-       }
-       nr_neigh->ax25 = ax25s;
 
        dev_put(dev);
        ret = (nr_neigh->ax25 != NULL);

diff --git a/net/rose/rose_link.c b/net/rose/rose_link.c
index bd86a63960ce3114ad4c6c3ae8a90804d6b66d66..5ef5f6988a2e1aa892539e0c7c53364d7f796808 100644 (file)
--- a/net/rose/rose_link.c
+++ b/net/rose/rose_link.c
@@ -101,13 +101,17 @@ static void rose_t0timer_expiry(unsigned long param)
 static int rose_send_frame(struct sk_buff *skb, struct rose_neigh *neigh)
 {
        ax25_address *rose_call;
+       ax25_cb *ax25s;
 
        if (ax25cmp(&rose_callsign, &null_ax25_address) == 0)
                rose_call = (ax25_address *)neigh->dev->dev_addr;
        else
                rose_call = &rose_callsign;
 
+       ax25s = neigh->ax25;
        neigh->ax25 = ax25_send_frame(skb, 260, rose_call, &neigh->callsign, neigh->digipeat, neigh->dev);
+       if (ax25s)
+               ax25_cb_put(ax25s);
 
        return (neigh->ax25 != NULL);
 }
@@ -120,13 +124,17 @@ static int rose_send_frame(struct sk_buff *skb, struct rose_neigh *neigh)
 static int rose_link_up(struct rose_neigh *neigh)
 {
        ax25_address *rose_call;
+       ax25_cb *ax25s;
 
        if (ax25cmp(&rose_callsign, &null_ax25_address) == 0)
                rose_call = (ax25_address *)neigh->dev->dev_addr;
        else
                rose_call = &rose_callsign;
 
+       ax25s = neigh->ax25;
        neigh->ax25 = ax25_find_cb(rose_call, &neigh->callsign, neigh->digipeat, neigh->dev);
+       if (ax25s)
+               ax25_cb_put(ax25s);
 
        return (neigh->ax25 != NULL);
 }

diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index f3e21989b88cc5081d7985cbd932b04fdfebd83d..08230fa6a502a96e65ece71ce4dc4ea0b51a4134 100644 (file)
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -234,6 +234,8 @@ static void rose_remove_neigh(struct rose_neigh *rose_neigh)
 
        if ((s = rose_neigh_list) == rose_neigh) {
                rose_neigh_list = rose_neigh->next;
+               if (rose_neigh->ax25)
+                       ax25_cb_put(rose_neigh->ax25);
                kfree(rose_neigh->digipeat);
                kfree(rose_neigh);
                return;
@@ -242,6 +244,8 @@ static void rose_remove_neigh(struct rose_neigh *rose_neigh)
        while (s != NULL && s->next != NULL) {
                if (s->next == rose_neigh) {
                        s->next = rose_neigh->next;
+                       if (rose_neigh->ax25)
+                               ax25_cb_put(rose_neigh->ax25);
                        kfree(rose_neigh->digipeat);
                        kfree(rose_neigh);
                        return;
@@ -810,6 +814,7 @@ void rose_link_failed(ax25_cb *ax25, int reason)
 
        if (rose_neigh != NULL) {
                rose_neigh->ax25 = NULL;
+               ax25_cb_put(ax25);
 
                rose_del_route_by_neigh(rose_neigh);
                rose_kill_by_neigh(rose_neigh);