summaryrefslogtreecommitdiffstats
path: root/net/ax25
diff options
context:
space:
mode:
authorJarek Poplawski <jarkao2@gmail.com>2010-01-16 10:04:04 +0100
committerDavid S. Miller <davem@davemloft.net>2010-01-16 10:04:04 +0100
commitd00c362f1b0ff54161e0a42b4554ac621a9ef92d (patch)
tree33ffeef90727309ad67690b2b7b63e1161b052ec /net/ax25
parentappletalk:: da.s_net not copied but assigned to itself in aarp_rcv() (diff)
downloadlinux-d00c362f1b0ff54161e0a42b4554ac621a9ef92d.tar.xz
linux-d00c362f1b0ff54161e0a42b4554ac621a9ef92d.zip
ax25: netrom: rose: Fix timer oopses
Wrong ax25_cb refcounting in ax25_send_frame() and by its callers can cause timer oopses (first reported with 2.6.29.6 kernel). Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14905 Reported-by: Bernard Pidoux <bpidoux@free.fr> Tested-by: Bernard Pidoux <bpidoux@free.fr> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ax25')
-rw-r--r--net/ax25/ax25_out.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/net/ax25/ax25_out.c b/net/ax25/ax25_out.c
index bf706f83a5c9..14912600ec57 100644
--- a/net/ax25/ax25_out.c
+++ b/net/ax25/ax25_out.c
@@ -92,6 +92,12 @@ ax25_cb *ax25_send_frame(struct sk_buff *skb, int paclen, ax25_address *src, ax2
#endif
}
+ /*
+ * There is one ref for the state machine; a caller needs
+ * one more to put it back, just like with the existing one.
+ */
+ ax25_cb_hold(ax25);
+
ax25_cb_add(ax25);
ax25->state = AX25_STATE_1;