author | Jarek Poplawski <jarkao2@gmail.com> | 2010-01-16 10:04:04 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-01-16 10:04:04 +0100 |
commit | d00c362f1b0ff54161e0a42b4554ac621a9ef92d (patch) | |
tree | 33ffeef90727309ad67690b2b7b63e1161b052ec /net/rose/rose_link.c | |
parent | appletalk:: da.s_net not copied but assigned to itself in aarp_rcv() (diff) | |
ax25: netrom: rose: Fix timer oopses
Wrong ax25_cb refcounting in ax25_send_frame() and by its callers can
cause timer oopses (first reported with 2.6.29.6 kernel).
Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14905
Reported-by: Bernard Pidoux <bpidoux@free.fr>
Tested-by: Bernard Pidoux <bpidoux@free.fr>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/rose/rose_link.c')
-rw-r--r-- | net/rose/rose_link.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/net/rose/rose_link.c b/net/rose/rose_link.c
index bd86a63960ce..5ef5f6988a2e 100644
--- a/net/rose/rose_link.c
+++ b/net/rose/rose_link.c
@@ -101,13 +101,17 @@ static void rose_t0timer_expiry(unsigned long param)
 static int rose_send_frame(struct sk_buff *skb, struct rose_neigh *neigh)
 {
 ax25_address *rose_call;
+ ax25_cb *ax25s;
 if (ax25cmp(&rose_callsign, &null_ax25_address) == 0)
 rose_call = (ax25_address *)neigh->dev->dev_addr;
 else
 rose_call = &rose_callsign;
+ ax25s = neigh->ax25;
 neigh->ax25 = ax25_send_frame(skb, 260, rose_call, &neigh->callsign, neigh->digipeat, neigh->dev);
+ if (ax25s)
+ ax25_cb_put(ax25s);
 return (neigh->ax25 != NULL);
 }
@@ -120,13 +124,17 @@ static int rose_send_frame(struct sk_buff *skb, struct rose_neigh *neigh)
 static int rose_link_up(struct rose_neigh *neigh)
 {
 ax25_address *rose_call;
+ ax25_cb *ax25s;
 if (ax25cmp(&rose_callsign, &null_ax25_address) == 0)
 rose_call = (ax25_address *)neigh->dev->dev_addr;
 else
 rose_call = &rose_callsign;
+ ax25s = neigh->ax25;
 neigh->ax25 = ax25_find_cb(rose_call, &neigh->callsign, neigh->digipeat, neigh->dev);
+ if (ax25s)
+ ax25_cb_put(ax25s);
 return (neigh->ax25 != NULL);
 } |
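Review bot: Nothing in rose_send_frame() documents the ownership rule that the new `ax25_cb_put(ax25s)` depends on, and the same applies to the identical sequence in rose_link_up() in the second hunk. The put is balanced only if every value stored in `neigh->ax25` carries its own reference, meaning both ax25_send_frame() and ax25_find_cb() return a held cb; neither callee is visible in this file-limited view, so that should be confirmed against the rest of the commit. Reading the old pointer, storing the new one and putting the old one is also not atomic, so two contexts working on the same neigh could both put the same old cb and underflow the refcount, ending in a use-after-free; whether the callers serialise this is outside the hunks. I would add above `ax25s = neigh->ax25;` a comment such as `/* neigh->ax25 owns one reference; take the new one before dropping the old so the cb cannot be freed in between */`.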