Commit 4965291acf8cc2c31dcb2fc7d292a04ee08da2dd
Committed by
David S. Miller
David S. Miller
1 parent
d43c7b37ad
[ROSE/AX25] af_rose: rose_release() fix
rose_release() doesn't release sockets properly, e.g. it skips sock_orphan(), so OOPSes are triggered in sock_def_write_space(), which was observed especially while ROSE skbs were kfreed from ax25_frames_acked(). There is also sock_hold() and lock_sock() added - similarly to ax25_release(). Thanks to Bernard Pidoux for substantial help in debugging this problem. Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Reported-and-tested-by: Bernard Pidoux <bpidoux@free.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 9 additions and 0 deletions Side-by-side Diff
net/rose/af_rose.c
| ... | ... | @@ -598,17 +598,24 @@ |
| 598 | 598 | |
| 599 | 599 | if (sk == NULL) return 0; |
| 600 | 600 | |
| 601 | + sock_hold(sk); | |
| 602 | + sock_orphan(sk); | |
| 603 | + lock_sock(sk); | |
| 601 | 604 | rose = rose_sk(sk); |
| 602 | 605 | |
| 603 | 606 | switch (rose->state) { |
| 604 | 607 | case ROSE_STATE_0: |
| 608 | + release_sock(sk); | |
| 605 | 609 | rose_disconnect(sk, 0, -1, -1); |
| 610 | + lock_sock(sk); | |
| 606 | 611 | rose_destroy_socket(sk); |
| 607 | 612 | break; |
| 608 | 613 | |
| 609 | 614 | case ROSE_STATE_2: |
| 610 | 615 | rose->neighbour->use--; |
| 616 | + release_sock(sk); | |
| 611 | 617 | rose_disconnect(sk, 0, -1, -1); |
| 618 | + lock_sock(sk); | |
| 612 | 619 | rose_destroy_socket(sk); |
| 613 | 620 | break; |
| 614 | 621 | |
| ... | ... | @@ -633,6 +640,8 @@ |
| 633 | 640 | } |
| 634 | 641 | |
| 635 | 642 | sock->sk = NULL; |
| 643 | + release_sock(sk); | |
| 644 | + sock_put(sk); | |
| 636 | 645 | |
| 637 | 646 | return 0; |
| 638 | 647 | } |