decnet: proper socket refcounting

Better use sk_reset_timer() / sk_stop_timer() helpers to make sure we dont access already freed/reused memory later. Reported-by: Sasha Levin <levinsasha928@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Tested-by: Sasha Levin <levinsasha928@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

decnet: proper socket refcounting
Better use sk_reset_timer() / sk_stop_timer() helpers to make sure we dont access already freed/reused memory later. Reported-by: Sasha Levin <levinsasha928@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Tested-by: Sasha Levin <levinsasha928@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet · David S. Miller
1 parent fc0b927d9a
Showing 1 changed file with 5 additions and 12 deletions Side-by-side Diff
net/decnet/dn_timer.c
@@ -36,16 +36,13 @@
  
 void dn_start_slow_timer(struct sock *sk)
 {
-	sk->sk_timer.expires	= jiffies + SLOW_INTERVAL;
-	sk->sk_timer.function	= dn_slow_timer;
-	sk->sk_timer.data	= (unsigned long)sk;
-
-	add_timer(&sk->sk_timer);
+	setup_timer(&sk->sk_timer, dn_slow_timer, (unsigned long)sk);
+	sk_reset_timer(sk, &sk->sk_timer, jiffies + SLOW_INTERVAL);
 }
  
 void dn_stop_slow_timer(struct sock *sk)
 {
-	del_timer(&sk->sk_timer);
+	sk_stop_timer(sk, &sk->sk_timer);
 }
  
 static void dn_slow_timer(unsigned long arg)
  
@@ -53,12 +50,10 @@
 	struct sock *sk = (struct sock *)arg;
 	struct dn_scp *scp = DN_SK(sk);
  
-	sock_hold(sk);
 	bh_lock_sock(sk);
  
 	if (sock_owned_by_user(sk)) {
-		sk->sk_timer.expires = jiffies + HZ / 10;
-		add_timer(&sk->sk_timer);
+		sk_reset_timer(sk, &sk->sk_timer, jiffies + HZ / 10);
 		goto out;
 	}
  
@@ -100,9 +95,7 @@
 			scp->keepalive_fxn(sk);
 	}
  
-	sk->sk_timer.expires = jiffies + SLOW_INTERVAL;
-
-	add_timer(&sk->sk_timer);
+	sk_reset_timer(sk, &sk->sk_timer, jiffies + SLOW_INTERVAL);
 out:
 	bh_unlock_sock(sk);
 	sock_put(sk);
...	...	@@ -36,16 +36,13 @@
36	36
37	37	void dn_start_slow_timer(struct sock *sk)
38	38	{
39		- sk->sk_timer.expires = jiffies + SLOW_INTERVAL;
40		- sk->sk_timer.function = dn_slow_timer;
41		- sk->sk_timer.data = (unsigned long)sk;
42		-
43		- add_timer(&sk->sk_timer);
	39	+ setup_timer(&sk->sk_timer, dn_slow_timer, (unsigned long)sk);
	40	+ sk_reset_timer(sk, &sk->sk_timer, jiffies + SLOW_INTERVAL);
44	41	}
45	42
46	43	void dn_stop_slow_timer(struct sock *sk)
47	44	{
48		- del_timer(&sk->sk_timer);
	45	+ sk_stop_timer(sk, &sk->sk_timer);
49	46	}
50	47
51	48	static void dn_slow_timer(unsigned long arg)
52	49
...	...	@@ -53,12 +50,10 @@
53	50	struct sock sk = (struct sock )arg;
54	51	struct dn_scp *scp = DN_SK(sk);
55	52
56		- sock_hold(sk);
57	53	bh_lock_sock(sk);
58	54
59	55	if (sock_owned_by_user(sk)) {
60		- sk->sk_timer.expires = jiffies + HZ / 10;
61		- add_timer(&sk->sk_timer);
	56	+ sk_reset_timer(sk, &sk->sk_timer, jiffies + HZ / 10);
62	57	goto out;
63	58	}
64	59
...	...	@@ -100,9 +95,7 @@
100	95	scp->keepalive_fxn(sk);
101	96	}
102	97
103		- sk->sk_timer.expires = jiffies + SLOW_INTERVAL;
104		-
105		- add_timer(&sk->sk_timer);
	98	+ sk_reset_timer(sk, &sk->sk_timer, jiffies + SLOW_INTERVAL);
106	99	out:
107	100	bh_unlock_sock(sk);
108	101	sock_put(sk);