[ROSE/AX25] af_rose: rose_release() fix
authorJarek Poplawski <jarkao2@gmail.com>
Wed, 2 Apr 2008 06:56:17 +0000 (23:56 -0700)
committerDavid S. Miller <davem@davemloft.net>
Wed, 2 Apr 2008 06:56:17 +0000 (23:56 -0700)
rose_release() doesn't release sockets properly, e.g. it skips
sock_orphan(), so OOPSes are triggered in sock_def_write_space(),
which was observed especially while ROSE skbs were kfreed from
ax25_frames_acked(). There is also sock_hold() and lock_sock() added -
similarly to ax25_release(). Thanks to Bernard Pidoux for substantial
help in debugging this problem.

Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Reported-and-tested-by: Bernard Pidoux <bpidoux@free.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/rose/af_rose.c

index 4a31a81059abb93a34c176d14e41b33e1f2e6fd8..063cbc5c26b1c44222a10fedce1232783c0346fd 100644 (file)
@@ -598,17 +598,24 @@ static int rose_release(struct socket *sock)
 
        if (sk == NULL) return 0;
 
+       sock_hold(sk);
+       sock_orphan(sk);
+       lock_sock(sk);
        rose = rose_sk(sk);
 
        switch (rose->state) {
        case ROSE_STATE_0:
+               release_sock(sk);
                rose_disconnect(sk, 0, -1, -1);
+               lock_sock(sk);
                rose_destroy_socket(sk);
                break;
 
        case ROSE_STATE_2:
                rose->neighbour->use--;
+               release_sock(sk);
                rose_disconnect(sk, 0, -1, -1);
+               lock_sock(sk);
                rose_destroy_socket(sk);
                break;
 
@@ -633,6 +640,8 @@ static int rose_release(struct socket *sock)
        }
 
        sock->sk = NULL;
+       release_sock(sk);
+       sock_put(sk);
 
        return 0;
 }