Skip to content

Commit ed32641

Browse files
davem330davem330
committed
Merge branch 'ax25-fixes'
Duoming Zhou says: ==================== Fix refcount leak and NPD bugs in ax25 The first patch fixes refcount leak in ax25 that could cause ax25-ex-connected-session-now-listening-state-bug. The second patch fixes NPD bugs in ax25 timers. ==================== Signed-off-by: David S. Miller <[email protected]>
2 parents 0caf6d9 + fc6d01f commit ed32641

File tree

2 files changed

+27
-11
lines changed

2 files changed

+27
-11
lines changed

net/ax25/af_ax25.c

Lines changed: 13 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -89,18 +89,20 @@ static void ax25_kill_by_device(struct net_device *dev)
8989
sk = s->sk;
9090
if (!sk) {
9191
spin_unlock_bh(&ax25_list_lock);
92-
s->ax25_dev = NULL;
9392
ax25_disconnect(s, ENETUNREACH);
93+
s->ax25_dev = NULL;
9494
spin_lock_bh(&ax25_list_lock);
9595
goto again;
9696
}
9797
sock_hold(sk);
9898
spin_unlock_bh(&ax25_list_lock);
9999
lock_sock(sk);
100-
s->ax25_dev = NULL;
101-
dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
102-
ax25_dev_put(ax25_dev);
103100
ax25_disconnect(s, ENETUNREACH);
101+
s->ax25_dev = NULL;
102+
if (sk->sk_socket) {
103+
dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
104+
ax25_dev_put(ax25_dev);
105+
}
104106
release_sock(sk);
105107
spin_lock_bh(&ax25_list_lock);
106108
sock_put(sk);
@@ -979,14 +981,20 @@ static int ax25_release(struct socket *sock)
979981
{
980982
struct sock *sk = sock->sk;
981983
ax25_cb *ax25;
984+
ax25_dev *ax25_dev;
982985

983986
if (sk == NULL)
984987
return 0;
985988

986989
sock_hold(sk);
987-
sock_orphan(sk);
988990
lock_sock(sk);
991+
sock_orphan(sk);
989992
ax25 = sk_to_ax25(sk);
993+
ax25_dev = ax25->ax25_dev;
994+
if (ax25_dev) {
995+
dev_put_track(ax25_dev->dev, &ax25_dev->dev_tracker);
996+
ax25_dev_put(ax25_dev);
997+
}
990998

991999
if (sk->sk_type == SOCK_SEQPACKET) {
9921000
switch (ax25->state) {

net/ax25/ax25_subr.c

Lines changed: 14 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -261,12 +261,20 @@ void ax25_disconnect(ax25_cb *ax25, int reason)
261261
{
262262
ax25_clear_queues(ax25);
263263

264-
if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY))
265-
ax25_stop_heartbeat(ax25);
266-
ax25_stop_t1timer(ax25);
267-
ax25_stop_t2timer(ax25);
268-
ax25_stop_t3timer(ax25);
269-
ax25_stop_idletimer(ax25);
264+
if (reason == ENETUNREACH) {
265+
del_timer_sync(&ax25->timer);
266+
del_timer_sync(&ax25->t1timer);
267+
del_timer_sync(&ax25->t2timer);
268+
del_timer_sync(&ax25->t3timer);
269+
del_timer_sync(&ax25->idletimer);
270+
} else {
271+
if (!ax25->sk || !sock_flag(ax25->sk, SOCK_DESTROY))
272+
ax25_stop_heartbeat(ax25);
273+
ax25_stop_t1timer(ax25);
274+
ax25_stop_t2timer(ax25);
275+
ax25_stop_t3timer(ax25);
276+
ax25_stop_idletimer(ax25);
277+
}
270278

271279
ax25->state = AX25_STATE_0;
272280

0 commit comments

Comments
 (0)