ax25: netrom: rose: Fix timer oopses

[ Upstream commit d00c362f1b0ff54161e0a42b4554ac621a9ef92d ] Wrong ax25_cb refcounting in ax25_send_frame() and by its callers can cause timer oopses (first reported with 2.6.29.6 kernel). Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14905 Reported-by: Bernard Pidoux <bpidoux@free.fr> Tested-by: Bernard Pidoux <bpidoux@free.fr> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Jarek Poplawski <jarkao2@gmail.com> 2010-01-16 01:04:04 -0800
committer: Greg Kroah-Hartman <gregkh@suse.de> 2010-02-09 04:50:56 -0800
commit: a74e62c2ef1fda92ad697556261b0e00fee5d581 (patch)
tree: 778a0008b9128fcebfad332a4d9749d55e6a56de /net/netrom
parent: 3125258f78ae4930916d8c569a10dfd621db77ba (diff)
1 files changed, 6 insertions, 5 deletions
diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
index 4eb1ac9a767..850ffc00390 100644
--- a/net/netrom/nr_route.c
+++ b/net/netrom/nr_route.c
@@ -842,12 +842,13 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
 	dptr  = skb_push(skb, 1);
 	*dptr = AX25_P_NETROM;
 
-	ax25s = ax25_send_frame(skb, 256, (ax25_address *)dev->dev_addr, &nr_neigh->callsign, nr_neigh->digipeat, nr_neigh->dev);
-	if (nr_neigh->ax25 && ax25s) {
-		/* We were already holding this ax25_cb */
+	ax25s = nr_neigh->ax25;
+	nr_neigh->ax25 = ax25_send_frame(skb, 256,
+					 (ax25_address *)dev->dev_addr,
+					 &nr_neigh->callsign,
+					 nr_neigh->digipeat, nr_neigh->dev);
+	if (ax25s)
 		ax25_cb_put(ax25s);
-	}
-	nr_neigh->ax25 = ax25s;
 
 	dev_put(dev);
 	ret = (nr_neigh->ax25 != NULL);
author	Jarek Poplawski <jarkao2@gmail.com>	2010-01-16 01:04:04 -0800
committer	Greg Kroah-Hartman <gregkh@suse.de>	2010-02-09 04:50:56 -0800
commit	a74e62c2ef1fda92ad697556261b0e00fee5d581 (patch)
tree	778a0008b9128fcebfad332a4d9749d55e6a56de /net/netrom
parent	3125258f78ae4930916d8c569a10dfd621db77ba (diff)