| To: | Jeroen Vreeken <pe1rxq@xxxxxxxxx> |
|---|---|
| Subject: | [PATCH] ax25 fix for premature free. |
| From: | Stephen Hemminger <shemminger@xxxxxxxx> |
| Date: | Tue, 12 Aug 2003 15:39:01 -0700 |
| Cc: | linux-hams@xxxxxxxxxxxxxxx, ralf@xxxxxxxxxxxxxx, davem@xxxxxxxxxx, netdev@xxxxxxxxxxx |
| In-reply-to: | <20030812230951.E28977@xxxxxxxxxxxxxxxxxxxxxx> |
| Organization: | Open Source Development Lab |
| References: | <20030812194653.A28977@xxxxxxxxxxxxxxxxxxxxxx> <20030812135655.7334887b.shemminger@xxxxxxxx> <20030812230951.E28977@xxxxxxxxxxxxxxxxxxxxxx> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
The problem is that you are freeing the ax25 control block too soon for the case
of sockets that were never bound. If the socket is not bound, it never makes it
into the node list and the refcount is 1. So when you decrement in ax25_cb_del
by calling ax25_cb_put it gets freed.
This fixes the problem; it assumes your earlier patch has been applied.
diff -Nru a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
--- a/net/ax25/af_ax25.c Tue Aug 12 15:35:33 2003
+++ b/net/ax25/af_ax25.c Tue Aug 12 15:35:33 2003
@@ -66,10 +66,12 @@
*/
static void ax25_cb_del(ax25_cb *ax25)
{
- spin_lock_bh(&ax25_list_lock);
- hlist_del_init(&ax25->ax25_node);
- spin_unlock_bh(&ax25_list_lock);
- ax25_cb_put(ax25);
+ if (!hlist_unhashed(&ax25->ax25_node)) {
+ spin_lock_bh(&ax25_list_lock);
+ hlist_del(&ax25->ax25_node);
+ spin_unlock_bh(&ax25_list_lock);
+ ax25_cb_put(ax25);
+ }
}
/*
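Review bot: the hlist_unhashed() test in ax25_cb_del runs before ax25_list_lock is taken, and the removal switches from hlist_del_init() to hlist_del(), which does not return the node to the unhashed state. Two callers racing on the same control block can both pass the check, and a repeated call after removal passes it as well, so either path unlinks the node twice and drops an extra reference through ax25_cb_put(). Suggest doing the hlist_unhashed() check inside the spin_lock_bh() section and keeping hlist_del_init(), so a second call sees the node as unhashed and becomes a no-op.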