rose: Socket lock was not released before returning to user space

[sfrench/cifs-2.6.git] / net / rose / af_rose.c

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 509defe53ee53fb5b49f37c0b2372edfa83cc68b..1ebf65294405976788168815b8420df757f4a7aa 100644 (file)
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -116,7 +116,7 @@ int rosecmp(rose_address *addr1, rose_address *addr2)
  */
 int rosecmpm(rose_address *addr1, rose_address *addr2, unsigned short mask)
 {
-       int i, j;
+       unsigned int i, j;
 
        if (mask > 10)
                return 1;
@@ -197,7 +197,7 @@ static int rose_device_event(struct notifier_block *this, unsigned long event,
 {
        struct net_device *dev = (struct net_device *)ptr;
 
-       if (dev->nd_net != &init_net)
+       if (dev_net(dev) != &init_net)
                return NOTIFY_DONE;
 
        if (event != NETDEV_DOWN)
@@ -345,10 +345,9 @@ void rose_destroy_socket(struct sock *sk)
        if (atomic_read(&sk->sk_wmem_alloc) ||
            atomic_read(&sk->sk_rmem_alloc)) {
                /* Defer: outstanding buffers */
-               init_timer(&sk->sk_timer);
+               setup_timer(&sk->sk_timer, rose_destroy_timer,
+                               (unsigned long)sk);
                sk->sk_timer.expires  = jiffies + 10 * HZ;
-               sk->sk_timer.function = rose_destroy_timer;
-               sk->sk_timer.data     = (unsigned long)sk;
                add_timer(&sk->sk_timer);
        } else
                sock_put(sk);
@@ -513,7 +512,8 @@ static int rose_create(struct net *net, struct socket *sock, int protocol)
        if (sock->type != SOCK_SEQPACKET || protocol != 0)
                return -ESOCKTNOSUPPORT;
 
-       if ((sk = sk_alloc(net, PF_ROSE, GFP_ATOMIC, &rose_proto, 1)) == NULL)
+       sk = sk_alloc(net, PF_ROSE, GFP_ATOMIC, &rose_proto);
+       if (sk == NULL)
                return -ENOMEM;
 
        rose = rose_sk(sk);
@@ -551,7 +551,8 @@ static struct sock *rose_make_new(struct sock *osk)
        if (osk->sk_type != SOCK_SEQPACKET)
                return NULL;
 
-       if ((sk = sk_alloc(osk->sk_net, PF_ROSE, GFP_ATOMIC, &rose_proto, 1)) == NULL)
+       sk = sk_alloc(sock_net(osk), PF_ROSE, GFP_ATOMIC, &rose_proto);
+       if (sk == NULL)
                return NULL;
 
        rose = rose_sk(sk);
@@ -597,17 +598,24 @@ static int rose_release(struct socket *sock)
 
        if (sk == NULL) return 0;
 
+       sock_hold(sk);
+       sock_orphan(sk);
+       lock_sock(sk);
        rose = rose_sk(sk);
 
        switch (rose->state) {
        case ROSE_STATE_0:
+               release_sock(sk);
                rose_disconnect(sk, 0, -1, -1);
+               lock_sock(sk);
                rose_destroy_socket(sk);
                break;
 
        case ROSE_STATE_2:
                rose->neighbour->use--;
+               release_sock(sk);
                rose_disconnect(sk, 0, -1, -1);
+               lock_sock(sk);
                rose_destroy_socket(sk);
                break;
 
@@ -632,6 +640,8 @@ static int rose_release(struct socket *sock)
        }
 
        sock->sk = NULL;
+       release_sock(sk);
+       sock_put(sk);
 
        return 0;
 }
@@ -750,8 +760,10 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
 
        rose->neighbour = rose_get_neigh(&addr->srose_addr, &cause,
                                         &diagnostic);
-       if (!rose->neighbour)
-               return -ENETUNREACH;
+       if (!rose->neighbour) {
+               err = -ENETUNREACH;
+               goto out_release;
+       }
 
        rose->lci = rose_new_lci(rose->neighbour);
        if (!rose->lci) {
@@ -972,8 +984,8 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros
         */
        memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));
 
-       len  = (((skb->data[3] >> 4) & 0x0F) + 1) / 2;
-       len += (((skb->data[3] >> 0) & 0x0F) + 1) / 2;
+       len  = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1;
+       len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1;
        if (!rose_parse_facilities(skb->data + len + 4, &facilities)) {
                rose_transmit_clear_request(neigh, lci, ROSE_INVALID_FACILITY, 76);
                return 0;
@@ -1376,6 +1388,7 @@ static int rose_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 
 #ifdef CONFIG_PROC_FS
 static void *rose_info_start(struct seq_file *seq, loff_t *pos)
+       __acquires(rose_list_lock)
 {
        int i;
        struct sock *s;
@@ -1403,6 +1416,7 @@ static void *rose_info_next(struct seq_file *seq, void *v, loff_t *pos)
 }
 
 static void rose_info_stop(struct seq_file *seq, void *v)
+       __releases(rose_list_lock)
 {
        spin_unlock_bh(&rose_list_lock);
 }