[DCCP] CCID2: Drop sock reference count on timer expiration and reset.
There was a hybrid use of standard timers and sk_timers. This caused
the reference count of the sock to be incorrect when resetting the RTO
timer. The sock reference count should now be correct, enabling its
destruction, and allowing the DCCP module to be unloaded.
Signed-off-by: Andrea Bittau <a.bittau@cs.ucl.ac.uk>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
index 4a7b875..3328d23 100644
--- a/net/dccp/ccids/ccid2.c
+++ b/net/dccp/ccids/ccid2.c
@@ -234,7 +234,7 @@
ccid2_hc_tx_check_sanity(hctx);
out:
bh_unlock_sock(sk);
-/* sock_put(sk); */
+ sock_put(sk);
}
static void ccid2_start_rto_timer(struct sock *sk)
@@ -399,10 +399,12 @@
return -1;
}
-static void ccid2_hc_tx_kill_rto_timer(struct ccid2_hc_tx_sock *hctx)
+static void ccid2_hc_tx_kill_rto_timer(struct sock *sk)
{
- if (del_timer(&hctx->ccid2hctx_rtotimer))
- ccid2_pr_debug("deleted RTO timer\n");
+ struct ccid2_hc_tx_sock *hctx = ccid2_hc_tx_sk(sk);
+
+ sk_stop_timer(sk, &hctx->ccid2hctx_rtotimer);
+ ccid2_pr_debug("deleted RTO timer\n");
}
static inline void ccid2_new_ack(struct sock *sk,
@@ -496,17 +498,19 @@
}
/* we got a new ack, so re-start RTO timer */
- ccid2_hc_tx_kill_rto_timer(hctx);
+ ccid2_hc_tx_kill_rto_timer(sk);
ccid2_start_rto_timer(sk);
}
-static void ccid2_hc_tx_dec_pipe(struct ccid2_hc_tx_sock *hctx)
+static void ccid2_hc_tx_dec_pipe(struct sock *sk)
{
+ struct ccid2_hc_tx_sock *hctx = ccid2_hc_tx_sk(sk);
+
hctx->ccid2hctx_pipe--;
BUG_ON(hctx->ccid2hctx_pipe < 0);
if (hctx->ccid2hctx_pipe == 0)
- ccid2_hc_tx_kill_rto_timer(hctx);
+ ccid2_hc_tx_kill_rto_timer(sk);
}
static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
@@ -627,7 +631,7 @@
seqp->ccid2s_acked = 1;
ccid2_pr_debug("Got ack for %llu\n",
seqp->ccid2s_seq);
- ccid2_hc_tx_dec_pipe(hctx);
+ ccid2_hc_tx_dec_pipe(sk);
}
if (seqp == hctx->ccid2hctx_seqt) {
done = 1;
@@ -674,7 +678,7 @@
while (1) {
if (!seqp->ccid2s_acked) {
loss = 1;
- ccid2_hc_tx_dec_pipe(hctx);
+ ccid2_hc_tx_dec_pipe(sk);
}
if (seqp == hctx->ccid2hctx_seqt)
break;
@@ -760,9 +764,9 @@
static void ccid2_hc_tx_exit(struct sock *sk)
{
struct dccp_sock *dp = dccp_sk(sk);
- struct ccid2_hc_tx_sock *hctx = dp->dccps_hc_tx_ccid_private;
+ struct ccid2_hc_tx_sock *hctx = ccid2_hc_tx_sk(sk);
- ccid2_hc_tx_kill_rto_timer(hctx);
+ ccid2_hc_tx_kill_rto_timer(sk);
kfree(hctx->ccid2hctx_seqbuf);