net: rose: fix netdev reference changes
authorEric Dumazet <edumazet@google.com>
Fri, 29 Jul 2022 09:12:32 +0000 (09:12 +0000)
committerStefan Bader <stefan.bader@canonical.com>
Mon, 17 Oct 2022 09:56:29 +0000 (11:56 +0200)
BugLink: https://bugs.launchpad.net/bugs/1990162
[ Upstream commit 931027820e4dafabc78aff82af59f8c1c4bd3128 ]

Bernard reported that trying to unload the rose module would lead
to the infamous message:

unregistered_netdevice: waiting for rose0 to become free. Usage count = xx

This patch solves the issue, by making sure each socket referring to
a netdevice holds a reference count on it, and properly releases it
in rose_release().

rose_dev_first() is also fixed to take a device reference
before leaving the rcu_read_locked section.

Following patch will add ref_tracker annotations to ease
future bug hunting.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Bernard Pidoux <f6bvp@free.fr>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Tested-by: Bernard Pidoux <f6bvp@free.fr>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
net/rose/af_rose.c
net/rose/rose_route.c

index cf7d974e0f619a60ef5c6a037705974c622810f2..29a208ed8fb88d5f2e7f457ffba1cbc1d81f99cc 100644 (file)
@@ -191,6 +191,7 @@ static void rose_kill_by_device(struct net_device *dev)
                        rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
                        if (rose->neighbour)
                                rose->neighbour->use--;
+                       dev_put(rose->device);
                        rose->device = NULL;
                }
        }
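Review bot: The `dev_put(rose->device); rose->device = NULL;` pair here and the new `dev_put(rose->device);` in the rose_release() hunk can both act on the same socket, and nothing in the visible lines makes the two mutually exclusive. rose_release() runs with the socket lock held (its hunk shows `release_sock(sk)` right after the put), while no socket lock is taken in the lines shown for rose_kill_by_device(). If the two overlap, the device reference could be dropped twice, which would unbalance the netdev refcount and risk a use-after-free of the device. I would serialise both sites on one lock and read and clear the field inside it. The enclosing loop and any list lock lie outside this hunk, so this needs confirming against the full function.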
@@ -591,6 +592,8 @@ static struct sock *rose_make_new(struct sock *osk)
        rose->idle      = orose->idle;
        rose->defer     = orose->defer;
        rose->device    = orose->device;
+       if (rose->device)
+               dev_hold(rose->device);
        rose->qbitincl  = orose->qbitincl;
 
        return sk;
@@ -644,6 +647,7 @@ static int rose_release(struct socket *sock)
                break;
        }
 
+       dev_put(rose->device);
        sock->sk = NULL;
        release_sock(sk);
        sock_put(sk);
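Review bot: After `dev_put(rose->device);` the pointer stays in `rose->device` although this socket no longer owns a reference. `sock_put(sk)` below is not necessarily the last reference to the socket, so any later reader of the field (presumably a timer or rose_kill_by_device()) would see a device it has no hold on; adding `rose->device = NULL;` directly after the put closes that. The call is also reached for sockets whose `rose->device` was never set, so it relies on dev_put() accepting NULL, whereas the rose_make_new() hunk guards `dev_hold()` with `if (rose->device)`. A short comment such as `/* device may be NULL: unbound or already killed */` would show the asymmetry is intentional. The start of rose_release() is outside the hunk.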
@@ -720,7 +724,6 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
        struct rose_sock *rose = rose_sk(sk);
        struct sockaddr_rose *addr = (struct sockaddr_rose *)uaddr;
        unsigned char cause, diagnostic;
-       struct net_device *dev;
        ax25_uid_assoc *user;
        int n, err = 0;
 
@@ -777,9 +780,12 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
        }
 
        if (sock_flag(sk, SOCK_ZAPPED)) {       /* Must bind first - autobinding in this may or may not work */
+               struct net_device *dev;
+
                sock_reset_flag(sk, SOCK_ZAPPED);
 
-               if ((dev = rose_dev_first()) == NULL) {
+               dev = rose_dev_first();
+               if (!dev) {
                        err = -ENETUNREACH;
                        goto out_release;
                }
@@ -787,6 +793,7 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
                user = ax25_findbyuid(current_euid());
                if (!user) {
                        err = -EINVAL;
+                       dev_put(dev);
                        goto out_release;
                }
 
index 764a726debb1ffd3a941a66b6abe5f63ee18cbed..66aa05db5390f765c142006383201bdf5d97621b 100644 (file)
@@ -615,6 +615,8 @@ struct net_device *rose_dev_first(void)
                        if (first == NULL || strncmp(dev->name, first->name, 3) < 0)
                                first = dev;
        }
+       if (first)
+               dev_hold(first);
        rcu_read_unlock();
 
        return first;
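Review bot: rose_dev_first() now returns its result with a reference held, but nothing at the definition says so, and the contract change is easy for callers to miss. I would add a comment above the function, e.g. `/* Returns the first ROSE device with a reference held; the caller must dev_put() it or hand it to an owner that does. */`. In this commit only rose_connect() is adjusted, and only its ax25_findbyuid() failure path is shown releasing `dev`. Whether other callers exist is not visible here and should be checked, since each would now leak a reference. The start of the function is outside the hunk.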