forge/linux-pinenote
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
linux-pinenote/include/net/rose.h
Alexey Dobriyan 891e6a9312 [ROSE]: Fix rose.ko oops on unload 
Commit a3d384029a aka
"[AX.25]: Fix unchecked rose_add_loopback_neigh uses"
transformed rose_loopback_neigh var into statically allocated one.
However, on unload it will be kfree's which can't work.

Steps to reproduce:

	modprobe rose
	rmmod rose

BUG: unable to handle kernel NULL pointer dereference at virtual address 00000008
 printing eip:
c014c664
*pde = 00000000
Oops: 0000 [#1]
PREEMPT DEBUG_PAGEALLOC
Modules linked in: rose ax25 fan ufs loop usbhid rtc snd_intel8x0 snd_ac97_codec ehci_hcd ac97_bus uhci_hcd thermal usbcore button processor evdev sr_mod cdrom
CPU:    0
EIP:    0060:[<c014c664>]    Not tainted VLI
EFLAGS: 00210086   (2.6.23-rc9 #3)
EIP is at kfree+0x48/0xa1
eax: 00000556   ebx: c1734aa0   ecx: f6a5e000   edx: f7082000
esi: 00000000   edi: f9a55d20   ebp: 00200287   esp: f6a5ef28
ds: 007b   es: 007b   fs: 0000  gs: 0033  ss: 0068
Process rmmod (pid: 1823, ti=f6a5e000 task=f7082000 task.ti=f6a5e000)
Stack: f9a55d20 f9a5200c 00000000 00000000 00000000 f6a5e000 f9a5200c f9a55a00 
       00000000 bf818cf0 f9a51f3f f9a55a00 00000000 c0132c60 65736f72 00000000 
       f69f9630 f69f9528 c014244a f6a4e900 00200246 f7082000 c01025e6 00000000 
Call Trace:
 [<f9a5200c>] rose_rt_free+0x1d/0x49 [rose]
 [<f9a5200c>] rose_rt_free+0x1d/0x49 [rose]
 [<f9a51f3f>] rose_exit+0x4c/0xd5 [rose]
 [<c0132c60>] sys_delete_module+0x15e/0x186
 [<c014244a>] remove_vma+0x40/0x45
 [<c01025e6>] sysenter_past_esp+0x8f/0x99
 [<c012bacf>] trace_hardirqs_on+0x118/0x13b
 [<c01025b6>] sysenter_past_esp+0x5f/0x99
 =======================
Code: 05 03 1d 80 db 5b c0 8b 03 25 00 40 02 00 3d 00 40 02 00 75 03 8b 5b 0c 8b 73 10 8b 44 24 18 89 44 24 04 9c 5d fa e8 77 df fd ff <8b> 56 08 89 f8 e8 84 f4 fd ff e8 bd 32 06 00 3b 5c 86 60 75 0f 
EIP: [<c014c664>] kfree+0x48/0xa1 SS:ESP 0068:f6a5ef28

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-07 23:44:17 -07:00

235 lines
7.7 KiB
C
Raw Blame History

/*
* Declarations of Rose type objects.
*
* Jonathan Naylor G4KLX 25/8/96
*/
#ifndef _ROSE_H
#define _ROSE_H
#include <linux/rose.h>
#include <net/sock.h>
#define ROSE_ADDR_LEN 5
#define ROSE_MIN_LEN 3
#define ROSE_GFI 0x10
#define ROSE_Q_BIT 0x80
#define ROSE_D_BIT 0x40
#define ROSE_M_BIT 0x10
#define ROSE_CALL_REQUEST 0x0B
#define ROSE_CALL_ACCEPTED 0x0F
#define ROSE_CLEAR_REQUEST 0x13
#define ROSE_CLEAR_CONFIRMATION 0x17
#define ROSE_DATA 0x00
#define ROSE_INTERRUPT 0x23
#define ROSE_INTERRUPT_CONFIRMATION 0x27
#define ROSE_RR 0x01
#define ROSE_RNR 0x05
#define ROSE_REJ 0x09
#define ROSE_RESET_REQUEST 0x1B
#define ROSE_RESET_CONFIRMATION 0x1F
#define ROSE_REGISTRATION_REQUEST 0xF3
#define ROSE_REGISTRATION_CONFIRMATION 0xF7
#define ROSE_RESTART_REQUEST 0xFB
#define ROSE_RESTART_CONFIRMATION 0xFF
#define ROSE_DIAGNOSTIC 0xF1
#define ROSE_ILLEGAL 0xFD
/* Define Link State constants. */
enum {
ROSE_STATE_0, /* Ready */
ROSE_STATE_1, /* Awaiting Call Accepted */
ROSE_STATE_2, /* Awaiting Clear Confirmation */
ROSE_STATE_3, /* Data Transfer */
ROSE_STATE_4, /* Awaiting Reset Confirmation */
ROSE_STATE_5 /* Deferred Call Acceptance */
};
#define ROSE_DEFAULT_T0 180000 /* Default T10 T20 value */
#define ROSE_DEFAULT_T1 200000 /* Default T11 T21 value */
#define ROSE_DEFAULT_T2 180000 /* Default T12 T22 value */
#define ROSE_DEFAULT_T3 180000 /* Default T13 T23 value */
#define ROSE_DEFAULT_HB 5000 /* Default Holdback value */
#define ROSE_DEFAULT_IDLE 0 /* No Activity Timeout - none */
#define ROSE_DEFAULT_ROUTING 1 /* Default routing flag */
#define ROSE_DEFAULT_FAIL_TIMEOUT 120000 /* Time until link considered usable */
#define ROSE_DEFAULT_MAXVC 50 /* Maximum number of VCs per neighbour */
#define ROSE_DEFAULT_WINDOW_SIZE 7 /* Default window size */
#define ROSE_MODULUS 8
#define ROSE_MAX_PACKET_SIZE 251 /* Maximum packet size */
#define ROSE_COND_ACK_PENDING 0x01
#define ROSE_COND_PEER_RX_BUSY 0x02
#define ROSE_COND_OWN_RX_BUSY 0x04
#define FAC_NATIONAL 0x00
#define FAC_CCITT 0x0F
#define FAC_NATIONAL_RAND 0x7F
#define FAC_NATIONAL_FLAGS 0x3F
#define FAC_NATIONAL_DEST_DIGI 0xE9
#define FAC_NATIONAL_SRC_DIGI 0xEB
#define FAC_NATIONAL_FAIL_CALL 0xED
#define FAC_NATIONAL_FAIL_ADD 0xEE
#define FAC_NATIONAL_DIGIS 0xEF
#define FAC_CCITT_DEST_NSAP 0xC9
#define FAC_CCITT_SRC_NSAP 0xCB
struct rose_neigh {
struct rose_neigh *next;
ax25_address callsign;
ax25_digi *digipeat;
ax25_cb *ax25;
struct net_device *dev;
unsigned short count;
unsigned short use;
unsigned int number;
char restarted;
char dce_mode;
char loopback;
struct sk_buff_head queue;
struct timer_list t0timer;
struct timer_list ftimer;
};
struct rose_node {
struct rose_node *next;
rose_address address;
unsigned short mask;
unsigned char count;
char loopback;
struct rose_neigh *neighbour[3];
};
struct rose_route {
struct rose_route *next;
unsigned int lci1, lci2;
rose_address src_addr, dest_addr;
ax25_address src_call, dest_call;
struct rose_neigh *neigh1, *neigh2;
unsigned int rand;
};
struct rose_sock {
struct sock sock;
rose_address source_addr, dest_addr;
ax25_address source_call, dest_call;
unsigned char source_ndigis, dest_ndigis;
ax25_address source_digis[ROSE_MAX_DIGIS];
ax25_address dest_digis[ROSE_MAX_DIGIS];
struct rose_neigh *neighbour;
struct net_device *device;
unsigned int lci, rand;
unsigned char state, condition, qbitincl, defer;
unsigned char cause, diagnostic;
unsigned short vs, vr, va, vl;
unsigned long t1, t2, t3, hb, idle;
#ifdef M_BIT
unsigned short fraglen;
struct sk_buff_head frag_queue;
#endif
struct sk_buff_head ack_queue;
struct rose_facilities_struct facilities;
struct timer_list timer;
struct timer_list idletimer;
};
#define rose_sk(sk) ((struct rose_sock *)(sk))
/* af_rose.c */
extern ax25_address rose_callsign;
extern int sysctl_rose_restart_request_timeout;
extern int sysctl_rose_call_request_timeout;
extern int sysctl_rose_reset_request_timeout;
extern int sysctl_rose_clear_request_timeout;
extern int sysctl_rose_no_activity_timeout;
extern int sysctl_rose_ack_hold_back_timeout;
extern int sysctl_rose_routing_control;
extern int sysctl_rose_link_fail_timeout;
extern int sysctl_rose_maximum_vcs;
extern int sysctl_rose_window_size;
extern int rosecmp(rose_address *, rose_address *);
extern int rosecmpm(rose_address *, rose_address *, unsigned short);
extern const char *rose2asc(const rose_address *);
extern struct sock *rose_find_socket(unsigned int, struct rose_neigh *);
extern void rose_kill_by_neigh(struct rose_neigh *);
extern unsigned int rose_new_lci(struct rose_neigh *);
extern int rose_rx_call_request(struct sk_buff *, struct net_device *, struct rose_neigh *, unsigned int);
extern void rose_destroy_socket(struct sock *);
/* rose_dev.c */
extern void rose_setup(struct net_device *);
/* rose_in.c */
extern int rose_process_rx_frame(struct sock *, struct sk_buff *);
/* rose_link.c */
extern void rose_start_ftimer(struct rose_neigh *);
extern void rose_stop_ftimer(struct rose_neigh *);
extern void rose_stop_t0timer(struct rose_neigh *);
extern int rose_ftimer_running(struct rose_neigh *);
extern void rose_link_rx_restart(struct sk_buff *, struct rose_neigh *, unsigned short);
extern void rose_transmit_clear_request(struct rose_neigh *, unsigned int, unsigned char, unsigned char);
extern void rose_transmit_link(struct sk_buff *, struct rose_neigh *);
/* rose_loopback.c */
extern void rose_loopback_init(void);
extern void rose_loopback_clear(void);
extern int rose_loopback_queue(struct sk_buff *, struct rose_neigh *);
/* rose_out.c */
extern void rose_kick(struct sock *);
extern void rose_enquiry_response(struct sock *);
/* rose_route.c */
extern struct rose_neigh *rose_loopback_neigh;
extern const struct file_operations rose_neigh_fops;
extern const struct file_operations rose_nodes_fops;
extern const struct file_operations rose_routes_fops;
extern void rose_add_loopback_neigh(void);
extern int __must_check rose_add_loopback_node(rose_address *);
extern void rose_del_loopback_node(rose_address *);
extern void rose_rt_device_down(struct net_device *);
extern void rose_link_device_down(struct net_device *);
extern struct net_device *rose_dev_first(void);
extern struct net_device *rose_dev_get(rose_address *);
extern struct rose_route *rose_route_free_lci(unsigned int, struct rose_neigh *);
extern struct rose_neigh *rose_get_neigh(rose_address *, unsigned char *, unsigned char *);
extern int rose_rt_ioctl(unsigned int, void __user *);
extern void rose_link_failed(ax25_cb *, int);
extern int rose_route_frame(struct sk_buff *, ax25_cb *);
extern void rose_rt_free(void);
/* rose_subr.c */
extern void rose_clear_queues(struct sock *);
extern void rose_frames_acked(struct sock *, unsigned short);
extern void rose_requeue_frames(struct sock *);
extern int rose_validate_nr(struct sock *, unsigned short);
extern void rose_write_internal(struct sock *, int);
extern int rose_decode(struct sk_buff *, int *, int *, int *, int *, int *);
extern int rose_parse_facilities(unsigned char *, struct rose_facilities_struct *);
extern void rose_disconnect(struct sock *, int, int, int);
/* rose_timer.c */
extern void rose_start_heartbeat(struct sock *);
extern void rose_start_t1timer(struct sock *);
extern void rose_start_t2timer(struct sock *);
extern void rose_start_t3timer(struct sock *);
extern void rose_start_hbtimer(struct sock *);
extern void rose_start_idletimer(struct sock *);
extern void rose_stop_heartbeat(struct sock *);
extern void rose_stop_timer(struct sock *);
extern void rose_stop_idletimer(struct sock *);
/* sysctl_net_rose.c */
extern void rose_register_sysctl(void);
extern void rose_unregister_sysctl(void);
#endif
Reference in a new issue View git blame Copy permalink