From: chrisw@osdl.org <chrisw@osdl.org>
Date: Fri, 11 Mar 2005 23:31:10 +0000 (-0800)
Subject: [PATCH] add timercode-race-AX.25.patch
X-Git-Tag: v2.6.11.9~53
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=21120afbdda7a6a907e2bf86b9497ade99ff25e7;p=thirdparty%2Fkernel%2Fstable-queue.git

[PATCH] add timercode-race-AX.25.patch
---

diff --git a/2.6.11.4/timercode-race-AX.25.patch b/2.6.11.4/timercode-race-AX.25.patch
new file mode 100644
index 00000000000..d513932d4df
--- /dev/null
+++ b/2.6.11.4/timercode-race-AX.25.patch
@@ -0,0 +1,31 @@
+Date: Fri, 11 Mar 2005 21:46:29 +0000
+From: Ralf Baechle DL5RB <ralf@linux-mips.org>
+To: stable@kernel.org
+Subject: [PATCH] Timercode race in AX.25
+
+When destroying a socket ax25_destroy_socket tries to stop the protocol's
+T1 timer before freeing the memory.  If things are just right using the
+non-sync variant of del_timer means the timer will continue to run even
+after the del_timer because it's adding itself again which is likely to
+result in a crash when the timer is executed again a few seconds later.
+
+del_timer_sync can be expensive, so I don't want this one to go into 2.6
+mainline where I'll try to cook something that is less intrusive than
+regular calls to del_timer_sync.
+
+Signed-off-by: Ralf Baechle DL5RB <ralf@linux-mips.org>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+
+Index: bk-afu/net/ax25/ax25_timer.c
+===================================================================
+--- bk-afu.orig/net/ax25/ax25_timer.c	2005-03-08 13:54:06.000000000 +0000
++++ bk-afu/net/ax25/ax25_timer.c	2005-03-08 16:43:34.790532976 +0000
+@@ -106,7 +106,7 @@
+ 
+ void ax25_stop_t1timer(ax25_cb *ax25)
+ {
+-	del_timer(&ax25->t1timer);
++	del_timer_sync(&ax25->t1timer);
+ }
+ 
+ void ax25_stop_t2timer(ax25_cb *ax25)