[DCCP] CCID2: Drop sock reference count on timer expiration and reset.

There was a hybrid use of standard timers and sk_timers. This caused the reference count of the sock to be incorrect when resetting the RTO timer. The sock reference count should now be correct, enabling its destruction, and allowing the DCCP module to be unloaded. Signed-off-by: Andrea Bittau <a.bittau@cs.ucl.ac.uk> Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
git-mirror · Mar 21, 2006 · 77ff72d · 77ff72d
1 parent ba66c6e
commit 77ff72d
Showing 1 changed file with 15 additions and 11 deletions.
diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
@@ -234,7 +234,7 @@ static void ccid2_hc_tx_rto_expire(unsigned long data)
 	ccid2_hc_tx_check_sanity(hctx);
 out:
 	bh_unlock_sock(sk);
-/*	sock_put(sk); */
+	sock_put(sk);
 }
 
 static void ccid2_start_rto_timer(struct sock *sk)
@@ -399,10 +399,12 @@ static int ccid2_ackvector(struct sock *sk, struct sk_buff *skb, int offset,
 	return -1;
 }
 
-static void ccid2_hc_tx_kill_rto_timer(struct ccid2_hc_tx_sock *hctx)
+static void ccid2_hc_tx_kill_rto_timer(struct sock *sk)
 {
-	if (del_timer(&hctx->ccid2hctx_rtotimer))
-		ccid2_pr_debug("deleted RTO timer\n");
+	struct ccid2_hc_tx_sock *hctx = ccid2_hc_tx_sk(sk);
+
+	sk_stop_timer(sk, &hctx->ccid2hctx_rtotimer);
+	ccid2_pr_debug("deleted RTO timer\n");
 }
 
 static inline void ccid2_new_ack(struct sock *sk,
@@ -496,17 +498,19 @@ static inline void ccid2_new_ack(struct sock *sk,
 	}
 
 	/* we got a new ack, so re-start RTO timer */
-	ccid2_hc_tx_kill_rto_timer(hctx);
+	ccid2_hc_tx_kill_rto_timer(sk);
 	ccid2_start_rto_timer(sk);
 }
 
-static void ccid2_hc_tx_dec_pipe(struct ccid2_hc_tx_sock *hctx)
+static void ccid2_hc_tx_dec_pipe(struct sock *sk)
 {
+	struct ccid2_hc_tx_sock *hctx = ccid2_hc_tx_sk(sk);
+
 	hctx->ccid2hctx_pipe--;
 	BUG_ON(hctx->ccid2hctx_pipe < 0);
 
 	if (hctx->ccid2hctx_pipe == 0)
-		ccid2_hc_tx_kill_rto_timer(hctx);
+		ccid2_hc_tx_kill_rto_timer(sk);
 }
 
 static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
@@ -627,7 +631,7 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
 					seqp->ccid2s_acked = 1;
 					ccid2_pr_debug("Got ack for %llu\n",
 					       	       seqp->ccid2s_seq);
-					ccid2_hc_tx_dec_pipe(hctx);
+					ccid2_hc_tx_dec_pipe(sk);
 				}
 				if (seqp == hctx->ccid2hctx_seqt) {
 					done = 1;
@@ -674,7 +678,7 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
 		while (1) {
 			if (!seqp->ccid2s_acked) {
 				loss = 1;
-				ccid2_hc_tx_dec_pipe(hctx);
+				ccid2_hc_tx_dec_pipe(sk);
 			}
 			if (seqp == hctx->ccid2hctx_seqt)
 				break;
@@ -760,9 +764,9 @@ static int ccid2_hc_tx_init(struct sock *sk)
 static void ccid2_hc_tx_exit(struct sock *sk)
 {
 	struct dccp_sock *dp = dccp_sk(sk);
-        struct ccid2_hc_tx_sock *hctx = dp->dccps_hc_tx_ccid_private;
+        struct ccid2_hc_tx_sock *hctx = ccid2_hc_tx_sk(sk);
 
-	ccid2_hc_tx_kill_rto_timer(hctx);
+	ccid2_hc_tx_kill_rto_timer(sk);
 
 	kfree(hctx->ccid2hctx_seqbuf);