From patchwork Thu Dec 18 10:20:46 2008
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Wei Yongjun <yjwei@cn.fujitsu.com>
X-Patchwork-Id: 14642
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by ozlabs.org (Postfix) with ESMTP id 869DADDF1E
	for <patchwork-incoming@ozlabs.org>;
	Thu, 18 Dec 2008 21:20:09 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751544AbYLRKUF (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Thu, 18 Dec 2008 05:20:05 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751470AbYLRKUE
	(ORCPT <rfc822; netdev-outgoing>); Thu, 18 Dec 2008 05:20:04 -0500
Received: from cn.fujitsu.com ([222.73.24.84]:59824 "EHLO
	song.cn.fujitsu.com"
	rhost-flags-OK-FAIL-OK-OK) by vger.kernel.org with ESMTP
	id S1752128AbYLRKUD (ORCPT <rfc822;netdev@vger.kernel.org>);
	Thu, 18 Dec 2008 05:20:03 -0500
Received: from tang.cn.fujitsu.com (tang.cn.fujitsu.com [10.167.250.3])
	by song.cn.fujitsu.com (Postfix) with ESMTP id 77093170116;
	Thu, 18 Dec 2008 18:23:45 +0800 (CST)
Received: from fnst.cn.fujitsu.com (localhost.localdomain [127.0.0.1])
	by tang.cn.fujitsu.com (8.13.1/8.13.1) with ESMTP id mBIANjAf024771;
	Thu, 18 Dec 2008 18:23:45 +0800
Received: from [10.167.141.76] (unknown [10.167.141.76])
	by fnst.cn.fujitsu.com (Postfix) with ESMTP id CE70ED439B;
	Thu, 18 Dec 2008 18:25:19 +0800 (CST)
Message-ID: <494A23FE.6020305@cn.fujitsu.com>
Date: Thu, 18 Dec 2008 18:20:46 +0800
From: Wei Yongjun <yjwei@cn.fujitsu.com>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: David Miller <davem@davemloft.net>, netdev@vger.kernel.org
Subject: [PATCH] net: Fix module refcount leak in kernel_accept()
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

The kernel_accept() does not hold the module refcount of newsock->ops->owner,
so we need __module_get(newsock->ops->owner) code after call kernel_accept()
by hand.
In sunrpc, the module refcount is missing to hold. So this cause kernel panic.

Used following script to reproduct:

while [ 1 ];
do
    mount -t nfs4 192.168.0.19:/ /mnt
    touch /mnt/file
    umount /mnt
    lsmod | grep ipv6
done

This patch fixed the problem by add __module_get(newsock->ops->owner) to
kernel_accept(). So we do not need to used __module_get(newsock->ops->owner)
in every place when used kernel_accept().

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
---
 net/bluetooth/rfcomm/core.c |    2 --
 net/socket.c                |    1 +
 2 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index ba537fa..ce68e04 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1786,8 +1786,6 @@ static inline void rfcomm_accept_connection(struct rfcomm_session *s)
 	if (err < 0)
 		return;
 
-	__module_get(nsock->ops->owner);
-
 	/* Set our callbacks */
 	nsock->sk->sk_data_ready   = rfcomm_l2data_ready;
 	nsock->sk->sk_state_change = rfcomm_l2state_change;
diff --git a/net/socket.c b/net/socket.c
index 92764d8..76ba80a 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2307,6 +2307,7 @@ int kernel_accept(struct socket *sock, struct socket **newsock, int flags)
 	}
 
 	(*newsock)->ops = sock->ops;
+	__module_get((*newsock)->ops->owner);
 
 done:
 	return err;