Skip to content

Commit 7e5530a

Browse files
torvaldstorvalds
committed
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller: 1) 8139cp leaks memory in error paths, from Francois Romieu. 2) do_tcp_sendpages() cannot handle order > 0 pages, but they can certainly arrive there now, fix from Eric Dumazet. 3) Race condition and sysfs fixes in bonding from Nikolay Aleksandrov. 4) Remain-on-Channel fix in mac80211 from Felix Liao. 5) CCK rate calculation fix in iwlwifi, from Emmanuel Grumbach. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: 8139cp: fix coherent mapping leak in error path. tcp: fix crashes in do_tcp_sendpages() bonding: fix race condition in bonding_store_slaves_active bonding: make arp_ip_target parameter checks consistent with sysfs bonding: fix miimon and arp_interval delayed work race conditions mac80211: fix remain-on-channel (non-)cancelling iwlwifi: fix the basic CCK rates calculation
2 parents 4ccc804 + 892a925 commit 7e5530a

File tree

6 files changed

+61
-108
lines changed

6 files changed

+61
-108
lines changed

drivers/net/bonding/bond_main.c

Lines changed: 29 additions & 64 deletions
Original file line numberDiff line numberDiff line change
@@ -3459,6 +3459,28 @@ static int bond_xmit_hash_policy_l34(struct sk_buff *skb, int count)
34593459

34603460
/*-------------------------- Device entry points ----------------------------*/
34613461

3462+
static void bond_work_init_all(struct bonding *bond)
3463+
{
3464+
INIT_DELAYED_WORK(&bond->mcast_work,
3465+
bond_resend_igmp_join_requests_delayed);
3466+
INIT_DELAYED_WORK(&bond->alb_work, bond_alb_monitor);
3467+
INIT_DELAYED_WORK(&bond->mii_work, bond_mii_monitor);
3468+
if (bond->params.mode == BOND_MODE_ACTIVEBACKUP)
3469+
INIT_DELAYED_WORK(&bond->arp_work, bond_activebackup_arp_mon);
3470+
else
3471+
INIT_DELAYED_WORK(&bond->arp_work, bond_loadbalance_arp_mon);
3472+
INIT_DELAYED_WORK(&bond->ad_work, bond_3ad_state_machine_handler);
3473+
}
3474+
3475+
static void bond_work_cancel_all(struct bonding *bond)
3476+
{
3477+
cancel_delayed_work_sync(&bond->mii_work);
3478+
cancel_delayed_work_sync(&bond->arp_work);
3479+
cancel_delayed_work_sync(&bond->alb_work);
3480+
cancel_delayed_work_sync(&bond->ad_work);
3481+
cancel_delayed_work_sync(&bond->mcast_work);
3482+
}
3483+
34623484
static int bond_open(struct net_device *bond_dev)
34633485
{
34643486
struct bonding *bond = netdev_priv(bond_dev);
@@ -3481,41 +3503,27 @@ static int bond_open(struct net_device *bond_dev)
34813503
}
34823504
read_unlock(&bond->lock);
34833505

3484-
INIT_DELAYED_WORK(&bond->mcast_work, bond_resend_igmp_join_requests_delayed);
3506+
bond_work_init_all(bond);
34853507

34863508
if (bond_is_lb(bond)) {
34873509
/* bond_alb_initialize must be called before the timer
34883510
* is started.
34893511
*/
3490-
if (bond_alb_initialize(bond, (bond->params.mode == BOND_MODE_ALB))) {
3491-
/* something went wrong - fail the open operation */
3512+
if (bond_alb_initialize(bond, (bond->params.mode == BOND_MODE_ALB)))
34923513
return -ENOMEM;
3493-
}
3494-
3495-
INIT_DELAYED_WORK(&bond->alb_work, bond_alb_monitor);
34963514
queue_delayed_work(bond->wq, &bond->alb_work, 0);
34973515
}
34983516

3499-
if (bond->params.miimon) { /* link check interval, in milliseconds. */
3500-
INIT_DELAYED_WORK(&bond->mii_work, bond_mii_monitor);
3517+
if (bond->params.miimon) /* link check interval, in milliseconds. */
35013518
queue_delayed_work(bond->wq, &bond->mii_work, 0);
3502-
}
35033519

35043520
if (bond->params.arp_interval) { /* arp interval, in milliseconds. */
3505-
if (bond->params.mode == BOND_MODE_ACTIVEBACKUP)
3506-
INIT_DELAYED_WORK(&bond->arp_work,
3507-
bond_activebackup_arp_mon);
3508-
else
3509-
INIT_DELAYED_WORK(&bond->arp_work,
3510-
bond_loadbalance_arp_mon);
3511-
35123521
queue_delayed_work(bond->wq, &bond->arp_work, 0);
35133522
if (bond->params.arp_validate)
35143523
bond->recv_probe = bond_arp_rcv;
35153524
}
35163525

35173526
if (bond->params.mode == BOND_MODE_8023AD) {
3518-
INIT_DELAYED_WORK(&bond->ad_work, bond_3ad_state_machine_handler);
35193527
queue_delayed_work(bond->wq, &bond->ad_work, 0);
35203528
/* register to receive LACPDUs */
35213529
bond->recv_probe = bond_3ad_lacpdu_recv;
@@ -3530,34 +3538,10 @@ static int bond_close(struct net_device *bond_dev)
35303538
struct bonding *bond = netdev_priv(bond_dev);
35313539

35323540
write_lock_bh(&bond->lock);
3533-
35343541
bond->send_peer_notif = 0;
3535-
35363542
write_unlock_bh(&bond->lock);
35373543

3538-
if (bond->params.miimon) { /* link check interval, in milliseconds. */
3539-
cancel_delayed_work_sync(&bond->mii_work);
3540-
}
3541-
3542-
if (bond->params.arp_interval) { /* arp interval, in milliseconds. */
3543-
cancel_delayed_work_sync(&bond->arp_work);
3544-
}
3545-
3546-
switch (bond->params.mode) {
3547-
case BOND_MODE_8023AD:
3548-
cancel_delayed_work_sync(&bond->ad_work);
3549-
break;
3550-
case BOND_MODE_TLB:
3551-
case BOND_MODE_ALB:
3552-
cancel_delayed_work_sync(&bond->alb_work);
3553-
break;
3554-
default:
3555-
break;
3556-
}
3557-
3558-
if (delayed_work_pending(&bond->mcast_work))
3559-
cancel_delayed_work_sync(&bond->mcast_work);
3560-
3544+
bond_work_cancel_all(bond);
35613545
if (bond_is_lb(bond)) {
35623546
/* Must be called only after all
35633547
* slaves have been released
@@ -4436,26 +4420,6 @@ static void bond_setup(struct net_device *bond_dev)
44364420
bond_dev->features |= bond_dev->hw_features;
44374421
}
44384422

4439-
static void bond_work_cancel_all(struct bonding *bond)
4440-
{
4441-
if (bond->params.miimon && delayed_work_pending(&bond->mii_work))
4442-
cancel_delayed_work_sync(&bond->mii_work);
4443-
4444-
if (bond->params.arp_interval && delayed_work_pending(&bond->arp_work))
4445-
cancel_delayed_work_sync(&bond->arp_work);
4446-
4447-
if (bond->params.mode == BOND_MODE_ALB &&
4448-
delayed_work_pending(&bond->alb_work))
4449-
cancel_delayed_work_sync(&bond->alb_work);
4450-
4451-
if (bond->params.mode == BOND_MODE_8023AD &&
4452-
delayed_work_pending(&bond->ad_work))
4453-
cancel_delayed_work_sync(&bond->ad_work);
4454-
4455-
if (delayed_work_pending(&bond->mcast_work))
4456-
cancel_delayed_work_sync(&bond->mcast_work);
4457-
}
4458-
44594423
/*
44604424
* Destroy a bonding device.
44614425
* Must be under rtnl_lock when this function is called.
@@ -4706,12 +4670,13 @@ static int bond_check_params(struct bond_params *params)
47064670
arp_ip_count++) {
47074671
/* not complete check, but should be good enough to
47084672
catch mistakes */
4709-
if (!isdigit(arp_ip_target[arp_ip_count][0])) {
4673+
__be32 ip = in_aton(arp_ip_target[arp_ip_count]);
4674+
if (!isdigit(arp_ip_target[arp_ip_count][0]) ||
4675+
ip == 0 || ip == htonl(INADDR_BROADCAST)) {
47104676
pr_warning("Warning: bad arp_ip_target module parameter (%s), ARP monitoring will not be performed\n",
47114677
arp_ip_target[arp_ip_count]);
47124678
arp_interval = 0;
47134679
} else {
4714-
__be32 ip = in_aton(arp_ip_target[arp_ip_count]);
47154680
arp_target[arp_ip_count] = ip;
47164681
}
47174682
}

drivers/net/bonding/bond_sysfs.c

Lines changed: 12 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -513,6 +513,8 @@ static ssize_t bonding_store_arp_interval(struct device *d,
513513
int new_value, ret = count;
514514
struct bonding *bond = to_bond(d);
515515

516+
if (!rtnl_trylock())
517+
return restart_syscall();
516518
if (sscanf(buf, "%d", &new_value) != 1) {
517519
pr_err("%s: no arp_interval value specified.\n",
518520
bond->dev->name);
@@ -539,10 +541,6 @@ static ssize_t bonding_store_arp_interval(struct device *d,
539541
pr_info("%s: ARP monitoring cannot be used with MII monitoring. %s Disabling MII monitoring.\n",
540542
bond->dev->name, bond->dev->name);
541543
bond->params.miimon = 0;
542-
if (delayed_work_pending(&bond->mii_work)) {
543-
cancel_delayed_work(&bond->mii_work);
544-
flush_workqueue(bond->wq);
545-
}
546544
}
547545
if (!bond->params.arp_targets[0]) {
548546
pr_info("%s: ARP monitoring has been set up, but no ARP targets have been specified.\n",
@@ -554,19 +552,12 @@ static ssize_t bonding_store_arp_interval(struct device *d,
554552
* timer will get fired off when the open function
555553
* is called.
556554
*/
557-
if (!delayed_work_pending(&bond->arp_work)) {
558-
if (bond->params.mode == BOND_MODE_ACTIVEBACKUP)
559-
INIT_DELAYED_WORK(&bond->arp_work,
560-
bond_activebackup_arp_mon);
561-
else
562-
INIT_DELAYED_WORK(&bond->arp_work,
563-
bond_loadbalance_arp_mon);
564-
565-
queue_delayed_work(bond->wq, &bond->arp_work, 0);
566-
}
555+
cancel_delayed_work_sync(&bond->mii_work);
556+
queue_delayed_work(bond->wq, &bond->arp_work, 0);
567557
}
568558

569559
out:
560+
rtnl_unlock();
570561
return ret;
571562
}
572563
static DEVICE_ATTR(arp_interval, S_IRUGO | S_IWUSR,
@@ -962,6 +953,8 @@ static ssize_t bonding_store_miimon(struct device *d,
962953
int new_value, ret = count;
963954
struct bonding *bond = to_bond(d);
964955

956+
if (!rtnl_trylock())
957+
return restart_syscall();
965958
if (sscanf(buf, "%d", &new_value) != 1) {
966959
pr_err("%s: no miimon value specified.\n",
967960
bond->dev->name);
@@ -993,10 +986,6 @@ static ssize_t bonding_store_miimon(struct device *d,
993986
bond->params.arp_validate =
994987
BOND_ARP_VALIDATE_NONE;
995988
}
996-
if (delayed_work_pending(&bond->arp_work)) {
997-
cancel_delayed_work(&bond->arp_work);
998-
flush_workqueue(bond->wq);
999-
}
1000989
}
1001990

1002991
if (bond->dev->flags & IFF_UP) {
@@ -1005,15 +994,12 @@ static ssize_t bonding_store_miimon(struct device *d,
1005994
* timer will get fired off when the open function
1006995
* is called.
1007996
*/
1008-
if (!delayed_work_pending(&bond->mii_work)) {
1009-
INIT_DELAYED_WORK(&bond->mii_work,
1010-
bond_mii_monitor);
1011-
queue_delayed_work(bond->wq,
1012-
&bond->mii_work, 0);
1013-
}
997+
cancel_delayed_work_sync(&bond->arp_work);
998+
queue_delayed_work(bond->wq, &bond->mii_work, 0);
1014999
}
10151000
}
10161001
out:
1002+
rtnl_unlock();
10171003
return ret;
10181004
}
10191005
static DEVICE_ATTR(miimon, S_IRUGO | S_IWUSR,
@@ -1582,6 +1568,7 @@ static ssize_t bonding_store_slaves_active(struct device *d,
15821568
goto out;
15831569
}
15841570

1571+
read_lock(&bond->lock);
15851572
bond_for_each_slave(bond, slave, i) {
15861573
if (!bond_is_active_slave(slave)) {
15871574
if (new_value)
@@ -1590,6 +1577,7 @@ static ssize_t bonding_store_slaves_active(struct device *d,
15901577
slave->inactive = 1;
15911578
}
15921579
}
1580+
read_unlock(&bond->lock);
15931581
out:
15941582
return ret;
15951583
}

drivers/net/ethernet/realtek/8139cp.c

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1060,17 +1060,22 @@ static int cp_init_rings (struct cp_private *cp)
10601060

10611061
static int cp_alloc_rings (struct cp_private *cp)
10621062
{
1063+
struct device *d = &cp->pdev->dev;
10631064
void *mem;
1065+
int rc;
10641066

1065-
mem = dma_alloc_coherent(&cp->pdev->dev, CP_RING_BYTES,
1066-
&cp->ring_dma, GFP_KERNEL);
1067+
mem = dma_alloc_coherent(d, CP_RING_BYTES, &cp->ring_dma, GFP_KERNEL);
10671068
if (!mem)
10681069
return -ENOMEM;
10691070

10701071
cp->rx_ring = mem;
10711072
cp->tx_ring = &cp->rx_ring[CP_RX_RING_SIZE];
10721073

1073-
return cp_init_rings(cp);
1074+
rc = cp_init_rings(cp);
1075+
if (rc < 0)
1076+
dma_free_coherent(d, CP_RING_BYTES, cp->rx_ring, cp->ring_dma);
1077+
1078+
return rc;
10741079
}
10751080

10761081
static void cp_clean_rings (struct cp_private *cp)

drivers/net/wireless/iwlwifi/dvm/rxon.c

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1012,12 +1012,12 @@ static void iwl_calc_basic_rates(struct iwl_priv *priv,
10121012
* As a consequence, it's not as complicated as it sounds, just add
10131013
* any lower rates to the ACK rate bitmap.
10141014
*/
1015-
if (IWL_RATE_11M_INDEX < lowest_present_ofdm)
1016-
ofdm |= IWL_RATE_11M_MASK >> IWL_FIRST_CCK_RATE;
1017-
if (IWL_RATE_5M_INDEX < lowest_present_ofdm)
1018-
ofdm |= IWL_RATE_5M_MASK >> IWL_FIRST_CCK_RATE;
1019-
if (IWL_RATE_2M_INDEX < lowest_present_ofdm)
1020-
ofdm |= IWL_RATE_2M_MASK >> IWL_FIRST_CCK_RATE;
1015+
if (IWL_RATE_11M_INDEX < lowest_present_cck)
1016+
cck |= IWL_RATE_11M_MASK >> IWL_FIRST_CCK_RATE;
1017+
if (IWL_RATE_5M_INDEX < lowest_present_cck)
1018+
cck |= IWL_RATE_5M_MASK >> IWL_FIRST_CCK_RATE;
1019+
if (IWL_RATE_2M_INDEX < lowest_present_cck)
1020+
cck |= IWL_RATE_2M_MASK >> IWL_FIRST_CCK_RATE;
10211021
/* 1M already there or needed so always add */
10221022
cck |= IWL_RATE_1M_MASK >> IWL_FIRST_CCK_RATE;
10231023

net/ipv4/tcp.c

Lines changed: 6 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -830,8 +830,8 @@ static int tcp_send_mss(struct sock *sk, int *size_goal, int flags)
830830
return mss_now;
831831
}
832832

833-
static ssize_t do_tcp_sendpages(struct sock *sk, struct page **pages, int poffset,
834-
size_t psize, int flags)
833+
static ssize_t do_tcp_sendpages(struct sock *sk, struct page *page, int offset,
834+
size_t size, int flags)
835835
{
836836
struct tcp_sock *tp = tcp_sk(sk);
837837
int mss_now, size_goal;
@@ -858,12 +858,9 @@ static ssize_t do_tcp_sendpages(struct sock *sk, struct page **pages, int poffse
858858
if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))
859859
goto out_err;
860860

861-
while (psize > 0) {
861+
while (size > 0) {
862862
struct sk_buff *skb = tcp_write_queue_tail(sk);
863-
struct page *page = pages[poffset / PAGE_SIZE];
864863
int copy, i;
865-
int offset = poffset % PAGE_SIZE;
866-
int size = min_t(size_t, psize, PAGE_SIZE - offset);
867864
bool can_coalesce;
868865

869866
if (!tcp_send_head(sk) || (copy = size_goal - skb->len) <= 0) {
@@ -912,8 +909,8 @@ static ssize_t do_tcp_sendpages(struct sock *sk, struct page **pages, int poffse
912909
TCP_SKB_CB(skb)->tcp_flags &= ~TCPHDR_PSH;
913910

914911
copied += copy;
915-
poffset += copy;
916-
if (!(psize -= copy))
912+
offset += copy;
913+
if (!(size -= copy))
917914
goto out;
918915

919916
if (skb->len < size_goal || (flags & MSG_OOB))
@@ -960,7 +957,7 @@ int tcp_sendpage(struct sock *sk, struct page *page, int offset,
960957
flags);
961958

962959
lock_sock(sk);
963-
res = do_tcp_sendpages(sk, &page, offset, size, flags);
960+
res = do_tcp_sendpages(sk, page, offset, size, flags);
964961
release_sock(sk);
965962
return res;
966963
}

net/mac80211/offchannel.c

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -458,8 +458,6 @@ void ieee80211_roc_purge(struct ieee80211_sub_if_data *sdata)
458458
list_move_tail(&roc->list, &tmp_list);
459459
roc->abort = true;
460460
}
461-
462-
ieee80211_start_next_roc(local);
463461
mutex_unlock(&local->mtx);
464462

465463
list_for_each_entry_safe(roc, tmp, &tmp_list, list) {

0 commit comments

Comments
 (0)