diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2019-10-05 11:50:15 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-10-05 11:50:15 -0400 |
| commit | 9819a30c11ea439e5e3c81f5539c4d42d6c76314 (patch) | |
| tree | eee29b4735a2ddb944260ad3d281efd4a56788cc /net/tipc/link.c | |
| parent | 6fe137cbe3e85e832a169006e8ccc04cec69c653 (diff) | |
| parent | ef129d34149ea23d0d442844fc25ae26a85589fc (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from David Miller:
1) Fix ieeeu02154 atusb driver use-after-free, from Johan Hovold.
2) Need to validate TCA_CBQ_WRROPT netlink attributes, from Eric
Dumazet.
3) txq null deref in mac80211, from Miaoqing Pan.
4) ionic driver needs to select NET_DEVLINK, from Arnd Bergmann.
5) Need to disable bh during nft_connlimit GC, from Pablo Neira Ayuso.
6) Avoid division by zero in taprio scheduler, from Vladimir Oltean.
7) Various xgmac fixes in stmmac driver from Jose Abreu.
8) Avoid 64-bit division in mlx5 leading to link errors on 32-bit from
Michal Kubecek.
9) Fix bad VLAN check in rtl8366 DSA driver, from Linus Walleij.
10) Fix sleep while atomic in sja1105, from Vladimir Oltean.
11) Suspend/resume deadlock in stmmac, from Thierry Reding.
12) Various UDP GSO fixes from Josh Hunt.
13) Fix slab out of bounds access in tcp_zerocopy_receive(), from Eric
Dumazet.
14) Fix OOPS in __ipv6_ifa_notify(), from David Ahern.
15) Memory leak in NFC's llcp_sock_bind, from Eric Dumazet.
* git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (72 commits)
selftests/net: add nettest to .gitignore
net: qlogic: Fix memory leak in ql_alloc_large_buffers
nfc: fix memory leak in llcp_sock_bind()
sch_dsmark: fix potential NULL deref in dsmark_init()
net: phy: at803x: use operating parameters from PHY-specific status
net: phy: extract pause mode
net: phy: extract link partner advertisement reading
net: phy: fix write to mii-ctrl1000 register
ipv6: Handle missing host route in __ipv6_ifa_notify
net: phy: allow for reset line to be tied to a sleepy GPIO controller
net: ipv4: avoid mixed n_redirects and rate_tokens usage
r8152: Set macpassthru in reset_resume callback
cxgb4:Fix out-of-bounds MSI-X info array access
Revert "ipv6: Handle race in addrconf_dad_work"
net: make sock_prot_memory_pressure() return "const char *"
rxrpc: Fix rxrpc_recvmsg tracepoint
qmi_wwan: add support for Cinterion CLS8 devices
tcp: fix slab-out-of-bounds in tcp_zerocopy_receive()
lib: textsearch: fix escapes in example code
udp: only do GSO if # of segs > 1
...
Diffstat (limited to 'net/tipc/link.c')
| -rw-r--r-- | net/tipc/link.c | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/net/tipc/link.c b/net/tipc/link.c index 6cc75ffd9e2c..999eab592de8 100644 --- a/net/tipc/link.c +++ b/net/tipc/link.c | |||
| @@ -160,6 +160,7 @@ struct tipc_link { | |||
| 160 | struct { | 160 | struct { |
| 161 | u16 len; | 161 | u16 len; |
| 162 | u16 limit; | 162 | u16 limit; |
| 163 | struct sk_buff *target_bskb; | ||
| 163 | } backlog[5]; | 164 | } backlog[5]; |
| 164 | u16 snd_nxt; | 165 | u16 snd_nxt; |
| 165 | u16 window; | 166 | u16 window; |
| @@ -880,6 +881,7 @@ static void link_prepare_wakeup(struct tipc_link *l) | |||
| 880 | void tipc_link_reset(struct tipc_link *l) | 881 | void tipc_link_reset(struct tipc_link *l) |
| 881 | { | 882 | { |
| 882 | struct sk_buff_head list; | 883 | struct sk_buff_head list; |
| 884 | u32 imp; | ||
| 883 | 885 | ||
| 884 | __skb_queue_head_init(&list); | 886 | __skb_queue_head_init(&list); |
| 885 | 887 | ||
| @@ -901,11 +903,10 @@ void tipc_link_reset(struct tipc_link *l) | |||
| 901 | __skb_queue_purge(&l->deferdq); | 903 | __skb_queue_purge(&l->deferdq); |
| 902 | __skb_queue_purge(&l->backlogq); | 904 | __skb_queue_purge(&l->backlogq); |
| 903 | __skb_queue_purge(&l->failover_deferdq); | 905 | __skb_queue_purge(&l->failover_deferdq); |
| 904 | l->backlog[TIPC_LOW_IMPORTANCE].len = 0; | 906 | for (imp = 0; imp <= TIPC_SYSTEM_IMPORTANCE; imp++) { |
| 905 | l->backlog[TIPC_MEDIUM_IMPORTANCE].len = 0; | 907 | l->backlog[imp].len = 0; |
| 906 | l->backlog[TIPC_HIGH_IMPORTANCE].len = 0; | 908 | l->backlog[imp].target_bskb = NULL; |
| 907 | l->backlog[TIPC_CRITICAL_IMPORTANCE].len = 0; | 909 | } |
| 908 | l->backlog[TIPC_SYSTEM_IMPORTANCE].len = 0; | ||
| 909 | kfree_skb(l->reasm_buf); | 910 | kfree_skb(l->reasm_buf); |
| 910 | kfree_skb(l->reasm_tnlmsg); | 911 | kfree_skb(l->reasm_tnlmsg); |
| 911 | kfree_skb(l->failover_reasm_skb); | 912 | kfree_skb(l->failover_reasm_skb); |
| @@ -947,7 +948,7 @@ int tipc_link_xmit(struct tipc_link *l, struct sk_buff_head *list, | |||
| 947 | u16 bc_ack = l->bc_rcvlink->rcv_nxt - 1; | 948 | u16 bc_ack = l->bc_rcvlink->rcv_nxt - 1; |
| 948 | struct sk_buff_head *transmq = &l->transmq; | 949 | struct sk_buff_head *transmq = &l->transmq; |
| 949 | struct sk_buff_head *backlogq = &l->backlogq; | 950 | struct sk_buff_head *backlogq = &l->backlogq; |
| 950 | struct sk_buff *skb, *_skb, *bskb; | 951 | struct sk_buff *skb, *_skb, **tskb; |
| 951 | int pkt_cnt = skb_queue_len(list); | 952 | int pkt_cnt = skb_queue_len(list); |
| 952 | int rc = 0; | 953 | int rc = 0; |
| 953 | 954 | ||
| @@ -999,19 +1000,21 @@ int tipc_link_xmit(struct tipc_link *l, struct sk_buff_head *list, | |||
| 999 | seqno++; | 1000 | seqno++; |
| 1000 | continue; | 1001 | continue; |
| 1001 | } | 1002 | } |
| 1002 | if (tipc_msg_bundle(skb_peek_tail(backlogq), hdr, mtu)) { | 1003 | tskb = &l->backlog[imp].target_bskb; |
| 1004 | if (tipc_msg_bundle(*tskb, hdr, mtu)) { | ||
| 1003 | kfree_skb(__skb_dequeue(list)); | 1005 | kfree_skb(__skb_dequeue(list)); |
| 1004 | l->stats.sent_bundled++; | 1006 | l->stats.sent_bundled++; |
| 1005 | continue; | 1007 | continue; |
| 1006 | } | 1008 | } |
| 1007 | if (tipc_msg_make_bundle(&bskb, hdr, mtu, l->addr)) { | 1009 | if (tipc_msg_make_bundle(tskb, hdr, mtu, l->addr)) { |
| 1008 | kfree_skb(__skb_dequeue(list)); | 1010 | kfree_skb(__skb_dequeue(list)); |
| 1009 | __skb_queue_tail(backlogq, bskb); | 1011 | __skb_queue_tail(backlogq, *tskb); |
| 1010 | l->backlog[msg_importance(buf_msg(bskb))].len++; | 1012 | l->backlog[imp].len++; |
| 1011 | l->stats.sent_bundled++; | 1013 | l->stats.sent_bundled++; |
| 1012 | l->stats.sent_bundles++; | 1014 | l->stats.sent_bundles++; |
| 1013 | continue; | 1015 | continue; |
| 1014 | } | 1016 | } |
| 1017 | l->backlog[imp].target_bskb = NULL; | ||
| 1015 | l->backlog[imp].len += skb_queue_len(list); | 1018 | l->backlog[imp].len += skb_queue_len(list); |
| 1016 | skb_queue_splice_tail_init(list, backlogq); | 1019 | skb_queue_splice_tail_init(list, backlogq); |
| 1017 | } | 1020 | } |
| @@ -1027,6 +1030,7 @@ static void tipc_link_advance_backlog(struct tipc_link *l, | |||
| 1027 | u16 seqno = l->snd_nxt; | 1030 | u16 seqno = l->snd_nxt; |
| 1028 | u16 ack = l->rcv_nxt - 1; | 1031 | u16 ack = l->rcv_nxt - 1; |
| 1029 | u16 bc_ack = l->bc_rcvlink->rcv_nxt - 1; | 1032 | u16 bc_ack = l->bc_rcvlink->rcv_nxt - 1; |
| 1033 | u32 imp; | ||
| 1030 | 1034 | ||
| 1031 | while (skb_queue_len(&l->transmq) < l->window) { | 1035 | while (skb_queue_len(&l->transmq) < l->window) { |
| 1032 | skb = skb_peek(&l->backlogq); | 1036 | skb = skb_peek(&l->backlogq); |
| @@ -1037,7 +1041,10 @@ static void tipc_link_advance_backlog(struct tipc_link *l, | |||
| 1037 | break; | 1041 | break; |
| 1038 | __skb_dequeue(&l->backlogq); | 1042 | __skb_dequeue(&l->backlogq); |
| 1039 | hdr = buf_msg(skb); | 1043 | hdr = buf_msg(skb); |
| 1040 | l->backlog[msg_importance(hdr)].len--; | 1044 | imp = msg_importance(hdr); |
| 1045 | l->backlog[imp].len--; | ||
| 1046 | if (unlikely(skb == l->backlog[imp].target_bskb)) | ||
| 1047 | l->backlog[imp].target_bskb = NULL; | ||
| 1041 | __skb_queue_tail(&l->transmq, skb); | 1048 | __skb_queue_tail(&l->transmq, skb); |
| 1042 | /* next retransmit attempt */ | 1049 | /* next retransmit attempt */ |
| 1043 | if (link_is_bc_sndlink(l)) | 1050 | if (link_is_bc_sndlink(l)) |