summaryrefslogtreecommitdiffstats
path: root/net (follow)
Commit message (Collapse)AuthorAgeFilesLines
* [IPV6] TUNNEL6: Fix incoming packet length check for inter-protocol tunnel.Colin2008-06-041-1/+1
| | | | | | | | | I discover a strange behavior in [ipv4 in ipv6] tunnel. When IPv6 tunnel payload is less than 40(0x28), packet can be sent to network, received in physical interface, but not seen in IP tunnel interface. No counter increase in tunnel interface. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
* [IPV6] ADDRCONF: Check range of prefix lengthThomas Graf2008-06-041-2/+8
| | | | | | | | | | | | | | | | As of now, the prefix length is not vaildated when adding or deleting addresses. The value is passed directly into the inet6_ifaddr structure and later passed on to memcmp() as length indicator which relies on the value never to exceed 128 (bits). Due to the missing check, the currently code allows for any 8 bit value to be passed on as prefix length while using the netlink interface, and any 32 bit value while using the ioctl interface. [Use unsigned int instead to generate better code - yoshfuji] Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
* [IPV6] UDP: Possible dst leak in udpv6_sendmsg.YOSHIFUJI Hideaki2008-06-041-0/+2
| | | | | | | | | | | ip6_sk_dst_lookup returns held dst entry. It should be released on all paths beyond this point. Add missed release when up->pending is set. Bug report and initial patch by Denis V. Lunev <den@openvz.org>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Acked-by: Denis V. Lunev <den@openvz.org>
* [SCTP]: Fix NULL dereference of asoc.YOSHIFUJI Hideaki2008-06-043-4/+6
| | | | | | | | | Commit 7cbca67c073263c179f605bdbbdc565ab29d801d ("[IPV6]: Support Source Address Selection API (RFC5014)") introduced NULL dereference of asoc to sctp_v6_get_saddr in net/sctp/ipv6.c. Pointed out by Johann Felix Soden <johfel@users.sourceforge.net>. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
* ax25: Fix NULL pointer dereference and lockup.Jarek Poplawski2008-06-031-8/+3
| | | | | | | | | | | | | | From: Jarek Poplawski <jarkao2@gmail.com> There is only one function in AX25 calling skb_append(), and it really looks suspicious: appends skb after previously enqueued one, but in the meantime this previous skb could be removed from the queue. This patch Fixes it the simple way, so this is not fully compatible with the current method, but testing hasn't shown any problems. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* bluetooth: rfcomm_dev_state_change deadlock fixDave Young2008-06-031-1/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There's logic in __rfcomm_dlc_close: rfcomm_dlc_lock(d); d->state = BT_CLOSED; d->state_changed(d, err); rfcomm_dlc_unlock(d); In rfcomm_dev_state_change, it's possible that rfcomm_dev_put try to take the dlc lock, then we will deadlock. Here fixed it by unlock dlc before rfcomm_dev_get in rfcomm_dev_state_change. why not unlock just before rfcomm_dev_put? it's because there's another problem. rfcomm_dev_get/rfcomm_dev_del will take rfcomm_dev_lock, but in rfcomm_dev_add the lock order is : rfcomm_dev_lock --> dlc lock so I unlock dlc before the taken of rfcomm_dev_lock. Actually it's a regression caused by commit 1905f6c736cb618e07eca0c96e60e3c024023428 ("bluetooth : __rfcomm_dlc_close lock fix"), the dlc state_change could be two callbacks : rfcomm_sk_state_change and rfcomm_dev_state_change. I missed the rfcomm_sk_state_change that time. Thanks Arjan van de Ven <arjan@linux.intel.com> for the effort in commit 4c8411f8c115def968820a4df6658ccfd55d7f1a ("bluetooth: fix locking bug in the rfcomm socket cleanup handling") but he missed the rfcomm_dev_state_change lock issue. Signed-off-by: Dave Young <hidave.darkstar@gmail.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2008-05-3011-42/+45
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (26 commits) llc: Fix double accounting of received packets netfilter: nf_conntrack_expect: fix error path unwind in nf_conntrack_expect_init() bluetooth: fix locking bug in the rfcomm socket cleanup handling mac80211: fix alignment issue with compare_ether_addr() mac80211: Fix for NULL pointer dereference in sta_info_get() mac80211: fix a typo in ieee80211_handle_filtered_frame comment rndis_wlan: add missing range check for power_output modparam iwlwifi: fix rate scale TLC column selection bug iwlwifi: fix exit from stay_in_table state rndis_wlan: Make connections to TKIP PSK networks work mac80211 : Fixes the status message for iwconfig rt2x00: Use atomic interface iteration in irq context rt2x00: Reset antenna RSSI after switch rt2x00: Don't count retries as failure rt2x00: Fix memleak in tx() path mac80211: reorder channel and freq reporting in wext scan report b43: Fix controller restart crash mac80211: fix ieee80211_rx_bss_put/get imbalance net/mac80211: always true conditionals b43: Upload both beacon templates on initial load ...
| * llc: Fix double accounting of received packetsArnaldo Carvalho de Melo2008-05-301-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | llc_sap_rcv was being preceded by skb_set_owner_r, then calling llc_state_process that calls sock_queue_rcv_skb, that in turn calls skb_set_owner_r again making the space allowed to be used by the socket to be leaked, making the socket to get stuck. Fix it by setting skb->sk at llc_sap_rcv and leave the accounting to be done only at sock_queue_rcv_skb. Reported-by: Dmitry Petukhov <dmgenp@gmail.com> Tested-by: Dmitry Petukhov <dmgenp@gmail.com> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * netfilter: nf_conntrack_expect: fix error path unwind in ↵Alexey Dobriyan2008-05-291-2/+2
| | | | | | | | | | | | | | | | nf_conntrack_expect_init() Signed-off-by: Alexey Dobriyan <adobriyan@parallels.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * Merge branch 'master' of ↵David S. Miller2008-05-296-23/+31
| |\ | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/linville/wireless-2.6
| | * mac80211: fix alignment issue with compare_ether_addr()Senthil Balasubramanian2008-05-283-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This addresses an alignment issue with compare_ether_addr(). The addresses passed to compare_ether_addr should be two bytes aligned. It may function properly in x86 platform. However may not work properly on IA-64 or ARM processor. This also fixes a typo in mlme.c where the sk_buff struct name is incorect. Though sizeof() works for any incorrect structure pointer name as its just a pointer length that we want, lets just fix it. Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * mac80211: Fix for NULL pointer dereference in sta_info_get()Senthil Balasubramanian2008-05-281-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This addresses a NULL pointer dereference in sta_info_get(). TID and sta_info are extracted in ADDBA Timer expiry function through the timer handler's argument. The problem is extracging the TID (which was stored in timer_to_tid[] array of type "u8") through "int *" typecast which may also yield unwanted bytes for the MSB of TID that results in incorrect sta_info and ieee80211_local pointers. ieee80211_local pointer is NULL as illustrated below, it crashes in sta_info_get(). The problem started when extracting ieee80211_local pointer out of sta_info iteself and eventually crashed in stat_info_get(). The proper way to fix is to change the data type of TID to u8 instead of u16. However changing all the occurences requires some prototype changes as well. We should fix this in upcoming patches. Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com> Signed-off-by: Luis Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * mac80211: fix a typo in ieee80211_handle_filtered_frame commentYi Zhu2008-05-281-1/+1
| | | | | | | | | | | | | | | | | | | | | fix a typo in ieee80211_handle_filtered_frame comment Signed-off-by: Yi Zhu <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * mac80211 : Fixes the status message for iwconfigAbhijeet Kolekar2008-05-281-3/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | iwconfig was showing incorrect status messages when disassociated. Patch fixes this by always checking for association status in ioctl calls for getting ap address. Signed-off-by: Abhijeet Kolekar <abhijeet.kolekar@intel.com> Acked-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * mac80211: reorder channel and freq reporting in wext scan reportTomas Winkler2008-05-281-5/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch switch order of channel and freq (SIOCGIWFREQ) reports in scan results in order to overcome wpa_supplicant inability to handle channel numbers in 5.2Ghz band. Wext reporting channel number is ambiguous as channels 7-12 (802.11j) exist on both bands. Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Acked-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * mac80211: fix ieee80211_rx_bss_put/get imbalanceTomas Winkler2008-05-281-4/+8
| | | | | | | | | | | | | | | | | | | | | | | | This patch fixes iee80211_rx_bss_put/get imbalance introduced by 'mac80211: enable IBSS merging' patch. Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * net/mac80211: always true conditionalsNicolas Kaiser2008-05-281-2/+2
| | | | | | | | | | | | | | | | | | | | | Correct always true conditionals. Signed-off-by: Nicolas Kaiser <nikai@nikai.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | bluetooth: fix locking bug in the rfcomm socket cleanup handlingArjan van de Ven2008-05-291-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | in net/bluetooth/rfcomm/sock.c, rfcomm_sk_state_change() does the following operation: if (parent && sock_flag(sk, SOCK_ZAPPED)) { /* We have to drop DLC lock here, otherwise * rfcomm_sock_destruct() will dead lock. */ rfcomm_dlc_unlock(d); rfcomm_sock_kill(sk); rfcomm_dlc_lock(d); } } which is fine, since rfcomm_sock_kill() will call sk_free() which will call rfcomm_sock_destruct() which takes the rfcomm_dlc_lock()... so far so good. HOWEVER, this assumes that the rfcomm_sk_state_change() function always gets called with the rfcomm_dlc_lock() taken. This is the case for all but one case, and in that case where we don't have the lock, we do a double unlock followed by an attempt to take the lock, which due to underflow isn't going anywhere fast. This patch fixes this by moving the stragling case inside the lock, like the other usages of the same call are doing in this code. This was found with the help of the www.kerneloops.org project, where this deadlock was observed 51 times at this point in time: http://www.kerneloops.org/search.php?search=rfcomm_sock_destruct Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | dccp ccid-3: Fix "t_ipi explosion" bugGerrit Renker2008-05-271-9/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The identification of this bug is thanks to Cheng Wei and Tomasz Grobelny. To avoid divide-by-zero, the implementation previously ignored RTTs smaller than 4 microseconds when performing integer division RTT/4. When the RTT reached a value less than 4 microseconds (as observed on loopback), this prevented the Window Counter CCVal value from advancing. As a result, the receiver stopped sending feedback. This in turn caused non-ending expiries of the nofeedback timer at the sender, so that the sending rate was progressively reduced until reaching the minimum of one packet per 64 seconds. The patch fixes this bug by handling integer division more intelligently. Due to consistent use of dccp_sample_rtt(), divide-by-zero-RTT is avoided. Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | dccp: Fix to handle short sequence numbers packet correctlyWei Yongjun2008-05-271-2/+2
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | RFC4340 said: 8.5. Pseudocode ... If P.type is not Data, Ack, or DataAck and P.X == 0 (the packet has short sequence numbers), drop packet and return But DCCP has some mistake to handle short sequence numbers packet, now it drop packet only if P.type is Data, Ack, or DataAck and P.X == 0. Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2008-05-263-14/+3
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (52 commits) vlan: Use bitmask of feature flags instead of seperate feature bits fmvj18x_cs: add NextCom NC5310 rev B support xirc2ps_cs: re-initialize the multicast address in do_reset 3C509: rx_bytes should not be increased when alloc_skb failed NETFRONT: Use __skb_queue_purge() VIRTIO: Use __skb_queue_purge() phylib: do EXPORT_SYMBOL on get_phy_id netlink: Fix nla_parse_nested_compat() to call nla_parse() directly WAN: protect HDLC proto list while insmod/rmmod drivers/net/fs_enet: remove null pointer dereference S2io: Version update for napi and MSI-X patches S2io: Added napi support when MSIX is enabled. S2io: Move all the transmit completions to a single msi-x (alarm) vector drivers/net/ehea - remove unnecessary memset after kzalloc au1000_eth: remove useless check Blackfin EMAC Driver: Removed duplicated include <linux/ethtool.h> cpmac bugfixes and enhancements e1000e: use resource_size_t, not unsigned long, for phys addrs net/usb: add support for Apple USB Ethernet Adapter uli526x: add support for netpoll ...
| * vlan: Use bitmask of feature flags instead of seperate feature bitsPatrick McHardy2008-05-233-14/+3
| | | | | | | | | | | | | | | | | | | | | | Herbert Xu points out that the use of seperate feature bits for features to be propagated to VLAN devices is going to get messy real soon. Replace the VLAN feature bits by a bitmask of feature flags to be propagated and restore the old GSO_SHIFT/MASK values. Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2008-05-229-386/+23
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: net: The world is not perfect patch. tcp: Make prior_ssthresh a u32 xfrm_user: Remove zero length key checks. net/ipv4/arp.c: Use common hex_asc helpers cassini: Only use chip checksum for ipv4 packets. tcp: TCP connection times out if ICMP frag needed is delayed netfilter: Move linux/types.h inclusions outside of #ifdef __KERNEL__ af_key: Fix selector family initialization. libertas: Fix ethtool statistics mac80211: fix NULL pointer dereference in ieee80211_compatible_rates mac80211: don't claim iwspy support orinoco_cs: add ID for SpeedStream wireless adapters hostap_cs: add ID for Conceptronic CON11CPro rtl8187: resource leak in error case ath5k: Fix loop variable initializations
| * net: The world is not perfect patch.Rami Rosen2008-05-223-362/+3
| | | | | | | | | | | | | | | | | | | | | | | | Unless there will be any objection here, I suggest consider the following patch which simply removes the code for the -DI_WISH_WORLD_WERE_PERFECT in the three methods which use it. The compilation errors we get when using -DI_WISH_WORLD_WERE_PERFECT show that this code was not built and not used for really a long time. Signed-off-by: Rami Rosen <ramirose@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * xfrm_user: Remove zero length key checks.David S. Miller2008-05-221-11/+0
| | | | | | | | | | | | | | | | | | | | | | The crypto layer will determine whether that is valid or not. Suggested by Herbert Xu, based upon a report and patch by Martin Willi. Signed-off-by: David S. Miller <davem@davemloft.net> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
| * net/ipv4/arp.c: Use common hex_asc helpersDenis Cheng2008-05-221-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Here the local hexbuf is a duplicate of global const char hex_asc from lib/hexdump.c, except the hex letters' cases: const char hexbuf[] = "0123456789ABCDEF"; const char hex_asc[] = "0123456789abcdef"; and here to print HW addresses, the hex cases are not significant. Thanks to Harvey Harrison to introduce the hex_asc_hi/hex_asc_lo helpers. Signed-off-by: Denis Cheng <crquan@gmail.com> Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * tcp: TCP connection times out if ICMP frag needed is delayedSridhar Samudrala2008-05-221-4/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We are seeing an issue with TCP in handling an ICMP frag needed message that is received after net.ipv4.tcp_retries1 retransmits. The default value of retries1 is 3. So if the path mtu changes and ICMP frag needed is lost for the first 3 retransmits or if it gets delayed until 3 retransmits are done, TCP doesn't update MSS correctly and continues to retransmit the orginal message until it timesout after tcp_retries2 retransmits. I am seeing this issue even with the latest 2.6.25.4 kernel. In tcp_retransmit_timer(), when retransmits counter exceeds tcp_retries1 value, the dst cache entry of the socket is reset. At this time, if we receive an ICMP frag needed message, the dst entry gets updated with the new MTU, but the TCP sockets dst_cache entry remains NULL. So the next time when we try to retransmit after the ICMP frag needed is received, tcp_retransmit_skb() gets called. Here the cur_mss value is calculated at the start of the routine with a NULL sk_dst_cache. Instead we should call tcp_current_mss after the rebuild_header that caches the dst entry with the updated mtu. Also the rebuild_header should be called before tcp_fragment so that skb is fragmented if the mss goes down. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * af_key: Fix selector family initialization.Kazunori MIYAZAWA2008-05-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | This propagates the xfrm_user fix made in commit bcf0dda8d2408fe1c1040cdec5a98e5fcad2ac72 ("[XFRM]: xfrm_user: fix selector family initialization") Based upon a bug report from, and tested by, Alan Swanson. Signed-off-by: Kazunori MIYAZAWA <kazunori@miyazawa.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * Merge branch 'master' of ↵David S. Miller2008-05-212-5/+11
| |\ | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/linville/wireless-2.6
| | * mac80211: fix NULL pointer dereference in ieee80211_compatible_ratesHelmut Schaa2008-05-211-4/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a possible NULL pointer dereference in ieee80211_compatible_rates introduced in the patch "mac80211: fix association with some APs". If no bss is available just use all supported rates in the association request. Signed-off-by: Helmut Schaa <hschaa@suse.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * mac80211: don't claim iwspy supportJohannes Berg2008-05-201-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | We removed iwspy support a very long time ago because it is useless, but forgot to stop claiming to support it. Apparently, nobody cares, but remove it nonetheless. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | | Merge branch 'for-2.6.26' of git://linux-nfs.org/~bfields/linuxLinus Torvalds2008-05-215-212/+218
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * 'for-2.6.26' of git://linux-nfs.org/~bfields/linux: (25 commits) svcrdma: Verify read-list fits within RPCSVC_MAXPAGES svcrdma: Change svc_rdma_send_error return type to void svcrdma: Copy transport address and arm CQ before calling rdma_accept svcrdma: Set rqstp transport address in rdma_read_complete function svcrdma: Use ib verbs version of dma_unmap svcrdma: Cleanup queued, but unprocessed I/O in svc_rdma_free svcrdma: Move the QP and cm_id destruction to svc_rdma_free svcrdma: Add reference for each SQ/RQ WR svcrdma: Move destroy to kernel thread svcrdma: Shrink scope of spinlock on RQ CQ svcrdma: Use standard Linux lists for context cache svcrdma: Simplify RDMA_READ deferral buffer management svcrdma: Remove unused READ_DONE context flags bit svcrdma: Return error from rdma_read_xdr so caller knows to free context svcrdma: Fix error handling during listening endpoint creation svcrdma: Free context on post_recv error in send_reply svcrdma: Free context on ib_post_recv error svcrdma: Add put of connection ESTABLISHED reference in rdma_cma_handler svcrdma: Fix return value in svc_rdma_send svcrdma: Fix race with dto_tasklet in svc_rdma_send ...
| * \ \ Merge branch 'from-tomtucker' into for-2.6.26J. Bruce Fields2008-05-214-210/+216
| |\ \ \
| | * | | svcrdma: Verify read-list fits within RPCSVC_MAXPAGESTom Tucker2008-05-191-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A RDMA read-list cannot contain more elements than RPCSVC_MAXPAGES or it will overflow the DTO context. Verify this when processing the protocol header. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Change svc_rdma_send_error return type to voidTom Tucker2008-05-192-6/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The svc_rdma_send_error function is called when an RPCRDMA protocol error is detected. This function attempts to post an error reply message. Since an error posting to a transport in error is ignored, change the return type to void. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Copy transport address and arm CQ before calling rdma_acceptTom Tucker2008-05-191-9/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This race was found by inspection. Messages can be received from the peer immediately following the rdma_accept call, however, the CQ have not yet been armed and the transport address has not yet been set. Set the transport address in the connect request handler and arm the CQ prior to calling rdma_accept. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Set rqstp transport address in rdma_read_complete functionTom Tucker2008-05-191-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The rdma_read_complete function needs to copy the rqstp transport address from the transport. Failure to do so can result in using the wrong authentication method for the RPC or bug checking if the rqstp address is not valid. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Use ib verbs version of dma_unmapTom Tucker2008-05-191-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use the ib_verbs version of the dma_unmap service in the svc_rdma_put_context function. This should support providers using software rdma. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Cleanup queued, but unprocessed I/O in svc_rdma_freeTom Tucker2008-05-191-3/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the transport is closing, the DTO tasklet may queue data that never gets processed. Clean up resources associated with this I/O. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Move the QP and cm_id destruction to svc_rdma_freeTom Tucker2008-05-191-20/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Move the destruction of the QP and CM_ID to the free path so that the QP cleanup code doesn't race with the dto_tasklet handling flushed WR. The QP reference is not needed because we now have a reference for every WR. Also add a guard in the SQ and RQ completion handlers to ignore calls generated by some providers when the QP is destroyed. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Add reference for each SQ/RQ WRTom Tucker2008-05-191-2/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a reference on the transport for every outstanding WR. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Move destroy to kernel threadTom Tucker2008-05-191-3/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some providers may wait while destroying adapter resources. Since it is possible that the last reference is put on the dto_tasklet, the actual destroy must be scheduled as a work item. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Shrink scope of spinlock on RQ CQTom Tucker2008-05-191-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The rq_cq_reap function is only called from the dto_tasklet. The only resource shared with other threads is the sc_rq_dto_q. Move the spin lock to protect only this list. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Use standard Linux lists for context cacheTom Tucker2008-05-191-21/+26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Replace the one-off linked list implementation used to implement the context cache with the standard Linux list_head lists. Add a context counter to catch resource leaks. A WARN_ON will be added later to ensure that we've freed all contexts. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Simplify RDMA_READ deferral buffer managementTom Tucker2008-05-192-48/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | An NFS_WRITE requires a set of RDMA_READ requests to fetch the write data from the client. There are two principal pieces of data that need to be tracked: the list of pages that comprise the completed RPC and the SGE of dma mapped pages to refer to this list of pages. Previously this whole bit was managed as a linked list of contexts with the context containing the page list buried in this list. This patch simplifies this processing by not keeping a linked list, but rather only a pionter from the last submitted RDMA_READ's context to the context that maps the set of pages that describe the RPC. This significantly simplifies this code path. SGE contexts are cleaned up inline in the DTO path instead of at read completion time. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Remove unused READ_DONE context flags bitTom Tucker2008-05-192-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The RDMACTXT_F_READ_DONE bit is not longer used. Remove it. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Return error from rdma_read_xdr so caller knows to free contextTom Tucker2008-05-191-7/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The rdma_read_xdr function did not discriminate between no read-list and an error posting the read-list. This results in a leak of a page if there is an error posting the read-list. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Fix error handling during listening endpoint creationTom Tucker2008-05-191-11/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A listening endpoint isn't known to the generic transport switch until the svc_create_xprt function returns without error. Calling svc_xprt_put within the xpo_create function causes the module reference count to be erroneously decremented. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Free context on post_recv error in send_replyTom Tucker2008-05-191-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If an error is encountered trying to post a recv buffer in send_reply, free the passed in context. Return an error to the caller so it is aware that the request was not posted. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>
| | * | | svcrdma: Free context on ib_post_recv errorTom Tucker2008-05-191-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If there is an error posting the recv WR to the RQ, free the context associated with the WR. This would leak a context when asynchronous errors occurred on the transport while conccurent threads were processing their RPC. Signed-off-by: Tom Tucker <tom@opengridcomputing.com>