From: Nikolay Aleksandrov Date: Wed, 26 Feb 2014 13:20:30 +0000 (+0100) Subject: bonding: fix a div error caused by the slave release path X-Git-Tag: firefly_0821_release~176^2~4330^2~26 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=ee6154e11eeccd4ae32c4881415dbd902a869592;p=firefly-linux-kernel-4.4.55.git bonding: fix a div error caused by the slave release path There's a bug in the slave release function which leads the transmit functions which use the bond->slave_cnt to a div by 0 because we might just have released our last slave and made slave_cnt == 0 but at the same time we may have a transmitter after the check for an empty list which will fetch it and use it in the slave id calculation. Fix it by moving the slave_cnt after synchronize_rcu so if this was our last slave any new transmitters will see an empty slave list which is checked after rcu lock but before calling the mode transmit functions which rely on bond->slave_cnt. Fixes: 278b208375 ("bonding: initial RCU conversion") CC: Veaceslav Falico CC: Andy Gospodarek CC: Jay Vosburgh CC: David S. Miller Signed-off-by: Nikolay Aleksandrov Acked-by: Veaceslav Falico Signed-off-by: David S. Miller --- diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 82b70ff1fd28..b47fa0421e01 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -1659,9 +1659,6 @@ static int __bond_release_one(struct net_device *bond_dev, return -EINVAL; } - /* release the slave from its bond */ - bond->slave_cnt--; - bond_sysfs_slave_del(slave); bond_upper_dev_unlink(bond_dev, slave_dev); @@ -1743,6 +1740,7 @@ static int __bond_release_one(struct net_device *bond_dev, unblock_netpoll_tx(); synchronize_rcu(); + bond->slave_cnt--; if (!bond_has_slaves(bond)) { call_netdevice_notifiers(NETDEV_CHANGEADDR, bond->dev);