hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[NETFILTER]: nf_conntrack: fix invalid conntrack statistics RCU assumption 

NF_CT_STAT_INC assumes rcu_read_lock in nf_hook_slow disables
preemption as well, making it legal to use __get_cpu_var without
disabling preemption manually. The assumption is not correct anymore
with preemptable RCU, additionally we need to protect against softirqs
when not holding nf_conntrack_lock.

Add NF_CT_STAT_INC_ATOMIC macro, which disables local softirqs,
and use where necessary.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Patrick McHardy 2007-02-12 11:13:43 -08:00 committed by David S. Miller
parent abbaccda4c
commit c0e912d7ed
3 changed files with 15 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
include/net/netfilter/nf_conntrack.h
View File

@ -257,6 +257,12 @@ extern int nf_conntrack_max;
DECLARE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat); DECLARE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat);
#define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++) #define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++)
#define NF_CT_STAT_INC_ATOMIC(count) \
do { \
local_bh_disable(); \
__get_cpu_var(nf_conntrack_stat).count++; \
local_bh_enable(); \
} while (0)
/* no helper, no nat */ /* no helper, no nat */
#define NF_CT_F_BASIC 0 #define NF_CT_F_BASIC 0

4
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
View File

@ -154,8 +154,8 @@ ipv6_prepare(struct sk_buff **pskb, unsigned int hooknum, unsigned int *dataoff,
*/ */
if ((protoff < 0) || (protoff > (*pskb)->len)) { if ((protoff < 0) || (protoff > (*pskb)->len)) {
DEBUGP("ip6_conntrack_core: can't find proto in pkt\n"); DEBUGP("ip6_conntrack_core: can't find proto in pkt\n");
NF_CT_STAT_INC(error); NF_CT_STAT_INC_ATOMIC(error);
NF_CT_STAT_INC(invalid); NF_CT_STAT_INC_ATOMIC(invalid);
return -NF_ACCEPT; return -NF_ACCEPT;
} }

14
net/netfilter/nf_conntrack_core.c
View File

@ -563,7 +563,7 @@ static int early_drop(struct list_head *chain)
if (del_timer(&ct->timeout)) { if (del_timer(&ct->timeout)) {
death_by_timeout((unsigned long)ct); death_by_timeout((unsigned long)ct);
dropped = 1; dropped = 1;
NF_CT_STAT_INC(early_drop); NF_CT_STAT_INC_ATOMIC(early_drop);
} }
nf_ct_put(ct); nf_ct_put(ct);
return dropped; return dropped;
@ -821,7 +821,7 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb)
/* Previously seen (loopback or untracked)? Ignore. */ /* Previously seen (loopback or untracked)? Ignore. */
if ((*pskb)->nfct) { if ((*pskb)->nfct) {
NF_CT_STAT_INC(ignore); NF_CT_STAT_INC_ATOMIC(ignore);
return NF_ACCEPT; return NF_ACCEPT;
} }
@ -840,8 +840,8 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb)
* core what to do with the packet. */ * core what to do with the packet. */
if (l4proto->error != NULL && if (l4proto->error != NULL &&
(ret = l4proto->error(*pskb, dataoff, &ctinfo, pf, hooknum)) <= 0) { (ret = l4proto->error(*pskb, dataoff, &ctinfo, pf, hooknum)) <= 0) {
NF_CT_STAT_INC(error); NF_CT_STAT_INC_ATOMIC(error);
NF_CT_STAT_INC(invalid); NF_CT_STAT_INC_ATOMIC(invalid);
return -ret; return -ret;
} }
@ -849,13 +849,13 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb)
&set_reply, &ctinfo); &set_reply, &ctinfo);
if (!ct) { if (!ct) {
/* Not valid part of a connection */ /* Not valid part of a connection */
NF_CT_STAT_INC(invalid); NF_CT_STAT_INC_ATOMIC(invalid);
return NF_ACCEPT; return NF_ACCEPT;
} }
if (IS_ERR(ct)) { if (IS_ERR(ct)) {
/* Too stressed to deal. */ /* Too stressed to deal. */
NF_CT_STAT_INC(drop); NF_CT_STAT_INC_ATOMIC(drop);
return NF_DROP; return NF_DROP;
} }
@ -868,7 +868,7 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb)
DEBUGP("nf_conntrack_in: Can't track with proto module\n"); DEBUGP("nf_conntrack_in: Can't track with proto module\n");
nf_conntrack_put((*pskb)->nfct); nf_conntrack_put((*pskb)->nfct);
(*pskb)->nfct = NULL; (*pskb)->nfct = NULL;
NF_CT_STAT_INC(invalid); NF_CT_STAT_INC_ATOMIC(invalid);
return -ret; return -ret;
} }