]> err.no Git - linux-2.6/commitdiff
[NETFILTER]: ip_conntrack: fix invalid conntrack statistics RCU assumption
authorPatrick McHardy <kaber@trash.net>
Mon, 12 Feb 2007 19:13:14 +0000 (11:13 -0800)
committerDavid S. Miller <davem@davemloft.net>
Mon, 12 Feb 2007 19:13:14 +0000 (11:13 -0800)
CONNTRACK_STAT_INC assumes rcu_read_lock in nf_hook_slow disables
preemption as well, making it legal to use __get_cpu_var without
disabling preemption manually. The assumption is not correct anymore
with preemptable RCU, additionally we need to protect against softirqs
when not holding ip_conntrack_lock.

Add CONNTRACK_STAT_INC_ATOMIC macro, which disables local softirqs,
and use where necessary.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/netfilter_ipv4/ip_conntrack.h
net/ipv4/netfilter/ip_conntrack_core.c

index 33581c13d9474a6d33dfc080b4a75df990ab9ee0..da9274e6bf12c57a22a29db1f90eeab5e0ebc0b3 100644 (file)
@@ -301,6 +301,12 @@ extern unsigned int ip_conntrack_htable_size;
 extern int ip_conntrack_checksum;
  
 #define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++)
+#define CONNTRACK_STAT_INC_ATOMIC(count)               \
+do {                                                   \
+       local_bh_disable();                             \
+       __get_cpu_var(ip_conntrack_stat).count++;       \
+       local_bh_enable();                              \
+} while (0)
 
 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
 #include <linux/notifier.h>
index e7de6d31b853b0e0a09de9f9d55e033ee1b4b541..a7e34d007ab01e2d37e2e037ac6ea8b757d9a317 100644 (file)
@@ -538,7 +538,7 @@ static int early_drop(struct list_head *chain)
        if (del_timer(&ct->timeout)) {
                death_by_timeout((unsigned long)ct);
                dropped = 1;
-               CONNTRACK_STAT_INC(early_drop);
+               CONNTRACK_STAT_INC_ATOMIC(early_drop);
        }
        ip_conntrack_put(ct);
        return dropped;
@@ -804,7 +804,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
 
        /* Previously seen (loopback or untracked)?  Ignore. */
        if ((*pskb)->nfct) {
-               CONNTRACK_STAT_INC(ignore);
+               CONNTRACK_STAT_INC_ATOMIC(ignore);
                return NF_ACCEPT;
        }
 
@@ -840,20 +840,20 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
         * core what to do with the packet. */
        if (proto->error != NULL
            && (ret = proto->error(*pskb, &ctinfo, hooknum)) <= 0) {
-               CONNTRACK_STAT_INC(error);
-               CONNTRACK_STAT_INC(invalid);
+               CONNTRACK_STAT_INC_ATOMIC(error);
+               CONNTRACK_STAT_INC_ATOMIC(invalid);
                return -ret;
        }
 
        if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo))) {
                /* Not valid part of a connection */
-               CONNTRACK_STAT_INC(invalid);
+               CONNTRACK_STAT_INC_ATOMIC(invalid);
                return NF_ACCEPT;
        }
 
        if (IS_ERR(ct)) {
                /* Too stressed to deal. */
-               CONNTRACK_STAT_INC(drop);
+               CONNTRACK_STAT_INC_ATOMIC(drop);
                return NF_DROP;
        }
 
@@ -865,7 +865,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
                 * the netfilter core what to do*/
                nf_conntrack_put((*pskb)->nfct);
                (*pskb)->nfct = NULL;
-               CONNTRACK_STAT_INC(invalid);
+               CONNTRACK_STAT_INC_ATOMIC(invalid);
                return -ret;
        }