Commit c0e912d7 authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[NETFILTER]: nf_conntrack: fix invalid conntrack statistics RCU assumption

NF_CT_STAT_INC assumes rcu_read_lock in nf_hook_slow disables
preemption as well, making it legal to use __get_cpu_var without
disabling preemption manually. The assumption is not correct anymore
with preemptable RCU, additionally we need to protect against softirqs
when not holding nf_conntrack_lock.

Add NF_CT_STAT_INC_ATOMIC macro, which disables local softirqs,
and use where necessary.
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent abbaccda
...@@ -257,6 +257,12 @@ extern int nf_conntrack_max; ...@@ -257,6 +257,12 @@ extern int nf_conntrack_max;
DECLARE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat); DECLARE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat);
#define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++) #define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++)
#define NF_CT_STAT_INC_ATOMIC(count) \
do { \
local_bh_disable(); \
__get_cpu_var(nf_conntrack_stat).count++; \
local_bh_enable(); \
} while (0)
/* no helper, no nat */ /* no helper, no nat */
#define NF_CT_F_BASIC 0 #define NF_CT_F_BASIC 0
......
...@@ -154,8 +154,8 @@ ipv6_prepare(struct sk_buff **pskb, unsigned int hooknum, unsigned int *dataoff, ...@@ -154,8 +154,8 @@ ipv6_prepare(struct sk_buff **pskb, unsigned int hooknum, unsigned int *dataoff,
*/ */
if ((protoff < 0) || (protoff > (*pskb)->len)) { if ((protoff < 0) || (protoff > (*pskb)->len)) {
DEBUGP("ip6_conntrack_core: can't find proto in pkt\n"); DEBUGP("ip6_conntrack_core: can't find proto in pkt\n");
NF_CT_STAT_INC(error); NF_CT_STAT_INC_ATOMIC(error);
NF_CT_STAT_INC(invalid); NF_CT_STAT_INC_ATOMIC(invalid);
return -NF_ACCEPT; return -NF_ACCEPT;
} }
......
...@@ -563,7 +563,7 @@ static int early_drop(struct list_head *chain) ...@@ -563,7 +563,7 @@ static int early_drop(struct list_head *chain)
if (del_timer(&ct->timeout)) { if (del_timer(&ct->timeout)) {
death_by_timeout((unsigned long)ct); death_by_timeout((unsigned long)ct);
dropped = 1; dropped = 1;
NF_CT_STAT_INC(early_drop); NF_CT_STAT_INC_ATOMIC(early_drop);
} }
nf_ct_put(ct); nf_ct_put(ct);
return dropped; return dropped;
...@@ -821,7 +821,7 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb) ...@@ -821,7 +821,7 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb)
/* Previously seen (loopback or untracked)? Ignore. */ /* Previously seen (loopback or untracked)? Ignore. */
if ((*pskb)->nfct) { if ((*pskb)->nfct) {
NF_CT_STAT_INC(ignore); NF_CT_STAT_INC_ATOMIC(ignore);
return NF_ACCEPT; return NF_ACCEPT;
} }
...@@ -840,8 +840,8 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb) ...@@ -840,8 +840,8 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb)
* core what to do with the packet. */ * core what to do with the packet. */
if (l4proto->error != NULL && if (l4proto->error != NULL &&
(ret = l4proto->error(*pskb, dataoff, &ctinfo, pf, hooknum)) <= 0) { (ret = l4proto->error(*pskb, dataoff, &ctinfo, pf, hooknum)) <= 0) {
NF_CT_STAT_INC(error); NF_CT_STAT_INC_ATOMIC(error);
NF_CT_STAT_INC(invalid); NF_CT_STAT_INC_ATOMIC(invalid);
return -ret; return -ret;
} }
...@@ -849,13 +849,13 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb) ...@@ -849,13 +849,13 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb)
&set_reply, &ctinfo); &set_reply, &ctinfo);
if (!ct) { if (!ct) {
/* Not valid part of a connection */ /* Not valid part of a connection */
NF_CT_STAT_INC(invalid); NF_CT_STAT_INC_ATOMIC(invalid);
return NF_ACCEPT; return NF_ACCEPT;
} }
if (IS_ERR(ct)) { if (IS_ERR(ct)) {
/* Too stressed to deal. */ /* Too stressed to deal. */
NF_CT_STAT_INC(drop); NF_CT_STAT_INC_ATOMIC(drop);
return NF_DROP; return NF_DROP;
} }
...@@ -868,7 +868,7 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb) ...@@ -868,7 +868,7 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb)
DEBUGP("nf_conntrack_in: Can't track with proto module\n"); DEBUGP("nf_conntrack_in: Can't track with proto module\n");
nf_conntrack_put((*pskb)->nfct); nf_conntrack_put((*pskb)->nfct);
(*pskb)->nfct = NULL; (*pskb)->nfct = NULL;
NF_CT_STAT_INC(invalid); NF_CT_STAT_INC_ATOMIC(invalid);
return -ret; return -ret;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment