diff options
author | Patrick McHardy <kaber@trash.net> | 2007-02-12 20:13:14 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2007-02-12 20:13:14 +0100 |
commit | abbaccda4c364815b8b1a82c45a94f60760e13e1 (patch) | |
tree | 58e28cc25db59456092fc760b7a29e6d223610c5 /net | |
parent | [NETFILTER]: nf_conntrack: properly use RCU API for nf_ct_protos/nf_ct_l3prot... (diff) | |
download | linux-abbaccda4c364815b8b1a82c45a94f60760e13e1.tar.xz linux-abbaccda4c364815b8b1a82c45a94f60760e13e1.zip |
[NETFILTER]: ip_conntrack: fix invalid conntrack statistics RCU assumption
CONNTRACK_STAT_INC assumes rcu_read_lock in nf_hook_slow disables
preemption as well, making it legal to use __get_cpu_var without
disabling preemption manually. The assumption is not correct anymore
with preemptable RCU, additionally we need to protect against softirqs
when not holding ip_conntrack_lock.
Add CONNTRACK_STAT_INC_ATOMIC macro, which disables local softirqs,
and use where necessary.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_core.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c index e7de6d31b853..a7e34d007ab0 100644 --- a/net/ipv4/netfilter/ip_conntrack_core.c +++ b/net/ipv4/netfilter/ip_conntrack_core.c @@ -538,7 +538,7 @@ static int early_drop(struct list_head *chain) if (del_timer(&ct->timeout)) { death_by_timeout((unsigned long)ct); dropped = 1; - CONNTRACK_STAT_INC(early_drop); + CONNTRACK_STAT_INC_ATOMIC(early_drop); } ip_conntrack_put(ct); return dropped; @@ -804,7 +804,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum, /* Previously seen (loopback or untracked)? Ignore. */ if ((*pskb)->nfct) { - CONNTRACK_STAT_INC(ignore); + CONNTRACK_STAT_INC_ATOMIC(ignore); return NF_ACCEPT; } @@ -840,20 +840,20 @@ unsigned int ip_conntrack_in(unsigned int hooknum, * core what to do with the packet. */ if (proto->error != NULL && (ret = proto->error(*pskb, &ctinfo, hooknum)) <= 0) { - CONNTRACK_STAT_INC(error); - CONNTRACK_STAT_INC(invalid); + CONNTRACK_STAT_INC_ATOMIC(error); + CONNTRACK_STAT_INC_ATOMIC(invalid); return -ret; } if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo))) { /* Not valid part of a connection */ - CONNTRACK_STAT_INC(invalid); + CONNTRACK_STAT_INC_ATOMIC(invalid); return NF_ACCEPT; } if (IS_ERR(ct)) { /* Too stressed to deal. */ - CONNTRACK_STAT_INC(drop); + CONNTRACK_STAT_INC_ATOMIC(drop); return NF_DROP; } @@ -865,7 +865,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum, * the netfilter core what to do*/ nf_conntrack_put((*pskb)->nfct); (*pskb)->nfct = NULL; - CONNTRACK_STAT_INC(invalid); + CONNTRACK_STAT_INC_ATOMIC(invalid); return -ret; } |