summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2007-02-12 20:13:14 +0100
committerDavid S. Miller <davem@davemloft.net>2007-02-12 20:13:14 +0100
commitabbaccda4c364815b8b1a82c45a94f60760e13e1 (patch)
tree58e28cc25db59456092fc760b7a29e6d223610c5 /net
parent[NETFILTER]: nf_conntrack: properly use RCU API for nf_ct_protos/nf_ct_l3prot... (diff)
downloadlinux-abbaccda4c364815b8b1a82c45a94f60760e13e1.tar.xz
linux-abbaccda4c364815b8b1a82c45a94f60760e13e1.zip
[NETFILTER]: ip_conntrack: fix invalid conntrack statistics RCU assumption
CONNTRACK_STAT_INC assumes rcu_read_lock in nf_hook_slow disables preemption as well, making it legal to use __get_cpu_var without disabling preemption manually. The assumption is not correct anymore with preemptable RCU, additionally we need to protect against softirqs when not holding ip_conntrack_lock. Add CONNTRACK_STAT_INC_ATOMIC macro, which disables local softirqs, and use where necessary. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/ip_conntrack_core.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index e7de6d31b853..a7e34d007ab0 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -538,7 +538,7 @@ static int early_drop(struct list_head *chain)
if (del_timer(&ct->timeout)) {
death_by_timeout((unsigned long)ct);
dropped = 1;
- CONNTRACK_STAT_INC(early_drop);
+ CONNTRACK_STAT_INC_ATOMIC(early_drop);
}
ip_conntrack_put(ct);
return dropped;
@@ -804,7 +804,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
/* Previously seen (loopback or untracked)? Ignore. */
if ((*pskb)->nfct) {
- CONNTRACK_STAT_INC(ignore);
+ CONNTRACK_STAT_INC_ATOMIC(ignore);
return NF_ACCEPT;
}
@@ -840,20 +840,20 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
* core what to do with the packet. */
if (proto->error != NULL
&& (ret = proto->error(*pskb, &ctinfo, hooknum)) <= 0) {
- CONNTRACK_STAT_INC(error);
- CONNTRACK_STAT_INC(invalid);
+ CONNTRACK_STAT_INC_ATOMIC(error);
+ CONNTRACK_STAT_INC_ATOMIC(invalid);
return -ret;
}
if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo))) {
/* Not valid part of a connection */
- CONNTRACK_STAT_INC(invalid);
+ CONNTRACK_STAT_INC_ATOMIC(invalid);
return NF_ACCEPT;
}
if (IS_ERR(ct)) {
/* Too stressed to deal. */
- CONNTRACK_STAT_INC(drop);
+ CONNTRACK_STAT_INC_ATOMIC(drop);
return NF_DROP;
}
@@ -865,7 +865,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
* the netfilter core what to do*/
nf_conntrack_put((*pskb)->nfct);
(*pskb)->nfct = NULL;
- CONNTRACK_STAT_INC(invalid);
+ CONNTRACK_STAT_INC_ATOMIC(invalid);
return -ret;
}