Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0b35f603 authored by Taehee Yoo's avatar Taehee Yoo Committed by Pablo Neira Ayuso
Browse files

netfilter: Remove duplicated rcu_read_lock. 

This patch removes duplicate rcu_read_lock().

1. IPVS part:

According to Julian Anastasov's mention, contexts of ipvs are described
at: http://marc.info/?l=netfilter-devel&m=149562884514072&w=2, in summary:

 - packet RX/TX: does not need locks because packets come from hooks.
 - sync msg RX: backup server uses RCU locks while registering new
   connections.
 - ip_vs_ctl.c: configuration get/set, RCU locks needed.
 - xt_ipvs.c: It is a netfilter match, running from hook context.

As result, rcu_read_lock and rcu_read_unlock can be removed from:

 - ip_vs_core.c: all
 - ip_vs_ctl.c:
   - only from ip_vs_has_real_service
 - ip_vs_ftp.c: all
 - ip_vs_proto_sctp.c: all
 - ip_vs_proto_tcp.c: all
 - ip_vs_proto_udp.c: all
 - ip_vs_xmit.c: all (contains only packet processing)

2. Netfilter part:

There are three types of functions that are guaranteed the rcu_read_lock().
First, as result, functions are only called by nf_hook():

 - nf_conntrack_broadcast_help(), pptp_expectfn(), set_expected_rtp_rtcp().
 - tcpmss_reverse_mtu(), tproxy_laddr4(), tproxy_laddr6().
 - match_lookup_rt6(), check_hlist(), hashlimit_mt_common().
 - xt_osf_match_packet().

Second, functions that caller already held the rcu_read_lock().
 - destroy_conntrack(), ctnetlink_conntrack_event().
 - ctnl_timeout_find_get(), nfqnl_nf_hook_drop().

Third, functions that are mixed with type1 and type2.

These functions are called by nf_hook() also these are called by
ordinary functions that already held the rcu_read_lock():

 - __ctnetlink_glue_build(), ctnetlink_expect_event().
 - ctnetlink_proto_size().

Applied files are below:

- nf_conntrack_broadcast.c, nf_conntrack_core.c, nf_conntrack_netlink.c.
- nf_conntrack_pptp.c, nf_conntrack_sip.c, nfnetlink_cttimeout.c.
- nfnetlink_queue.c, xt_TCPMSS.c, xt_TPROXY.c, xt_addrtype.c.
- xt_connlimit.c, xt_hashlimit.c, xt_osf.c

Detailed calltrace can be found at:
http://marc.info/?l=netfilter-devel&m=149667610710350&w=2



Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
Acked-by: default avatarJulian Anastasov <ja@ssi.bg>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 9f08ea84

net/netfilter/ipvs/ip_vs_core.c

+0 −8
Original line number Diff line number Diff line
@@ -125,14 +125,12 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb) 
		s->cnt.inbytes += skb->len;

		u64_stats_update_end(&s->syncp);



		rcu_read_lock();

		svc = rcu_dereference(dest->svc);

		s = this_cpu_ptr(svc->stats.cpustats);

		u64_stats_update_begin(&s->syncp);

		s->cnt.inpkts++;

		s->cnt.inbytes += skb->len;

		u64_stats_update_end(&s->syncp);

		rcu_read_unlock();



		s = this_cpu_ptr(ipvs->tot_stats.cpustats);

		u64_stats_update_begin(&s->syncp);
@@ -159,14 +157,12 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb) 
		s->cnt.outbytes += skb->len;

		u64_stats_update_end(&s->syncp);



		rcu_read_lock();

		svc = rcu_dereference(dest->svc);

		s = this_cpu_ptr(svc->stats.cpustats);

		u64_stats_update_begin(&s->syncp);

		s->cnt.outpkts++;

		s->cnt.outbytes += skb->len;

		u64_stats_update_end(&s->syncp);

		rcu_read_unlock();



		s = this_cpu_ptr(ipvs->tot_stats.cpustats);

		u64_stats_update_begin(&s->syncp);
@@ -1222,7 +1218,6 @@ static struct ip_vs_conn *__ip_vs_rs_conn_out(unsigned int hooknum, 
	if (!pptr)

		return NULL;



	rcu_read_lock();

	dest = ip_vs_find_real_service(ipvs, af, iph->protocol,

				       &iph->saddr, pptr[0]);

	if (dest) {
@@ -1237,7 +1232,6 @@ static struct ip_vs_conn *__ip_vs_rs_conn_out(unsigned int hooknum, 
						  pptr[0], pptr[1]);

		}

	}

	rcu_read_unlock();



	return cp;

}
@@ -1689,11 +1683,9 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related, 
			if (dest) {

				struct ip_vs_dest_dst *dest_dst;



				rcu_read_lock();

				dest_dst = rcu_dereference(dest->dest_dst);

				if (dest_dst)

					mtu = dst_mtu(dest_dst->dst_cache);

				rcu_read_unlock();

			}

			if (mtu > 68 + sizeof(struct iphdr))

				mtu -= sizeof(struct iphdr);

net/netfilter/ipvs/ip_vs_ctl.c

+0 −3
Original line number Diff line number Diff line
@@ -550,18 +550,15 @@ bool ip_vs_has_real_service(struct netns_ipvs *ipvs, int af, __u16 protocol, 
	/* Check for "full" addressed entries */

	hash = ip_vs_rs_hashkey(af, daddr, dport);



	rcu_read_lock();

	hlist_for_each_entry_rcu(dest, &ipvs->rs_table[hash], d_list) {

		if (dest->port == dport &&

		    dest->af == af &&

		    ip_vs_addr_equal(af, &dest->addr, daddr) &&

		    (dest->protocol == protocol || dest->vfwmark)) {

			/* HIT */

			rcu_read_unlock();

			return true;

		}

	}

	rcu_read_unlock();



	return false;

}

net/netfilter/ipvs/ip_vs_ftp.c

+0 −2
Original line number Diff line number Diff line
@@ -269,13 +269,11 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp, 
			 * hopefully it will succeed on the retransmitted

			 * packet.

			 */

			rcu_read_lock();

			mangled = nf_nat_mangle_tcp_packet(skb, ct, ctinfo,

							   iph->ihl * 4,

							   start - data,

							   end - start,

							   buf, buf_len);

			rcu_read_unlock();

			if (mangled) {

				ip_vs_nfct_expect_related(skb, ct, n_cp,

							  IPPROTO_TCP, 0, 0);

net/netfilter/ipvs/ip_vs_proto_sctp.c

+2 −9
Original line number Diff line number Diff line
@@ -38,7 +38,6 @@ sctp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb, 
		return 0;

	}



	rcu_read_lock();

	if (likely(!ip_vs_iph_inverse(iph)))

		svc = ip_vs_service_find(ipvs, af, skb->mark, iph->protocol,

					 &iph->daddr, ports[1]);
@@ -53,7 +52,6 @@ sctp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb, 
			 * It seems that we are very loaded.

			 * We have to drop this packet :(

			 */

			rcu_read_unlock();

			*verdict = NF_DROP;

			return 0;

		}
@@ -67,11 +65,9 @@ sctp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb, 
				*verdict = ip_vs_leave(svc, skb, pd, iph);

			else

				*verdict = NF_DROP;

			rcu_read_unlock();

			return 0;

		}

	}

	rcu_read_unlock();

	/* NF_ACCEPT */

	return 1;

}
@@ -526,12 +522,10 @@ static int sctp_app_conn_bind(struct ip_vs_conn *cp) 
	/* Lookup application incarnations and bind the right one */

	hash = sctp_app_hashkey(cp->vport);



	rcu_read_lock();

	list_for_each_entry_rcu(inc, &ipvs->sctp_apps[hash], p_list) {

		if (inc->port == cp->vport) {

			if (unlikely(!ip_vs_app_inc_get(inc)))

				break;

			rcu_read_unlock();



			IP_VS_DBG_BUF(9, "%s: Binding conn %s:%u->"

					"%s:%u to app %s on port %u\n",
@@ -544,11 +538,10 @@ static int sctp_app_conn_bind(struct ip_vs_conn *cp) 
			cp->app = inc;

			if (inc->init_conn)

				result = inc->init_conn(inc, cp);

			goto out;

			break;

		}

	}

	rcu_read_unlock();

out:



	return result;

}

net/netfilter/ipvs/ip_vs_proto_tcp.c

+1 −9
Original line number Diff line number Diff line
@@ -63,7 +63,6 @@ tcp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb, 
	}



	/* No !th->ack check to allow scheduling on SYN+ACK for Active FTP */

	rcu_read_lock();



	if (likely(!ip_vs_iph_inverse(iph)))

		svc = ip_vs_service_find(ipvs, af, skb->mark, iph->protocol,
@@ -80,7 +79,6 @@ tcp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb, 
			 * It seems that we are very loaded.

			 * We have to drop this packet :(

			 */

			rcu_read_unlock();

			*verdict = NF_DROP;

			return 0;

		}
@@ -95,11 +93,9 @@ tcp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb, 
				*verdict = ip_vs_leave(svc, skb, pd, iph);

			else

				*verdict = NF_DROP;

			rcu_read_unlock();

			return 0;

		}

	}

	rcu_read_unlock();

	/* NF_ACCEPT */

	return 1;

}
@@ -661,12 +657,10 @@ tcp_app_conn_bind(struct ip_vs_conn *cp) 
	/* Lookup application incarnations and bind the right one */

	hash = tcp_app_hashkey(cp->vport);



	rcu_read_lock();

	list_for_each_entry_rcu(inc, &ipvs->tcp_apps[hash], p_list) {

		if (inc->port == cp->vport) {

			if (unlikely(!ip_vs_app_inc_get(inc)))

				break;

			rcu_read_unlock();



			IP_VS_DBG_BUF(9, "%s(): Binding conn %s:%u->"

				      "%s:%u to app %s on port %u\n",
@@ -680,12 +674,10 @@ tcp_app_conn_bind(struct ip_vs_conn *cp) 
			cp->app = inc;

			if (inc->init_conn)

				result = inc->init_conn(inc, cp);

			goto out;

			break;

		}

	}

	rcu_read_unlock();



  out:

	return result;

}