Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c0e912d7 authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller
Browse files

[NETFILTER]: nf_conntrack: fix invalid conntrack statistics RCU assumption 



NF_CT_STAT_INC assumes rcu_read_lock in nf_hook_slow disables
preemption as well, making it legal to use __get_cpu_var without
disabling preemption manually. The assumption is not correct anymore
with preemptable RCU, additionally we need to protect against softirqs
when not holding nf_conntrack_lock.

Add NF_CT_STAT_INC_ATOMIC macro, which disables local softirqs,
and use where necessary.

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent abbaccda

include/net/netfilter/nf_conntrack.h

+6 −0
Original line number Original line Diff line number Diff line
@@ -257,6 +257,12 @@ extern int nf_conntrack_max; 




DECLARE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat);

DECLARE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat);

#define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++)

#define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++)

#define NF_CT_STAT_INC_ATOMIC(count)			\

do {							\

	local_bh_disable();				\

	__get_cpu_var(nf_conntrack_stat).count++;	\

	local_bh_enable();				\

} while (0)





/* no helper, no nat */

/* no helper, no nat */

#define	NF_CT_F_BASIC	0

#define	NF_CT_F_BASIC	0

net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c

+2 −2
Original line number Original line Diff line number Diff line
@@ -154,8 +154,8 @@ ipv6_prepare(struct sk_buff **pskb, unsigned int hooknum, unsigned int *dataoff, 
	 */

	 */

	if ((protoff < 0) || (protoff > (*pskb)->len)) {

	if ((protoff < 0) || (protoff > (*pskb)->len)) {

		DEBUGP("ip6_conntrack_core: can't find proto in pkt\n");

		DEBUGP("ip6_conntrack_core: can't find proto in pkt\n");

		NF_CT_STAT_INC(error);

		NF_CT_STAT_INC_ATOMIC(error);

		NF_CT_STAT_INC(invalid);

		NF_CT_STAT_INC_ATOMIC(invalid);

		return -NF_ACCEPT;

		return -NF_ACCEPT;

	}

	}

net/netfilter/nf_conntrack_core.c

+7 −7
Original line number Original line Diff line number Diff line
@@ -563,7 +563,7 @@ static int early_drop(struct list_head *chain) 
	if (del_timer(&ct->timeout)) {

	if (del_timer(&ct->timeout)) {

		death_by_timeout((unsigned long)ct);

		death_by_timeout((unsigned long)ct);

		dropped = 1;

		dropped = 1;

		NF_CT_STAT_INC(early_drop);

		NF_CT_STAT_INC_ATOMIC(early_drop);

	}

	}

	nf_ct_put(ct);

	nf_ct_put(ct);

	return dropped;

	return dropped;
@@ -821,7 +821,7 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb) 




	/* Previously seen (loopback or untracked)?  Ignore. */

	/* Previously seen (loopback or untracked)?  Ignore. */

	if ((*pskb)->nfct) {

	if ((*pskb)->nfct) {

		NF_CT_STAT_INC(ignore);

		NF_CT_STAT_INC_ATOMIC(ignore);

		return NF_ACCEPT;

		return NF_ACCEPT;

	}

	}
@@ -840,8 +840,8 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb) 
	 * core what to do with the packet. */

	 * core what to do with the packet. */

	if (l4proto->error != NULL &&

	if (l4proto->error != NULL &&

	    (ret = l4proto->error(*pskb, dataoff, &ctinfo, pf, hooknum)) <= 0) {

	    (ret = l4proto->error(*pskb, dataoff, &ctinfo, pf, hooknum)) <= 0) {

		NF_CT_STAT_INC(error);

		NF_CT_STAT_INC_ATOMIC(error);

		NF_CT_STAT_INC(invalid);

		NF_CT_STAT_INC_ATOMIC(invalid);

		return -ret;

		return -ret;

	}

	}
@@ -849,13 +849,13 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb) 
			       &set_reply, &ctinfo);

			       &set_reply, &ctinfo);

	if (!ct) {

	if (!ct) {

		/* Not valid part of a connection */

		/* Not valid part of a connection */

		NF_CT_STAT_INC(invalid);

		NF_CT_STAT_INC_ATOMIC(invalid);

		return NF_ACCEPT;

		return NF_ACCEPT;

	}

	}





	if (IS_ERR(ct)) {

	if (IS_ERR(ct)) {

		/* Too stressed to deal. */

		/* Too stressed to deal. */

		NF_CT_STAT_INC(drop);

		NF_CT_STAT_INC_ATOMIC(drop);

		return NF_DROP;

		return NF_DROP;

	}

	}
@@ -868,7 +868,7 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb) 
		DEBUGP("nf_conntrack_in: Can't track with proto module\n");

		DEBUGP("nf_conntrack_in: Can't track with proto module\n");

		nf_conntrack_put((*pskb)->nfct);

		nf_conntrack_put((*pskb)->nfct);

		(*pskb)->nfct = NULL;

		(*pskb)->nfct = NULL;

		NF_CT_STAT_INC(invalid);

		NF_CT_STAT_INC_ATOMIC(invalid);

		return -ret;

		return -ret;

	}

	}