bridge: reduce size of input cb to 16 bytes

Reduce size of br_input_skb_cb from 24 to 16 bytes by using bitfield for those values that can only be 0 or 1. igmp is the igmp type value, so it needs to be at least u8. Furthermore, the bridge currently relies on step-by-step initialization of br_input_skb_cb fields as the skb passes through the stack. Explicitly zero out the bridge input cb instead, this avoids having to review/validate that no BR_INPUT_SKB_CB(skb)->foo test can see a 'random' value from previous protocol cb. AFAICS all current fields are always set up before they are read again, so this is not a bug fix. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: David S. Miller <davem@davemloft.net> Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2019-04-11 10:36:40 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-04-11 19:47:27 -0400
commit: f12064d1b402c60c5db9c4b63d5ed6d7facb33f6 (patch)
tree: 3baf5120d728d59d10ad1cfb51daa1fed4ba42e6
parent: 26f7fe4a5db5b41d2abe53e37100c8984b157fb2 (diff)
3 files changed, 16 insertions, 16 deletions
diff --git a/net/bridge/br_arp_nd_proxy.c b/net/bridge/br_arp_nd_proxy.c
index 724b474ade54..15116752365a 100644
--- a/net/bridge/br_arp_nd_proxy.c
+++ b/net/bridge/br_arp_nd_proxy.c
@@ -131,7 +131,7 @@ void br_do_proxy_suppress_arp(struct sk_buff *skb, struct net_bridge *br,
        u8 *arpptr, *sha;
        __be32 sip, tip;
-        BR_INPUT_SKB_CB(skb)->proxyarp_replied = false;
+        BR_INPUT_SKB_CB(skb)->proxyarp_replied = 0;
        if ((dev->flags & IFF_NOARP) ||
            !pskb_may_pull(skb, arp_hdr_len(dev)))
@@ -161,7 +161,7 @@ void br_do_proxy_suppress_arp(struct sk_buff *skb, struct net_bridge *br,
                        return;
                if (ipv4_is_zeronet(sip) || sip == tip) {
                        /* prevent flooding to neigh suppress ports */
-                        BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;
+                        BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
                        return;
                }
        }
@@ -181,7 +181,7 @@ void br_do_proxy_suppress_arp(struct sk_buff *skb, struct net_bridge *br,
                /* its our local ip, so don't proxy reply
                 * and don't forward to neigh suppress ports
                 */
-                BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;
+                BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
                return;
        }
@@ -217,7 +217,7 @@ void br_do_proxy_suppress_arp(struct sk_buff *skb, struct net_bridge *br,
                         */
                        if (replied ||
                            br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED))
-                                BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;
+                                BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
                }
                neigh_release(n);
@@ -393,7 +393,7 @@ void br_do_suppress_nd(struct sk_buff *skb, struct net_bridge *br,
        struct ipv6hdr *iphdr;
        struct neighbour *n;
-        BR_INPUT_SKB_CB(skb)->proxyarp_replied = false;
+        BR_INPUT_SKB_CB(skb)->proxyarp_replied = 0;
        if (p && (p->flags & BR_NEIGH_SUPPRESS))
                return;
@@ -401,7 +401,7 @@ void br_do_suppress_nd(struct sk_buff *skb, struct net_bridge *br,
        if (msg->icmph.icmp6_type == NDISC_NEIGHBOUR_ADVERTISEMENT &&
            !msg->icmph.icmp6_solicited) {
                /* prevent flooding to neigh suppress ports */
-                BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;
+                BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
                return;
        }
@@ -414,7 +414,7 @@ void br_do_suppress_nd(struct sk_buff *skb, struct net_bridge *br,
        if (ipv6_addr_any(saddr) || !ipv6_addr_cmp(saddr, daddr)) {
                /* prevent flooding to neigh suppress ports */
-                BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;
+                BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
                return;
        }
@@ -432,7 +432,7 @@ void br_do_suppress_nd(struct sk_buff *skb, struct net_bridge *br,
                /* its our own ip, so don't proxy reply
                 * and don't forward to arp suppress ports
                 */
-                BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;
+                BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
                return;
        }
@@ -465,7 +465,7 @@ void br_do_suppress_nd(struct sk_buff *skb, struct net_bridge *br,
                         */
                        if (replied ||
                            br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED))
-                                BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;
+                                BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
                }
                neigh_release(n);
        }
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 5ea7e56119c1..e2f93e5c72da 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -227,6 +227,8 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
        if (!skb)
                return RX_HANDLER_CONSUMED;
+        memset(skb->cb, 0, sizeof(struct br_input_skb_cb));
        p = br_port_get_rcu(skb->dev);
        if (p->flags & BR_VLAN_TUNNEL) {
                if (br_handle_ingress_vlan_tunnel(skb, p,
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 7946aa3b6e09..e7110a6e2b7e 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -425,15 +425,13 @@ struct br_input_skb_cb {
        struct net_device *brdev;
 #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
-        int igmp;
+        u8 igmp;
-        int mrouters_only;
+        u8 mrouters_only:1;
 #endif
+        u8 proxyarp_replied:1;
-        bool proxyarp_replied;
+        u8 src_port_isolated:1;
-        bool src_port_isolated;
 #ifdef CONFIG_BRIDGE_VLAN_FILTERING
-        bool vlan_filtered;
+        u8 vlan_filtered:1;
 #endif
 #ifdef CONFIG_NET_SWITCHDEV
author	Florian Westphal <fw@strlen.de>	2019-04-11 10:36:40 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-04-11 19:47:27 -0400
commit	f12064d1b402c60c5db9c4b63d5ed6d7facb33f6 (patch)
tree	3baf5120d728d59d10ad1cfb51daa1fed4ba42e6
parent	26f7fe4a5db5b41d2abe53e37100c8984b157fb2 (diff)

diff --git a/net/bridge/br_arp_nd_proxy.c b/net/bridge/br_arp_nd_proxy.c index 724b474ade54..15116752365a 100644 --- a/net/bridge/br_arp_nd_proxy.c +++ b/net/bridge/br_arp_nd_proxy.c
@@ -131,7 +131,7 @@ void br_do_proxy_suppress_arp(struct sk_buff skb, struct net_bridge br,
131	u8 arpptr, sha;	131	u8 arpptr, sha;
132	__be32 sip, tip;	132	__be32 sip, tip;
133		133
134	BR_INPUT_SKB_CB(skb)->proxyarp_replied = false;	134	BR_INPUT_SKB_CB(skb)->proxyarp_replied = 0;
135		135
136	if ((dev->flags & IFF_NOARP) \|\|	136	if ((dev->flags & IFF_NOARP) \|\|
137	!pskb_may_pull(skb, arp_hdr_len(dev)))	137	!pskb_may_pull(skb, arp_hdr_len(dev)))
@@ -161,7 +161,7 @@ void br_do_proxy_suppress_arp(struct sk_buff skb, struct net_bridge br,
161	return;	161	return;
162	if (ipv4_is_zeronet(sip) \|\| sip == tip) {	162	if (ipv4_is_zeronet(sip) \|\| sip == tip) {
163	/* prevent flooding to neigh suppress ports */	163	/* prevent flooding to neigh suppress ports */
164	BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;	164	BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
165	return;	165	return;
166	}	166	}
167	}	167	}
@@ -181,7 +181,7 @@ void br_do_proxy_suppress_arp(struct sk_buff skb, struct net_bridge br,
181	/* its our local ip, so don't proxy reply	181	/* its our local ip, so don't proxy reply
182	* and don't forward to neigh suppress ports	182	* and don't forward to neigh suppress ports
183	*/	183	*/
184	BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;	184	BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
185	return;	185	return;
186	}	186	}
187		187
@@ -217,7 +217,7 @@ void br_do_proxy_suppress_arp(struct sk_buff skb, struct net_bridge br,
217	*/	217	*/
218	if (replied \|\|	218	if (replied \|\|
219	br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED))	219	br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED))
220	BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;	220	BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
221	}	221	}
222		222
223	neigh_release(n);	223	neigh_release(n);
@@ -393,7 +393,7 @@ void br_do_suppress_nd(struct sk_buff skb, struct net_bridge br,
393	struct ipv6hdr *iphdr;	393	struct ipv6hdr *iphdr;
394	struct neighbour *n;	394	struct neighbour *n;
395		395
396	BR_INPUT_SKB_CB(skb)->proxyarp_replied = false;	396	BR_INPUT_SKB_CB(skb)->proxyarp_replied = 0;
397		397
398	if (p && (p->flags & BR_NEIGH_SUPPRESS))	398	if (p && (p->flags & BR_NEIGH_SUPPRESS))
399	return;	399	return;
@@ -401,7 +401,7 @@ void br_do_suppress_nd(struct sk_buff skb, struct net_bridge br,
401	if (msg->icmph.icmp6_type == NDISC_NEIGHBOUR_ADVERTISEMENT &&	401	if (msg->icmph.icmp6_type == NDISC_NEIGHBOUR_ADVERTISEMENT &&
402	!msg->icmph.icmp6_solicited) {	402	!msg->icmph.icmp6_solicited) {
403	/* prevent flooding to neigh suppress ports */	403	/* prevent flooding to neigh suppress ports */
404	BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;	404	BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
405	return;	405	return;
406	}	406	}
407		407
@@ -414,7 +414,7 @@ void br_do_suppress_nd(struct sk_buff skb, struct net_bridge br,
414		414
415	if (ipv6_addr_any(saddr) \|\| !ipv6_addr_cmp(saddr, daddr)) {	415	if (ipv6_addr_any(saddr) \|\| !ipv6_addr_cmp(saddr, daddr)) {
416	/* prevent flooding to neigh suppress ports */	416	/* prevent flooding to neigh suppress ports */
417	BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;	417	BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
418	return;	418	return;
419	}	419	}
420		420
@@ -432,7 +432,7 @@ void br_do_suppress_nd(struct sk_buff skb, struct net_bridge br,
432	/* its our own ip, so don't proxy reply	432	/* its our own ip, so don't proxy reply
433	* and don't forward to arp suppress ports	433	* and don't forward to arp suppress ports
434	*/	434	*/
435	BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;	435	BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
436	return;	436	return;
437	}	437	}
438		438
@@ -465,7 +465,7 @@ void br_do_suppress_nd(struct sk_buff skb, struct net_bridge br,
465	*/	465	*/
466	if (replied \|\|	466	if (replied \|\|
467	br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED))	467	br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED))
468	BR_INPUT_SKB_CB(skb)->proxyarp_replied = true;	468	BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
469	}	469	}
470	neigh_release(n);	470	neigh_release(n);
471	}	471	}


diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index 5ea7e56119c1..e2f93e5c72da 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c
@@ -227,6 +227,8 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
227	if (!skb)	227	if (!skb)
228	return RX_HANDLER_CONSUMED;	228	return RX_HANDLER_CONSUMED;
229		229
		230	memset(skb->cb, 0, sizeof(struct br_input_skb_cb));
		231
230	p = br_port_get_rcu(skb->dev);	232	p = br_port_get_rcu(skb->dev);
231	if (p->flags & BR_VLAN_TUNNEL) {	233	if (p->flags & BR_VLAN_TUNNEL) {
232	if (br_handle_ingress_vlan_tunnel(skb, p,	234	if (br_handle_ingress_vlan_tunnel(skb, p,


diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h index 7946aa3b6e09..e7110a6e2b7e 100644 --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h
@@ -425,15 +425,13 @@ struct br_input_skb_cb {
425	struct net_device *brdev;	425	struct net_device *brdev;
426		426
427	#ifdef CONFIG_BRIDGE_IGMP_SNOOPING	427	#ifdef CONFIG_BRIDGE_IGMP_SNOOPING
428	int igmp;	428	u8 igmp;
429	int mrouters_only;	429	u8 mrouters_only:1;
430	#endif	430	#endif
431		431	u8 proxyarp_replied:1;
432	bool proxyarp_replied;	432	u8 src_port_isolated:1;
433	bool src_port_isolated;
434
435	#ifdef CONFIG_BRIDGE_VLAN_FILTERING	433	#ifdef CONFIG_BRIDGE_VLAN_FILTERING
436	bool vlan_filtered;	434	u8 vlan_filtered:1;
437	#endif	435	#endif
438		436
439	#ifdef CONFIG_NET_SWITCHDEV	437	#ifdef CONFIG_NET_SWITCHDEV