diff options
author | Eric Dumazet <dada1@cosmosbay.com> | 2009-04-02 03:53:49 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-04-02 03:54:43 -0400 |
commit | fa9a86ddc8ecd2830a5e773facc250f110300ae7 (patch) | |
tree | fb7120974ec38932aa909403c2598cbd01353b35 /net | |
parent | 8cbd9606a6367c221a7bbcc47f3ab1a8c31b6437 (diff) |
netfilter: use rcu_read_bh() in ipt_do_table()
Commit 784544739a25c30637397ace5489eeb6e15d7d49
(netfilter: iptables: lock free counters) forgot to disable BH
in arpt_do_table(), ipt_do_table() and ip6t_do_table()
Use rcu_read_lock_bh() instead of rcu_read_lock() cures the problem.
Reported-and-bisected-by: Roman Mindalev <r000n@r000n.net>
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Acked-by: Patrick McHardy <kaber@trash.net>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 4 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 4 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 4 |
3 files changed, 6 insertions, 6 deletions
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 35c5f6a5cb7..5ba533d234d 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c | |||
@@ -253,7 +253,7 @@ unsigned int arpt_do_table(struct sk_buff *skb, | |||
253 | indev = in ? in->name : nulldevname; | 253 | indev = in ? in->name : nulldevname; |
254 | outdev = out ? out->name : nulldevname; | 254 | outdev = out ? out->name : nulldevname; |
255 | 255 | ||
256 | rcu_read_lock(); | 256 | rcu_read_lock_bh(); |
257 | private = rcu_dereference(table->private); | 257 | private = rcu_dereference(table->private); |
258 | table_base = rcu_dereference(private->entries[smp_processor_id()]); | 258 | table_base = rcu_dereference(private->entries[smp_processor_id()]); |
259 | 259 | ||
@@ -329,7 +329,7 @@ unsigned int arpt_do_table(struct sk_buff *skb, | |||
329 | } | 329 | } |
330 | } while (!hotdrop); | 330 | } while (!hotdrop); |
331 | 331 | ||
332 | rcu_read_unlock(); | 332 | rcu_read_unlock_bh(); |
333 | 333 | ||
334 | if (hotdrop) | 334 | if (hotdrop) |
335 | return NF_DROP; | 335 | return NF_DROP; |
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 82ee7c9049f..810c0b62c7d 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
@@ -339,7 +339,7 @@ ipt_do_table(struct sk_buff *skb, | |||
339 | 339 | ||
340 | IP_NF_ASSERT(table->valid_hooks & (1 << hook)); | 340 | IP_NF_ASSERT(table->valid_hooks & (1 << hook)); |
341 | 341 | ||
342 | rcu_read_lock(); | 342 | rcu_read_lock_bh(); |
343 | private = rcu_dereference(table->private); | 343 | private = rcu_dereference(table->private); |
344 | table_base = rcu_dereference(private->entries[smp_processor_id()]); | 344 | table_base = rcu_dereference(private->entries[smp_processor_id()]); |
345 | 345 | ||
@@ -437,7 +437,7 @@ ipt_do_table(struct sk_buff *skb, | |||
437 | } | 437 | } |
438 | } while (!hotdrop); | 438 | } while (!hotdrop); |
439 | 439 | ||
440 | rcu_read_unlock(); | 440 | rcu_read_unlock_bh(); |
441 | 441 | ||
442 | #ifdef DEBUG_ALLOW_ALL | 442 | #ifdef DEBUG_ALLOW_ALL |
443 | return NF_ACCEPT; | 443 | return NF_ACCEPT; |
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index e89cfa3a8f2..dfed176aed3 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c | |||
@@ -365,7 +365,7 @@ ip6t_do_table(struct sk_buff *skb, | |||
365 | 365 | ||
366 | IP_NF_ASSERT(table->valid_hooks & (1 << hook)); | 366 | IP_NF_ASSERT(table->valid_hooks & (1 << hook)); |
367 | 367 | ||
368 | rcu_read_lock(); | 368 | rcu_read_lock_bh(); |
369 | private = rcu_dereference(table->private); | 369 | private = rcu_dereference(table->private); |
370 | table_base = rcu_dereference(private->entries[smp_processor_id()]); | 370 | table_base = rcu_dereference(private->entries[smp_processor_id()]); |
371 | 371 | ||
@@ -466,7 +466,7 @@ ip6t_do_table(struct sk_buff *skb, | |||
466 | #ifdef CONFIG_NETFILTER_DEBUG | 466 | #ifdef CONFIG_NETFILTER_DEBUG |
467 | ((struct ip6t_entry *)table_base)->comefrom = NETFILTER_LINK_POISON; | 467 | ((struct ip6t_entry *)table_base)->comefrom = NETFILTER_LINK_POISON; |
468 | #endif | 468 | #endif |
469 | rcu_read_unlock(); | 469 | rcu_read_unlock_bh(); |
470 | 470 | ||
471 | #ifdef DEBUG_ALLOW_ALL | 471 | #ifdef DEBUG_ALLOW_ALL |
472 | return NF_ACCEPT; | 472 | return NF_ACCEPT; |