aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Dumazet <dada1@cosmosbay.com>2009-04-02 03:53:49 -0400
committerDavid S. Miller <davem@davemloft.net>2009-04-02 03:54:43 -0400
commitfa9a86ddc8ecd2830a5e773facc250f110300ae7 (patch)
treefb7120974ec38932aa909403c2598cbd01353b35
parent8cbd9606a6367c221a7bbcc47f3ab1a8c31b6437 (diff)
netfilter: use rcu_read_bh() in ipt_do_table()
Commit 784544739a25c30637397ace5489eeb6e15d7d49 (netfilter: iptables: lock free counters) forgot to disable BH in arpt_do_table(), ipt_do_table() and ip6t_do_table() Use rcu_read_lock_bh() instead of rcu_read_lock() cures the problem. Reported-and-bisected-by: Roman Mindalev <r000n@r000n.net> Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Acked-by: Patrick McHardy <kaber@trash.net> Acked-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv4/netfilter/arp_tables.c4
-rw-r--r--net/ipv4/netfilter/ip_tables.c4
-rw-r--r--net/ipv6/netfilter/ip6_tables.c4
3 files changed, 6 insertions, 6 deletions
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 35c5f6a5cb7c..5ba533d234db 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -253,7 +253,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
253 indev = in ? in->name : nulldevname; 253 indev = in ? in->name : nulldevname;
254 outdev = out ? out->name : nulldevname; 254 outdev = out ? out->name : nulldevname;
255 255
256 rcu_read_lock(); 256 rcu_read_lock_bh();
257 private = rcu_dereference(table->private); 257 private = rcu_dereference(table->private);
258 table_base = rcu_dereference(private->entries[smp_processor_id()]); 258 table_base = rcu_dereference(private->entries[smp_processor_id()]);
259 259
@@ -329,7 +329,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
329 } 329 }
330 } while (!hotdrop); 330 } while (!hotdrop);
331 331
332 rcu_read_unlock(); 332 rcu_read_unlock_bh();
333 333
334 if (hotdrop) 334 if (hotdrop)
335 return NF_DROP; 335 return NF_DROP;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 82ee7c9049ff..810c0b62c7d4 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -339,7 +339,7 @@ ipt_do_table(struct sk_buff *skb,
339 339
340 IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 340 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
341 341
342 rcu_read_lock(); 342 rcu_read_lock_bh();
343 private = rcu_dereference(table->private); 343 private = rcu_dereference(table->private);
344 table_base = rcu_dereference(private->entries[smp_processor_id()]); 344 table_base = rcu_dereference(private->entries[smp_processor_id()]);
345 345
@@ -437,7 +437,7 @@ ipt_do_table(struct sk_buff *skb,
437 } 437 }
438 } while (!hotdrop); 438 } while (!hotdrop);
439 439
440 rcu_read_unlock(); 440 rcu_read_unlock_bh();
441 441
442#ifdef DEBUG_ALLOW_ALL 442#ifdef DEBUG_ALLOW_ALL
443 return NF_ACCEPT; 443 return NF_ACCEPT;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index e89cfa3a8f25..dfed176aed37 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -365,7 +365,7 @@ ip6t_do_table(struct sk_buff *skb,
365 365
366 IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 366 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
367 367
368 rcu_read_lock(); 368 rcu_read_lock_bh();
369 private = rcu_dereference(table->private); 369 private = rcu_dereference(table->private);
370 table_base = rcu_dereference(private->entries[smp_processor_id()]); 370 table_base = rcu_dereference(private->entries[smp_processor_id()]);
371 371
@@ -466,7 +466,7 @@ ip6t_do_table(struct sk_buff *skb,
466#ifdef CONFIG_NETFILTER_DEBUG 466#ifdef CONFIG_NETFILTER_DEBUG
467 ((struct ip6t_entry *)table_base)->comefrom = NETFILTER_LINK_POISON; 467 ((struct ip6t_entry *)table_base)->comefrom = NETFILTER_LINK_POISON;
468#endif 468#endif
469 rcu_read_unlock(); 469 rcu_read_unlock_bh();
470 470
471#ifdef DEBUG_ALLOW_ALL 471#ifdef DEBUG_ALLOW_ALL
472 return NF_ACCEPT; 472 return NF_ACCEPT;