netfilter: Remove explicit rcu_read_lock in nf_hook_slow
All of the callers of nf_hook_slow already hold the rcu_read_lock, so this cleanup removes the recursive call. This is just a cleanup, as the locking code gracefully handles this situation. Signed-off-by: Aaron Conole <aconole@bytheb.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Aaron Conole
Pablo Neira Ayuso
parent
2c1e2703ff
commit
e2361cb90a
@ -24,7 +24,7 @@ ebt_redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
|||||||
return EBT_DROP;
|
return EBT_DROP;
|
||||||
|
|
||||||
if (par->hooknum != NF_BR_BROUTING)
|
if (par->hooknum != NF_BR_BROUTING)
|
||||||
/* rcu_read_lock()ed by nf_hook_slow */
|
/* rcu_read_lock()ed by nf_hook_thresh */
|
||||||
ether_addr_copy(eth_hdr(skb)->h_dest,
|
ether_addr_copy(eth_hdr(skb)->h_dest,
|
||||||
br_port_get_rcu(par->in)->br->dev->dev_addr);
|
br_port_get_rcu(par->in)->br->dev->dev_addr);
|
||||||
else
|
else
|
||||||
|
|||||||
@ -146,7 +146,7 @@ ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
|
|||||||
return 1;
|
return 1;
|
||||||
if (NF_INVF(e, EBT_IOUT, ebt_dev_check(e->out, out)))
|
if (NF_INVF(e, EBT_IOUT, ebt_dev_check(e->out, out)))
|
||||||
return 1;
|
return 1;
|
||||||
/* rcu_read_lock()ed by nf_hook_slow */
|
/* rcu_read_lock()ed by nf_hook_thresh */
|
||||||
if (in && (p = br_port_get_rcu(in)) != NULL &&
|
if (in && (p = br_port_get_rcu(in)) != NULL &&
|
||||||
NF_INVF(e, EBT_ILOGICALIN,
|
NF_INVF(e, EBT_ILOGICALIN,
|
||||||
ebt_dev_check(e->logical_in, p->br->dev)))
|
ebt_dev_check(e->logical_in, p->br->dev)))
|
||||||
|
|||||||
@ -110,7 +110,7 @@ static unsigned int ipv4_helper(void *priv,
|
|||||||
if (!help)
|
if (!help)
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
||||||
/* rcu_read_lock()ed by nf_hook_slow */
|
/* rcu_read_lock()ed by nf_hook_thresh */
|
||||||
helper = rcu_dereference(help->helper);
|
helper = rcu_dereference(help->helper);
|
||||||
if (!helper)
|
if (!helper)
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|||||||
@ -149,7 +149,7 @@ icmp_error_message(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
|
|||||||
return -NF_ACCEPT;
|
return -NF_ACCEPT;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* rcu_read_lock()ed by nf_hook_slow */
|
/* rcu_read_lock()ed by nf_hook_thresh */
|
||||||
innerproto = __nf_ct_l4proto_find(PF_INET, origtuple.dst.protonum);
|
innerproto = __nf_ct_l4proto_find(PF_INET, origtuple.dst.protonum);
|
||||||
|
|
||||||
/* Ordinarily, we'd expect the inverted tupleproto, but it's
|
/* Ordinarily, we'd expect the inverted tupleproto, but it's
|
||||||
|
|||||||
@ -115,7 +115,7 @@ static unsigned int ipv6_helper(void *priv,
|
|||||||
help = nfct_help(ct);
|
help = nfct_help(ct);
|
||||||
if (!help)
|
if (!help)
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
/* rcu_read_lock()ed by nf_hook_slow */
|
/* rcu_read_lock()ed by nf_hook_thresh */
|
||||||
helper = rcu_dereference(help->helper);
|
helper = rcu_dereference(help->helper);
|
||||||
if (!helper)
|
if (!helper)
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|||||||
@ -165,7 +165,7 @@ icmpv6_error_message(struct net *net, struct nf_conn *tmpl,
|
|||||||
return -NF_ACCEPT;
|
return -NF_ACCEPT;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* rcu_read_lock()ed by nf_hook_slow */
|
/* rcu_read_lock()ed by nf_hook_thresh */
|
||||||
inproto = __nf_ct_l4proto_find(PF_INET6, origtuple.dst.protonum);
|
inproto = __nf_ct_l4proto_find(PF_INET6, origtuple.dst.protonum);
|
||||||
|
|
||||||
/* Ordinarily, we'd expect the inverted tupleproto, but it's
|
/* Ordinarily, we'd expect the inverted tupleproto, but it's
|
||||||
|
|||||||
@ -291,16 +291,13 @@ repeat:
|
|||||||
|
|
||||||
|
|
||||||
/* Returns 1 if okfn() needs to be executed by the caller,
|
/* Returns 1 if okfn() needs to be executed by the caller,
|
||||||
* -EPERM for NF_DROP, 0 otherwise. */
|
* -EPERM for NF_DROP, 0 otherwise. Caller must hold rcu_read_lock. */
|
||||||
int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state)
|
int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state)
|
||||||
{
|
{
|
||||||
struct nf_hook_ops *elem;
|
struct nf_hook_ops *elem;
|
||||||
unsigned int verdict;
|
unsigned int verdict;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
|
||||||
/* We may already have this, but read-locks nest anyway */
|
|
||||||
rcu_read_lock();
|
|
||||||
|
|
||||||
elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list);
|
elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list);
|
||||||
next_hook:
|
next_hook:
|
||||||
verdict = nf_iterate(state->hook_list, skb, state, &elem);
|
verdict = nf_iterate(state->hook_list, skb, state, &elem);
|
||||||
@ -321,7 +318,6 @@ next_hook:
|
|||||||
kfree_skb(skb);
|
kfree_skb(skb);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
rcu_read_unlock();
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(nf_hook_slow);
|
EXPORT_SYMBOL(nf_hook_slow);
|
||||||
|
|||||||
@ -1275,7 +1275,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
|
|||||||
skb->nfct = NULL;
|
skb->nfct = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* rcu_read_lock()ed by nf_hook_slow */
|
/* rcu_read_lock()ed by nf_hook_thresh */
|
||||||
l3proto = __nf_ct_l3proto_find(pf);
|
l3proto = __nf_ct_l3proto_find(pf);
|
||||||
ret = l3proto->get_l4proto(skb, skb_network_offset(skb),
|
ret = l3proto->get_l4proto(skb, skb_network_offset(skb),
|
||||||
&dataoff, &protonum);
|
&dataoff, &protonum);
|
||||||
|
|||||||
@ -736,7 +736,7 @@ static int callforward_do_filter(struct net *net,
|
|||||||
const struct nf_afinfo *afinfo;
|
const struct nf_afinfo *afinfo;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
|
||||||
/* rcu_read_lock()ed by nf_hook_slow() */
|
/* rcu_read_lock()ed by nf_hook_thresh */
|
||||||
afinfo = nf_get_afinfo(family);
|
afinfo = nf_get_afinfo(family);
|
||||||
if (!afinfo)
|
if (!afinfo)
|
||||||
return 0;
|
return 0;
|
||||||
|
|||||||
@ -346,7 +346,7 @@ void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct,
|
|||||||
/* Called from the helper function, this call never fails */
|
/* Called from the helper function, this call never fails */
|
||||||
help = nfct_help(ct);
|
help = nfct_help(ct);
|
||||||
|
|
||||||
/* rcu_read_lock()ed by nf_hook_slow */
|
/* rcu_read_lock()ed by nf_hook_thresh */
|
||||||
helper = rcu_dereference(help->helper);
|
helper = rcu_dereference(help->helper);
|
||||||
|
|
||||||
nf_log_packet(nf_ct_net(ct), nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL,
|
nf_log_packet(nf_ct_net(ct), nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL,
|
||||||
|
|||||||
@ -43,7 +43,7 @@ nfnl_userspace_cthelper(struct sk_buff *skb, unsigned int protoff,
|
|||||||
if (help == NULL)
|
if (help == NULL)
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
||||||
/* rcu_read_lock()ed by nf_hook_slow */
|
/* rcu_read_lock()ed by nf_hook_thresh */
|
||||||
helper = rcu_dereference(help->helper);
|
helper = rcu_dereference(help->helper);
|
||||||
if (helper == NULL)
|
if (helper == NULL)
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|||||||
@ -442,7 +442,9 @@ __build_packet_message(struct nfnl_log_net *log,
|
|||||||
if (nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSINDEV,
|
if (nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSINDEV,
|
||||||
htonl(indev->ifindex)) ||
|
htonl(indev->ifindex)) ||
|
||||||
/* this is the bridge group "brX" */
|
/* this is the bridge group "brX" */
|
||||||
/* rcu_read_lock()ed by nf_hook_slow or nf_log_packet */
|
/* rcu_read_lock()ed by nf_hook_thresh or
|
||||||
|
* nf_log_packet.
|
||||||
|
*/
|
||||||
nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV,
|
nla_put_be32(inst->skb, NFULA_IFINDEX_INDEV,
|
||||||
htonl(br_port_get_rcu(indev)->br->dev->ifindex)))
|
htonl(br_port_get_rcu(indev)->br->dev->ifindex)))
|
||||||
goto nla_put_failure;
|
goto nla_put_failure;
|
||||||
@ -477,7 +479,9 @@ __build_packet_message(struct nfnl_log_net *log,
|
|||||||
if (nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
|
if (nla_put_be32(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
|
||||||
htonl(outdev->ifindex)) ||
|
htonl(outdev->ifindex)) ||
|
||||||
/* this is the bridge group "brX" */
|
/* this is the bridge group "brX" */
|
||||||
/* rcu_read_lock()ed by nf_hook_slow or nf_log_packet */
|
/* rcu_read_lock()ed by nf_hook_thresh or
|
||||||
|
* nf_log_packet.
|
||||||
|
*/
|
||||||
nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV,
|
nla_put_be32(inst->skb, NFULA_IFINDEX_OUTDEV,
|
||||||
htonl(br_port_get_rcu(outdev)->br->dev->ifindex)))
|
htonl(br_port_get_rcu(outdev)->br->dev->ifindex)))
|
||||||
goto nla_put_failure;
|
goto nla_put_failure;
|
||||||
|
|||||||
@ -740,7 +740,7 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
|
|||||||
struct net *net = entry->state.net;
|
struct net *net = entry->state.net;
|
||||||
struct nfnl_queue_net *q = nfnl_queue_pernet(net);
|
struct nfnl_queue_net *q = nfnl_queue_pernet(net);
|
||||||
|
|
||||||
/* rcu_read_lock()ed by nf_hook_slow() */
|
/* rcu_read_lock()ed by nf_hook_thresh */
|
||||||
queue = instance_lookup(q, queuenum);
|
queue = instance_lookup(q, queuenum);
|
||||||
if (!queue)
|
if (!queue)
|
||||||
return -ESRCH;
|
return -ESRCH;
|
||||||
|
|||||||
@ -41,7 +41,7 @@ helper_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
|||||||
if (!master_help)
|
if (!master_help)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
/* rcu_read_lock()ed by nf_hook_slow */
|
/* rcu_read_lock()ed by nf_hook_thresh */
|
||||||
helper = rcu_dereference(master_help->helper);
|
helper = rcu_dereference(master_help->helper);
|
||||||
if (!helper)
|
if (!helper)
|
||||||
return ret;
|
return ret;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user