From eeaf61d8891f9c9ed12c1a667e72bf83f0857954 Mon Sep 17 00:00:00 2001 From: stephen hemminger Date: Tue, 27 Jul 2010 08:26:30 +0000 Subject: bridge: add rcu_read_lock on transmit Long ago, when bridge was converted to RCU, rcu lock was equivalent to having preempt disabled. RCU has changed a lot since then and bridge code was still assuming the since transmit was called with bottom half disabled, it was RCU safe. Signed-off-by: Stephen Hemminger Tested-by: Johannes Berg Signed-off-by: David S. Miller --- net/bridge/br_device.c | 4 +++- net/bridge/br_fdb.c | 2 +- net/bridge/br_input.c | 6 +++--- net/bridge/br_stp_bpdu.c | 2 +- 4 files changed, 8 insertions(+), 6 deletions(-) (limited to 'net') diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c index 753fc42..4cec805 100644 --- a/net/bridge/br_device.c +++ b/net/bridge/br_device.c @@ -22,7 +22,7 @@ #include #include "br_private.h" -/* net device transmit always called with no BH (preempt_disabled) */ +/* net device transmit always called with BH disabled */ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) { struct net_bridge *br = netdev_priv(dev); @@ -46,6 +46,7 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) skb_reset_mac_header(skb); skb_pull(skb, ETH_HLEN); + rcu_read_lock(); if (is_multicast_ether_addr(dest)) { if (br_multicast_rcv(br, NULL, skb)) goto out; @@ -61,6 +62,7 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) br_flood_deliver(br, skb); out: + rcu_read_unlock(); return NETDEV_TX_OK; } diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c index b01dde3..7204ad3 100644 --- a/net/bridge/br_fdb.c +++ b/net/bridge/br_fdb.c @@ -214,7 +214,7 @@ void br_fdb_delete_by_port(struct net_bridge *br, spin_unlock_bh(&br->hash_lock); } -/* No locking or refcounting, assumes caller has no preempt (rcu_read_lock) */ +/* No locking or refcounting, assumes caller has rcu_read_lock */ struct net_bridge_fdb_entry *__br_fdb_get(struct net_bridge *br, const unsigned char *addr) { diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index d36e700..114365c 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -37,7 +37,7 @@ static int br_pass_frame_up(struct sk_buff *skb) netif_receive_skb); } -/* note: already called with rcu_read_lock (preempt_disabled) */ +/* note: already called with rcu_read_lock */ int br_handle_frame_finish(struct sk_buff *skb) { const unsigned char *dest = eth_hdr(skb)->h_dest; @@ -108,7 +108,7 @@ drop: goto out; } -/* note: already called with rcu_read_lock (preempt_disabled) */ +/* note: already called with rcu_read_lock */ static int br_handle_local_finish(struct sk_buff *skb) { struct net_bridge_port *p = rcu_dereference(skb->dev->br_port); @@ -133,7 +133,7 @@ static inline int is_link_local(const unsigned char *dest) /* * Called via br_handle_frame_hook. * Return NULL if skb is handled - * note: already called with rcu_read_lock (preempt_disabled) + * note: already called with rcu_read_lock */ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb) { diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c index 217bd22..5854e82 100644 --- a/net/bridge/br_stp_bpdu.c +++ b/net/bridge/br_stp_bpdu.c @@ -131,7 +131,7 @@ void br_send_tcn_bpdu(struct net_bridge_port *p) /* * Called from llc. * - * NO locks, but rcu_read_lock (preempt_disabled) + * NO locks, but rcu_read_lock */ void br_stp_rcv(const struct stp_proto *proto, struct sk_buff *skb, struct net_device *dev) -- cgit v1.1 From a3bdb549e30e7a263f7a589747c40e9c50110315 Mon Sep 17 00:00:00 2001 From: Dmitry Popov Date: Thu, 29 Jul 2010 01:59:36 +0000 Subject: tcp: cookie transactions setsockopt memory leak There is a bug in do_tcp_setsockopt(net/ipv4/tcp.c), TCP_COOKIE_TRANSACTIONS case. In some cases (when tp->cookie_values == NULL) new tcp_cookie_values structure can be allocated (at cvp), but not bound to tp->cookie_values. So a memory leak occurs. Signed-off-by: Dmitry Popov Signed-off-by: David S. Miller --- net/ipv4/tcp.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'net') diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 65afeae..c259714 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -2176,6 +2176,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level, GFP_KERNEL); if (cvp == NULL) return -ENOMEM; + + kref_init(&cvp->kref); } lock_sock(sk); tp->rx_opt.cookie_in_always = @@ -2190,12 +2192,11 @@ static int do_tcp_setsockopt(struct sock *sk, int level, */ kref_put(&tp->cookie_values->kref, tcp_cookie_values_release); - kref_init(&cvp->kref); - tp->cookie_values = cvp; } else { cvp = tp->cookie_values; } } + if (cvp != NULL) { cvp->cookie_desired = ctd.tcpct_cookie_desired; @@ -2209,6 +2210,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level, cvp->s_data_desired = ctd.tcpct_s_data_desired; cvp->s_data_constant = 0; /* false */ } + + tp->cookie_values = cvp; } release_sock(sk); return err; -- cgit v1.1 From 6d1d1d398cb7db7a12c5d652d50f85355345234f Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Thu, 29 Jul 2010 01:12:31 +0000 Subject: bridge: Fix skb leak when multicast parsing fails on TX On the bridge TX path we're leaking an skb when br_multicast_rcv returns an error. Reported-by: David Lamparter Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- net/bridge/br_device.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'net') diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c index 4cec805..f49bcd9 100644 --- a/net/bridge/br_device.c +++ b/net/bridge/br_device.c @@ -48,8 +48,10 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) rcu_read_lock(); if (is_multicast_ether_addr(dest)) { - if (br_multicast_rcv(br, NULL, skb)) + if (br_multicast_rcv(br, NULL, skb)) { + kfree_skb(skb); goto out; + } mdst = br_mdb_get(br, skb); if (mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb)) -- cgit v1.1 From 072d79a31a3b870b49886f4347e23f81b7eca3ac Mon Sep 17 00:00:00 2001 From: Changli Gao Date: Thu, 29 Jul 2010 13:41:46 +0000 Subject: act_nat: fix wild pointer pskb_may_pull() may change skb pointers, so adjust icmph after pskb_may_pull(). Signed-off-by: Changli Gao Acked-by: Herbert Xu Signed-off-by: David S. Miller --- net/sched/act_nat.c | 1 + 1 file changed, 1 insertion(+) (limited to 'net') diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c index 724553e..ea008f5 100644 --- a/net/sched/act_nat.c +++ b/net/sched/act_nat.c @@ -218,6 +218,7 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a, if (!pskb_may_pull(skb, ihl + sizeof(*icmph) + sizeof(*iph))) goto drop; + icmph = (void *)(skb_network_header(skb) + ihl); iph = (void *)(icmph + 1); if (egress) addr = iph->daddr; -- cgit v1.1 From 3a3dfb062c2e086c202d34f09ce29634515ad256 Mon Sep 17 00:00:00 2001 From: Changli Gao Date: Thu, 29 Jul 2010 14:04:18 +0000 Subject: act_nat: the checksum of ICMP doesn't have pseudo header after updating the value of the ICMP payload, inet_proto_csum_replace4() should be called with zero pseudohdr. Signed-off-by: Changli Gao Acked-by: Herbert Xu Signed-off-by: David S. Miller --- net/sched/act_nat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c index ea008f5..abbf4fa 100644 --- a/net/sched/act_nat.c +++ b/net/sched/act_nat.c @@ -247,7 +247,7 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a, iph->saddr = new_addr; inet_proto_csum_replace4(&icmph->checksum, skb, addr, new_addr, - 1); + 0); break; } default: -- cgit v1.1