netfilter: nf_ct_sane: remove pseudo skb linearization

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

For historical reason this code performs pseudo linearization of skbs
via skb_header_pointer and a global 64k buffer.

With arrival of BIG TCP, packets generated by TCP stack can exceed 64kb.

Rewrite this to only extract the needed header data. This also allows
to get rid of the locking.

Fixes: 7c4e983c4f3c ("net: allow gso_max_size to exceed 65536")
Fixes: 0fe79f28bfaf ("net: allow gro_max_size to exceed 65536")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by

Pablo Neira Ayuso 3 years ago a664375d c485c35f

+31 -39

1 changed file

expand all

net

netfilter

nf_conntrack_sane.c

+31 -39

net/netfilter/nf_conntrack_sane.c

··· 34 34 MODULE_DESCRIPTION("SANE connection tracking helper"); 35 35 MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); 36 36 37 - static char *sane_buffer; 38 - 39 - static DEFINE_SPINLOCK(nf_sane_lock); 40 - 41 37 #define MAX_PORTS 8 42 38 static u_int16_t ports[MAX_PORTS]; 43 39 static unsigned int ports_c; ··· 63 67 unsigned int dataoff, datalen; 64 68 const struct tcphdr *th; 65 69 struct tcphdr _tcph; 66 - void *sb_ptr; 67 70 int ret = NF_ACCEPT; 68 71 int dir = CTINFO2DIR(ctinfo); 69 72 struct nf_ct_sane_master *ct_sane_info = nfct_help_data(ct); 70 73 struct nf_conntrack_expect *exp; 71 74 struct nf_conntrack_tuple *tuple; 72 - struct sane_request *req; 73 75 struct sane_reply_net_start *reply; 76 + union { 77 + struct sane_request req; 78 + struct sane_reply_net_start repl; 79 + } buf; 74 80 75 81 /* Until there's been traffic both ways, don't look in packets. */ 76 82 if (ctinfo != IP_CT_ESTABLISHED && ··· 90 92 return NF_ACCEPT; 91 93 92 94 datalen = skb->len - dataoff; 93 - 94 - spin_lock_bh(&nf_sane_lock); 95 - sb_ptr = skb_header_pointer(skb, dataoff, datalen, sane_buffer); 96 - if (!sb_ptr) { 97 - spin_unlock_bh(&nf_sane_lock); 98 - return NF_ACCEPT; 99 - } 100 - 101 95 if (dir == IP_CT_DIR_ORIGINAL) { 102 - if (datalen != sizeof(struct sane_request)) 103 - goto out; 96 + const struct sane_request *req; 104 97 105 - req = sb_ptr; 98 + if (datalen != sizeof(struct sane_request)) 99 + return NF_ACCEPT; 100 + 101 + req = skb_header_pointer(skb, dataoff, datalen, &buf.req); 102 + if (!req) 103 + return NF_ACCEPT; 104 + 106 105 if (req->RPC_code != htonl(SANE_NET_START)) { 107 106 /* Not an interesting command */ 108 - ct_sane_info->state = SANE_STATE_NORMAL; 109 - goto out; 107 + WRITE_ONCE(ct_sane_info->state, SANE_STATE_NORMAL); 108 + return NF_ACCEPT; 110 109 } 111 110 112 111 /* We're interested in the next reply */ 113 - ct_sane_info->state = SANE_STATE_START_REQUESTED; 114 - goto out; 112 + WRITE_ONCE(ct_sane_info->state, SANE_STATE_START_REQUESTED); 113 + return NF_ACCEPT; 115 114 } 116 115 116 + /* IP_CT_DIR_REPLY */ 117 + 117 118 /* Is it a reply to an uninteresting command? */ 118 - if (ct_sane_info->state != SANE_STATE_START_REQUESTED) 119 - goto out; 119 + if (READ_ONCE(ct_sane_info->state) != SANE_STATE_START_REQUESTED) 120 + return NF_ACCEPT; 120 121 121 122 /* It's a reply to SANE_NET_START. */ 122 - ct_sane_info->state = SANE_STATE_NORMAL; 123 + WRITE_ONCE(ct_sane_info->state, SANE_STATE_NORMAL); 123 124 124 125 if (datalen < sizeof(struct sane_reply_net_start)) { 125 126 pr_debug("NET_START reply too short\n"); 126 - goto out; 127 + return NF_ACCEPT; 127 128 } 128 129 129 - reply = sb_ptr; 130 + datalen = sizeof(struct sane_reply_net_start); 131 + 132 + reply = skb_header_pointer(skb, dataoff, datalen, &buf.repl); 133 + if (!reply) 134 + return NF_ACCEPT; 135 + 130 136 if (reply->status != htonl(SANE_STATUS_SUCCESS)) { 131 137 /* saned refused the command */ 132 138 pr_debug("unsuccessful SANE_STATUS = %u\n", 133 139 ntohl(reply->status)); 134 - goto out; 140 + return NF_ACCEPT; 135 141 } 136 142 137 143 /* Invalid saned reply? Ignore it. */ 138 144 if (reply->zero != 0) 139 - goto out; 145 + return NF_ACCEPT; 140 146 141 147 exp = nf_ct_expect_alloc(ct); 142 148 if (exp == NULL) { 143 149 nf_ct_helper_log(skb, ct, "cannot alloc expectation"); 144 - ret = NF_DROP; 145 - goto out; 150 + return NF_DROP; 146 151 } 147 152 148 153 tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; ··· 163 162 } 164 163 165 164 nf_ct_expect_put(exp); 166 - 167 - out: 168 - spin_unlock_bh(&nf_sane_lock); 169 165 return ret; 170 166 } 171 167 ··· 176 178 static void __exit nf_conntrack_sane_fini(void) 177 179 { 178 180 nf_conntrack_helpers_unregister(sane, ports_c * 2); 179 - kfree(sane_buffer); 180 181 } 181 182 182 183 static int __init nf_conntrack_sane_init(void) ··· 183 186 int i, ret = 0; 184 187 185 188 NF_CT_HELPER_BUILD_BUG_ON(sizeof(struct nf_ct_sane_master)); 186 - 187 - sane_buffer = kmalloc(65536, GFP_KERNEL); 188 - if (!sane_buffer) 189 - return -ENOMEM; 190 189 191 190 if (ports_c == 0) 192 191 ports[ports_c++] = SANE_PORT; ··· 203 210 ret = nf_conntrack_helpers_register(sane, ports_c * 2); 204 211 if (ret < 0) { 205 212 pr_err("failed to register helpers\n"); 206 - kfree(sane_buffer); 207 213 return ret; 208 214 } 209 215