Aaron Conole <[email protected]> wrote:
> --- a/net/netfilter/core.c
> +++ b/net/netfilter/core
[..]
> +#define nf_entry_dereference(e) \
> + rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex))
>
> -static struct list_head *nf_find_hook_list(struct net *net,
> - const struct nf_hook_ops *reg)
> +static struct nf_hook_entry *nf_find_hook_list(struct net *net,
> + const struct nf_hook_ops *reg)
> {
> - struct list_head *hook_list = NULL;
> + struct nf_hook_entry *hook_list = NULL;
>
> if (reg->pf != NFPROTO_NETDEV)
> - hook_list = &net->nf.hooks[reg->pf][reg->hooknum];
> + hook_list = rcu_dereference(net->nf.hooks[reg->pf]
> + [reg->hooknum]);
> else if (reg->hooknum == NF_NETDEV_INGRESS) {
> #ifdef CONFIG_NETFILTER_INGRESS
> if (reg->dev && dev_net(reg->dev) == net)
> - hook_list = ®->dev->nf_hooks_ingress;
> + hook_list =
> + rcu_dereference(reg->dev->nf_hooks_ingress);
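Review bot: With the return type changed to `struct nf_hook_entry *`, a NULL result from nf_find_hook_list() no longer distinguishes "no such hook point" (the `hook_list = NULL` initialiser) from what is presumably an empty chain, since the slot itself is now dereferenced. Callers are outside the quoted hunk, so this needs confirming, but any caller that treats NULL as an error would reject the first registration on a hook point, and one that assumes a non-NULL entry would dereference NULL. Consider returning the slot address instead, e.g. `struct nf_hook_entry __rcu **` with `return &net->nf.hooks[reg->pf][reg->hooknum];`, and dereferencing it in the caller under nf_hook_mutex. The function body continues past the quoted lines.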
Both of these rcu_dereference() calls should use nf_entry_dereference() instead,
to avoid the lockdep splat reported by the kbuild robot:
net/netfilter/core.c:75 suspicious rcu_dereference_check() usage!
2 locks held by swapper/1:
#0: (rtnl_mutex){+.+.+.}, at: [<ffffffff81c2e567>] rtnl_lock+0x17/0x20
#1: (nf_hook_mutex){+.+...}, at: [<ffffffff81c58fcb>]
nf_register_net_hook+0xcb/0x240