netfilter: ipset: Don't use test_bit() in lockless RCU readers in bitmap types

The pair of the patch "netfilter: ipset: Don't use test_bit() in lockless
RCU readers in hash types" for the bitmap types.

Fixes: 02a3231b6d82 ("netfilter: nf_conntrack_expect: store netns and zone in expectation")
Fixes: b0da3905bb1e ("netfilter: ipset: Bitmap types using the unified code base")
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/ipset/ip_set_bitmap_gen.h b/net/netfilter/ipset/ip_set_bitmap_gen.h
index 798c7993635e66db05c9e6d19f5893c2086ec3bc..bb9b5bed10e19c43c2be125791c0bcc2b7f06278 100644 (file)
--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
+++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
@@ -165,6 +165,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
                ip_set_init_skbinfo(ext_skbinfo(x, set), ext);
 
        /* Activate element */
+       smp_mb__before_atomic();
        set_bit(e->id, map->members);
        set->elements++;
 
@@ -219,7 +220,7 @@ mtype_list(const struct ip_set *set,
                cond_resched_rcu();
                id = cb->args[IPSET_CB_ARG0];
                x = get_ext(set, map, id);
-               if (!test_bit(id, map->members) ||
+               if (!test_bit_acquire(id, map->members) ||
                    (SET_WITH_TIMEOUT(set) &&
 #ifdef IP_SET_BITMAP_STORED_TIMEOUT
                     mtype_is_filled(x) &&
@@ -278,6 +279,7 @@ mtype_gc(struct timer_list *t)
                        x = get_ext(set, map, id);
                        if (ip_set_timeout_expired(ext_timeout(x, set))) {
                                clear_bit(id, map->members);
+                               smp_mb__after_atomic();
                                ip_set_ext_destroy(set, x);
                                set->elements--;
                        }

diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
index 5988b9bb9029dc1ac6e3c88d79c9d74442e00ac4..ac7febce074f1f90a4d2df6db71516574f75a675 100644 (file)
--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -67,7 +67,7 @@ static int
 bitmap_ip_do_test(const struct bitmap_ip_adt_elem *e,
                  struct bitmap_ip *map, size_t dsize)
 {
-       return !!test_bit(e->id, map->members);
+       return !!test_bit_acquire(e->id, map->members);
 }
 
 static int

diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 752f59ef8744296090c3680175a321826391be56..5921fd9d2dca009fb41c38e4c473979ab96d96a8 100644 (file)
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -86,7 +86,7 @@ bitmap_ipmac_do_test(const struct bitmap_ipmac_adt_elem *e,
 {
        const struct bitmap_ipmac_elem *elem;
 
-       if (!test_bit(e->id, map->members))
+       if (!test_bit_acquire(e->id, map->members))
                return 0;
        elem = get_const_elem(map->extensions, e->id, dsize);
        if (e->add_mac && elem->filled == MAC_FILLED)

diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c
index 7138e080def4cfd7abf40a9ca485212773dda8ec..ca875c9824245fb9689e3e88321f8fbd9fe4a6c6 100644 (file)
--- a/net/netfilter/ipset/ip_set_bitmap_port.c
+++ b/net/netfilter/ipset/ip_set_bitmap_port.c
@@ -58,7 +58,7 @@ static int
 bitmap_port_do_test(const struct bitmap_port_adt_elem *e,
                    const struct bitmap_port *map, size_t dsize)
 {
-       return !!test_bit(e->id, map->members);
+       return !!test_bit_acquire(e->id, map->members);
 }
 
 static int