Attachment #132067 for bug #194059

View | Details | Raw Unified | Return to bug 194059
Collapse All | Expand All





	/* Put the 2-byte PPP protocol number on the front,
	   making sure there is room for the address and control fields. */
	if (skb_cow_head(skb, PPP_HDRLEN))
		goto outf;

		ns = alloc_skb(skb->len + dev->hard_header_len, GFP_ATOMIC);
		if (ns == 0)
			goto outf;
		skb_reserve(ns, dev->hard_header_len);
		skb_copy_bits(skb, 0, skb_put(ns, skb->len), skb->len);
		kfree_skb(skb);
		skb = ns;
	}
	pp = skb_push(skb, 2);
	proto = npindex_to_proto[npi];
	pp[0] = proto >> 8;

static void
ppp_receive_frame(struct ppp *ppp, struct sk_buff *skb, struct channel *pch)
{
	if (pskb_may_pull(skb, 2)) {
#ifdef CONFIG_PPP_MULTILINK
		/* XXX do channel-level decompression here */
		if (PPP_PROTO(skb) == PPP_MP)

		if (ppp->vj == 0 || (ppp->flags & SC_REJ_COMP_TCP))
			goto err;

		if (skb_tailroom(skb) < 124 || skb_cloned(skb)) {
			/* copy to a new sk_buff with more tailroom */
			ns = dev_alloc_skb(skb->len + 128);
			if (ns == 0) {

		/* check if the packet passes the pass and active filters */
		/* the filter instructions are constructed assuming
		   a four-byte PPP header on each packet */
		if (ppp->pass_filter || ppp->active_filter) {
			if (skb_cloned(skb) &&
			    pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
				goto err;

			*skb_push(skb, 2) = 0;
			if (ppp->pass_filter
			    && sk_run_filter(skb, ppp->pass_filter,
					     ppp->pass_len) == 0) {
				if (ppp->debug & 1)
					printk(KERN_DEBUG "PPP: inbound frame "
					       "not passed\n");
				kfree_skb(skb);
				return;
			}
			if (!(ppp->active_filter
			      && sk_run_filter(skb, ppp->active_filter,
					       ppp->active_len) == 0))
				ppp->last_recv = jiffies;
			__skb_pull(skb, 2);
		} else
#endif /* CONFIG_PPP_FILTER */
			ppp->last_recv = jiffies;

		if ((ppp->dev->flags & IFF_UP) == 0
		    || ppp->npmode[npi] != NPMODE_PASS) {

	struct channel *ch;
	int mphdrlen = (ppp->flags & SC_MP_SHORTSEQ)? MPHDRLEN_SSN: MPHDRLEN;

	if (!pskb_may_pull(skb, mphdrlen + 1) || ppp->mrru == 0)
		goto err;		/* no good, throw it away */

	/* Decode sequence number and begin/end bits */




	struct pppoe_hdr *ph;
	struct pppox_sock *po;

	if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
		goto drop;

	if (!(skb = skb_share_check(skb, GFP_ATOMIC)))
		goto out;

	if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
		goto drop;

	ph = pppoe_hdr(skb);

	po = get_item((unsigned long) ph->sid, eth_hdr(skb)->h_source, dev->ifindex);

{
	struct pppox_sock *po = pppox_sk(sk);
	struct net_device *dev = po->pppoe_dev;
	struct pppoe_hdr hdr;
	struct pppoe_hdr *ph;
	int headroom = skb_headroom(skb);
	int data_len = skb->len;
	struct sk_buff *skb2;

	if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED))
		goto abort;

	hdr.ver	= 1;
	hdr.type = 1;
	hdr.code = 0;
	hdr.sid	= po->num;
	hdr.length = htons(skb->len);

	if (!dev)
		goto abort;

	/* Copy the data if there is no space for the header or if it's
	 * read-only.
	 */
	if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
		goto abort;

		if (skb2 == NULL)
			goto abort;

		skb_reserve(skb2, dev->hard_header_len + sizeof(struct pppoe_hdr));
		skb_copy_from_linear_data(skb, skb_put(skb2, skb->len),
					  skb->len);
	} else {
		/* Make a clone so as to not disturb the original skb,
		 * give dev_queue_xmit something it can free.
		 */
		skb2 = skb_clone(skb, GFP_ATOMIC);

		if (skb2 == NULL)
			goto abort;
	}

	__skb_push(skb, sizeof(*ph));
	skb_reset_network_header(skb);
	skb2->protocol = __constant_htons(ETH_P_PPP_SES);

	ph = pppoe_hdr(skb);
	ph->ver	= 1;
	ph->type = 1;
	ph->code = 0;
	ph->sid	= po->num;
	ph->length = htons(data_len);

	skb->protocol = __constant_htons(ETH_P_PPP_SES);
	skb->dev = dev;

	dev->hard_header(skb, dev, ETH_P_PPP_SES,
			 po->pppoe_pa.remote, NULL, data_len);

	if (dev_queue_xmit(skb) < 0)
	 * will free it.  The generic ppp layer however, is expecting
	 * that we give back 'skb' (not 'skb2') in case of failure,
	 * but free it in case of success.
	 */

	if (dev_queue_xmit(skb2) < 0)
		goto abort;

	kfree_skb(skb);
	return 1;

abort:
	kfree_skb(skb);
	return 1;
}






	       skb_headroom(skb) + len <= skb->hdr_len;
}

static inline int __skb_cow(struct sk_buff *skb, unsigned int headroom,
			    int cloned)
{
	int delta = 0;

	if (headroom < NET_SKB_PAD)
		headroom = NET_SKB_PAD;
	if (headroom > skb_headroom(skb))
		delta = headroom - skb_headroom(skb);

	if (delta || cloned)
		return pskb_expand_head(skb, ALIGN(delta, NET_SKB_PAD), 0,
					GFP_ATOMIC);
	return 0;
}

/**
 *	skb_cow - copy header of skb when it is required
 *	@skb: buffer to cow

 */
static inline int skb_cow(struct sk_buff *skb, unsigned int headroom)
{
	return __skb_cow(skb, headroom, skb_cloned(skb));
}

	if (delta < 0)
		delta = 0;

/**
 *	skb_cow_head - skb_cow but only making the head writable
 *	@skb: buffer to cow
 *	@headroom: needed headroom
 *
 *	This function is identical to skb_cow except that we replace the
 *	skb_cloned check by skb_header_cloned.  It should be used when
 *	you only need to push on some header and do not need to modify
 *	the data.
 */
static inline int skb_cow_head(struct sk_buff *skb, unsigned int headroom)
{
	return __skb_cow(skb, headroom, skb_header_cloned(skb));
}

/**

Lines 41-51 int br_dev_xmit(struct sk_buff skb, struct net_device dev) Link Here

(-)a/net/bridge/br_device.c (-2 / +2 lines)
41	skb_pull(skb, ETH_HLEN);	41	skb_pull(skb, ETH_HLEN);
42		42
43	if (dest[0] & 1)	43	if (dest[0] & 1)
44	br_flood_deliver(br, skb, 0);	44	br_flood_deliver(br, skb);
45	else if ((dst = __br_fdb_get(br, dest)) != NULL)	45	else if ((dst = __br_fdb_get(br, dest)) != NULL)
46	br_deliver(dst->dst, skb);	46	br_deliver(dst->dst, skb);
47	else	47	else
48	br_flood_deliver(br, skb, 0);	48	br_flood_deliver(br, skb);
49		49
50	return 0;	50	return 0;
51	}	51	}




}

/* called under bridge lock */
static void br_flood(struct net_bridge *br, struct sk_buff *skb,
	void (*__packet_hook)(const struct net_bridge_port *p,
			      struct sk_buff *skb))
{
	struct net_bridge_port *p;
	struct net_bridge_port *prev;

	if (clone) {
		struct sk_buff *skb2;

		if ((skb2 = skb_clone(skb, GFP_ATOMIC)) == NULL) {
			br->statistics.tx_dropped++;
			return;
		}

		skb = skb2;
	}

	prev = NULL;

	list_for_each_entry_rcu(p, &br->port_list, list) {



/* called with rcu_read_lock */
void br_flood_deliver(struct net_bridge *br, struct sk_buff *skb)
{
	br_flood(br, skb, __br_deliver);
}

/* called under bridge lock */
void br_flood_forward(struct net_bridge *br, struct sk_buff *skb)
{
	br_flood(br, skb, __br_forward);
}




	struct net_bridge_port *p = rcu_dereference(skb->dev->br_port);
	struct net_bridge *br;
	struct net_bridge_fdb_entry *dst;
	struct sk_buff *skb2;

	if (!p || p->state == BR_STATE_DISABLED)
		goto drop;

	if (p->state == BR_STATE_LEARNING)
		goto drop;

	/* The packet skb2 goes to the local host (NULL to skip). */
	skb2 = NULL;

	if (br->dev->flags & IFF_PROMISC)
		skb2 = skb;

	dst = NULL;
		}
	}

	if (is_multicast_ether_addr(dest)) {
		br->statistics.multicast++;
		skb2 = skb;
	} else if ((dst = __br_fdb_get(br, dest)) && dst->is_local) {
		skb2 = skb;
		/* Do not forward the packet since it's local. */
		skb = NULL;
	}

	if (skb2 == skb)
		skb2 = skb_clone(skb, GFP_ATOMIC);
		if (!passedup)
			br_pass_frame_up(br, skb);
		else
			kfree_skb(skb);
		goto out;
	}

	if (skb2)
		br_pass_frame_up(br, skb2);
		goto out;
	}

	if (skb) {
		if (dst)
			br_forward(dst->dst, skb);
		else
			br_flood_forward(br, skb);
	}

out:
	return 0;

Lines 183-189 int nf_bridge_copy_header(struct sk_buff *skb) Link Here

(-)a/net/bridge/br_netfilter.c (-1 / +1 lines)
183	int err;	183	int err;
184	int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);	184	int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
185		185
186	err = skb_cow(skb, header_size);	186	err = skb_cow_head(skb, header_size);
187	if (err)	187	if (err)
188	return err;	188	return err;
189		189




extern void br_forward(const struct net_bridge_port *to,
		struct sk_buff *skb);
extern int br_forward_finish(struct sk_buff *skb);
extern void br_flood_deliver(struct net_bridge *br, struct sk_buff *skb);
extern void br_flood_forward(struct net_bridge *br, struct sk_buff *skb);
		      int clone);
extern void br_flood_forward(struct net_bridge *br,
		      struct sk_buff *skb,
		      int clone);

/* br_if.c */
extern void br_port_carrier_check(struct net_bridge_port *p);

Return to bug 194059

Lines 899-915 ppp_start_xmit(struct sk_buff skb, struct net_device dev) Link Here

(-)a/drivers/net/ppp_generic.c (-30 / +28 lines)
899		899
900	/* Put the 2-byte PPP protocol number on the front,	900	/* Put the 2-byte PPP protocol number on the front,
901	making sure there is room for the address and control fields. */	901	making sure there is room for the address and control fields. */
902	if (skb_headroom(skb) < PPP_HDRLEN) {	902	if (skb_cow_head(skb, PPP_HDRLEN))
903	struct sk_buff *ns;	903	goto outf;
904		904
905	ns = alloc_skb(skb->len + dev->hard_header_len, GFP_ATOMIC);
906	if (ns == 0)
907	goto outf;
908	skb_reserve(ns, dev->hard_header_len);
909	skb_copy_bits(skb, 0, skb_put(ns, skb->len), skb->len);
910	kfree_skb(skb);
911	skb = ns;
912	}
913	pp = skb_push(skb, 2);	905	pp = skb_push(skb, 2);
914	proto = npindex_to_proto[npi];	906	proto = npindex_to_proto[npi];
915	pp[0] = proto >> 8;	907	pp[0] = proto >> 8;
Lines 1533-1539 ppp_input_error(struct ppp_channel *chan, int code) Link Here
1533	static void	1525	static void
1534	ppp_receive_frame(struct ppp ppp, struct sk_buff skb, struct channel *pch)	1526	ppp_receive_frame(struct ppp ppp, struct sk_buff skb, struct channel *pch)
1535	{	1527	{
1536	if (skb->len >= 2) {	1528	if (pskb_may_pull(skb, 2)) {
1537	#ifdef CONFIG_PPP_MULTILINK	1529	#ifdef CONFIG_PPP_MULTILINK
1538	/* XXX do channel-level decompression here */	1530	/* XXX do channel-level decompression here */
1539	if (PPP_PROTO(skb) == PPP_MP)	1531	if (PPP_PROTO(skb) == PPP_MP)
Lines 1585-1591 ppp_receive_nonmp_frame(struct ppp ppp, struct sk_buff skb) Link Here
1585	if (ppp->vj == 0 \|\| (ppp->flags & SC_REJ_COMP_TCP))	1577	if (ppp->vj == 0 \|\| (ppp->flags & SC_REJ_COMP_TCP))
1586	goto err;	1578	goto err;
1587		1579
1588	if (skb_tailroom(skb) < 124) {	1580	if (skb_tailroom(skb) < 124 \|\| skb_cloned(skb)) {
1589	/* copy to a new sk_buff with more tailroom */	1581	/* copy to a new sk_buff with more tailroom */
1590	ns = dev_alloc_skb(skb->len + 128);	1582	ns = dev_alloc_skb(skb->len + 128);
1591	if (ns == 0) {	1583	if (ns == 0) {
Lines 1656-1678 ppp_receive_nonmp_frame(struct ppp ppp, struct sk_buff skb) Link Here
1656	/* check if the packet passes the pass and active filters */	1648	/* check if the packet passes the pass and active filters */
1657	/* the filter instructions are constructed assuming	1649	/* the filter instructions are constructed assuming
1658	a four-byte PPP header on each packet */	1650	a four-byte PPP header on each packet */
1659	*skb_push(skb, 2) = 0;	1651	if (ppp->pass_filter \|\| ppp->active_filter) {
1660	if (ppp->pass_filter	1652	if (skb_cloned(skb) &&
1661	&& sk_run_filter(skb, ppp->pass_filter,	1653	pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
1662	ppp->pass_len) == 0) {	1654	goto err;
1663	if (ppp->debug & 1)	1655
1664	printk(KERN_DEBUG "PPP: inbound frame not passed\n");	1656	*skb_push(skb, 2) = 0;
1665	kfree_skb(skb);	1657	if (ppp->pass_filter
1666	return;	1658	&& sk_run_filter(skb, ppp->pass_filter,
1667	}	1659	ppp->pass_len) == 0) {
1668	if (!(ppp->active_filter	1660	if (ppp->debug & 1)
1669	&& sk_run_filter(skb, ppp->active_filter,	1661	printk(KERN_DEBUG "PPP: inbound frame "
1670	ppp->active_len) == 0))	1662	"not passed\n");
1671	ppp->last_recv = jiffies;	1663	kfree_skb(skb);
1672	skb_pull(skb, 2);	1664	return;
1673	#else	1665	}
1674	ppp->last_recv = jiffies;	1666	if (!(ppp->active_filter
		1667	&& sk_run_filter(skb, ppp->active_filter,
		1668	ppp->active_len) == 0))
		1669	ppp->last_recv = jiffies;
		1670	__skb_pull(skb, 2);
		1671	} else
1675	#endif /* CONFIG_PPP_FILTER */	1672	#endif /* CONFIG_PPP_FILTER */
		1673	ppp->last_recv = jiffies;
1676		1674
1677	if ((ppp->dev->flags & IFF_UP) == 0	1675	if ((ppp->dev->flags & IFF_UP) == 0
1678	\|\| ppp->npmode[npi] != NPMODE_PASS) {	1676	\|\| ppp->npmode[npi] != NPMODE_PASS) {
Lines 1770-1776 ppp_receive_mp_frame(struct ppp ppp, struct sk_buff skb, struct channel *pch) Link Here
1770	struct channel *ch;	1768	struct channel *ch;
1771	int mphdrlen = (ppp->flags & SC_MP_SHORTSEQ)? MPHDRLEN_SSN: MPHDRLEN;	1769	int mphdrlen = (ppp->flags & SC_MP_SHORTSEQ)? MPHDRLEN_SSN: MPHDRLEN;
1772		1770
1773	if (!pskb_may_pull(skb, mphdrlen) \|\| ppp->mrru == 0)	1771	if (!pskb_may_pull(skb, mphdrlen + 1) \|\| ppp->mrru == 0)
1774	goto err; /* no good, throw it away */	1772	goto err; /* no good, throw it away */
1775		1773
1776	/* Decode sequence number and begin/end bits */	1774	/* Decode sequence number and begin/end bits */

Lines 385-396 static int pppoe_rcv(struct sk_buff *skb, Link Here

(-)a/drivers/net/pppoe.c (-48 / +22 lines)
385	struct pppoe_hdr *ph;	385	struct pppoe_hdr *ph;
386	struct pppox_sock *po;	386	struct pppox_sock *po;
387		387
388	if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
389	goto drop;
390
391	if (!(skb = skb_share_check(skb, GFP_ATOMIC)))	388	if (!(skb = skb_share_check(skb, GFP_ATOMIC)))
392	goto out;	389	goto out;
393		390
		391	if (!pskb_may_pull(skb, sizeof(struct pppoe_hdr)))
		392	goto drop;
		393
394	ph = pppoe_hdr(skb);	394	ph = pppoe_hdr(skb);
395		395
396	po = get_item((unsigned long) ph->sid, eth_hdr(skb)->h_source, dev->ifindex);	396	po = get_item((unsigned long) ph->sid, eth_hdr(skb)->h_source, dev->ifindex);
Lines 848-918 static int __pppoe_xmit(struct sock sk, struct sk_buff skb) Link Here
848	{	848	{
849	struct pppox_sock *po = pppox_sk(sk);	849	struct pppox_sock *po = pppox_sk(sk);
850	struct net_device *dev = po->pppoe_dev;	850	struct net_device *dev = po->pppoe_dev;
851	struct pppoe_hdr hdr;
852	struct pppoe_hdr *ph;	851	struct pppoe_hdr *ph;
853	int headroom = skb_headroom(skb);
854	int data_len = skb->len;	852	int data_len = skb->len;
855	struct sk_buff *skb2;
856		853
857	if (sock_flag(sk, SOCK_DEAD) \|\| !(sk->sk_state & PPPOX_CONNECTED))	854	if (sock_flag(sk, SOCK_DEAD) \|\| !(sk->sk_state & PPPOX_CONNECTED))
858	goto abort;	855	goto abort;
859		856
860	hdr.ver = 1;
861	hdr.type = 1;
862	hdr.code = 0;
863	hdr.sid = po->num;
864	hdr.length = htons(skb->len);
865
866	if (!dev)	857	if (!dev)
867	goto abort;	858	goto abort;
868		859
869	/* Copy the skb if there is no space for the header. */	860	/* Copy the data if there is no space for the header or if it's
870	if (headroom < (sizeof(struct pppoe_hdr) + dev->hard_header_len)) {	861	* read-only.
871	skb2 = dev_alloc_skb(32+skb->len +	862	*/
872	sizeof(struct pppoe_hdr) +	863	if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
873	dev->hard_header_len);	864	goto abort;
874
875	if (skb2 == NULL)
876	goto abort;
877
878	skb_reserve(skb2, dev->hard_header_len + sizeof(struct pppoe_hdr));
879	skb_copy_from_linear_data(skb, skb_put(skb2, skb->len),
880	skb->len);
881	} else {
882	/* Make a clone so as to not disturb the original skb,
883	* give dev_queue_xmit something it can free.
884	*/
885	skb2 = skb_clone(skb, GFP_ATOMIC);
886
887	if (skb2 == NULL)
888	goto abort;
889	}
890		865
891	ph = (struct pppoe_hdr *) skb_push(skb2, sizeof(struct pppoe_hdr));	866	__skb_push(skb, sizeof(*ph));
892	memcpy(ph, &hdr, sizeof(struct pppoe_hdr));	867	skb_reset_network_header(skb);
893	skb2->protocol = __constant_htons(ETH_P_PPP_SES);
894		868
895	skb_reset_network_header(skb2);	869	ph = pppoe_hdr(skb);
		870	ph->ver = 1;
		871	ph->type = 1;
		872	ph->code = 0;
		873	ph->sid = po->num;
		874	ph->length = htons(data_len);
896		875
897	skb2->dev = dev;	876	skb->protocol = __constant_htons(ETH_P_PPP_SES);
		877	skb->dev = dev;
898		878
899	dev->hard_header(skb2, dev, ETH_P_PPP_SES,	879	dev->hard_header(skb, dev, ETH_P_PPP_SES,
900	po->pppoe_pa.remote, NULL, data_len);	880	po->pppoe_pa.remote, NULL, data_len);
901		881
902	/* We're transmitting skb2, and assuming that dev_queue_xmit	882	if (dev_queue_xmit(skb) < 0)
903	* will free it. The generic ppp layer however, is expecting
904	* that we give back 'skb' (not 'skb2') in case of failure,
905	* but free it in case of success.
906	*/
907
908	if (dev_queue_xmit(skb2) < 0)
909	goto abort;	883	goto abort;
910		884
911	kfree_skb(skb);
912	return 1;	885	return 1;
913		886
914	abort:	887	abort:
915	return 0;	888	kfree_skb(skb);
		889	return 1;
916	}	890	}
917		891
918		892

Lines 1352-1357 static inline int skb_clone_writable(struct sk_buff *skb, int len) Link Here

(-)a/include/linux/skbuff.h (-9 / +31 lines)
1352	skb_headroom(skb) + len <= skb->hdr_len;	1352	skb_headroom(skb) + len <= skb->hdr_len;
1353	}	1353	}
1354		1354
		1355	static inline int __skb_cow(struct sk_buff *skb, unsigned int headroom,
		1356	int cloned)
		1357	{
		1358	int delta = 0;
		1359
		1360	if (headroom < NET_SKB_PAD)
		1361	headroom = NET_SKB_PAD;
		1362	if (headroom > skb_headroom(skb))
		1363	delta = headroom - skb_headroom(skb);
		1364
		1365	if (delta \|\| cloned)
		1366	return pskb_expand_head(skb, ALIGN(delta, NET_SKB_PAD), 0,
		1367	GFP_ATOMIC);
		1368	return 0;
		1369	}
		1370
1355	/**	1371	/**
1356	* skb_cow - copy header of skb when it is required	1372	* skb_cow - copy header of skb when it is required
1357	* @skb: buffer to cow	1373	* @skb: buffer to cow
Lines 1366-1381 static inline int skb_clone_writable(struct sk_buff *skb, int len) Link Here
1366	*/	1382	*/
1367	static inline int skb_cow(struct sk_buff *skb, unsigned int headroom)	1383	static inline int skb_cow(struct sk_buff *skb, unsigned int headroom)
1368	{	1384	{
1369	int delta = (headroom > NET_SKB_PAD ? headroom : NET_SKB_PAD) -	1385	return __skb_cow(skb, headroom, skb_cloned(skb));
1370	skb_headroom(skb);	1386	}
1371
1372	if (delta < 0)
1373	delta = 0;
1374		1387
1375	if (delta \|\| skb_cloned(skb))	1388	/**
1376	return pskb_expand_head(skb, (delta + (NET_SKB_PAD-1)) &	1389	* skb_cow_head - skb_cow but only making the head writable
1377	~(NET_SKB_PAD-1), 0, GFP_ATOMIC);	1390	* @skb: buffer to cow
1378	return 0;	1391	* @headroom: needed headroom
		1392	*
		1393	* This function is identical to skb_cow except that we replace the
		1394	* skb_cloned check by skb_header_cloned. It should be used when
		1395	* you only need to push on some header and do not need to modify
		1396	* the data.
		1397	*/
		1398	static inline int skb_cow_head(struct sk_buff *skb, unsigned int headroom)
		1399	{
		1400	return __skb_cow(skb, headroom, skb_header_cloned(skb));
1379	}	1401	}
1380		1402
1381	/**	1403	/**

Lines 100-123 void br_forward(const struct net_bridge_port to, struct sk_buff skb) Link Here

(-)a/net/bridge/br_forward.c (-16 / +5 lines)
100	}	100	}
101		101
102	/* called under bridge lock */	102	/* called under bridge lock */
103	static void br_flood(struct net_bridge br, struct sk_buff skb, int clone,	103	static void br_flood(struct net_bridge br, struct sk_buff skb,
104	void (__packet_hook)(const struct net_bridge_port p,	104	void (__packet_hook)(const struct net_bridge_port p,
105	struct sk_buff *skb))	105	struct sk_buff *skb))
106	{	106	{
107	struct net_bridge_port *p;	107	struct net_bridge_port *p;
108	struct net_bridge_port *prev;	108	struct net_bridge_port *prev;
109		109
110	if (clone) {
111	struct sk_buff *skb2;
112
113	if ((skb2 = skb_clone(skb, GFP_ATOMIC)) == NULL) {
114	br->statistics.tx_dropped++;
115	return;
116	}
117
118	skb = skb2;
119	}
120
121	prev = NULL;	110	prev = NULL;
122		111
123	list_for_each_entry_rcu(p, &br->port_list, list) {	112	list_for_each_entry_rcu(p, &br->port_list, list) {
Lines 148-160 static void br_flood(struct net_bridge br, struct sk_buff skb, int clone, Link Here
148		137
149		138
150	/* called with rcu_read_lock */	139	/* called with rcu_read_lock */
151	void br_flood_deliver(struct net_bridge br, struct sk_buff skb, int clone)	140	void br_flood_deliver(struct net_bridge br, struct sk_buff skb)
152	{	141	{
153	br_flood(br, skb, clone, __br_deliver);	142	br_flood(br, skb, __br_deliver);
154	}	143	}
155		144
156	/* called under bridge lock */	145	/* called under bridge lock */
157	void br_flood_forward(struct net_bridge br, struct sk_buff skb, int clone)	146	void br_flood_forward(struct net_bridge br, struct sk_buff skb)
158	{	147	{
159	br_flood(br, skb, clone, __br_forward);	148	br_flood(br, skb, __br_forward);
160	}	149	}

Lines 170-181 extern int br_dev_queue_push_xmit(struct sk_buff *skb); Link Here

(-)a/net/bridge/br_private.h (-6 / +2 lines)
170	extern void br_forward(const struct net_bridge_port *to,	170	extern void br_forward(const struct net_bridge_port *to,
171	struct sk_buff *skb);	171	struct sk_buff *skb);
172	extern int br_forward_finish(struct sk_buff *skb);	172	extern int br_forward_finish(struct sk_buff *skb);
173	extern void br_flood_deliver(struct net_bridge *br,	173	extern void br_flood_deliver(struct net_bridge br, struct sk_buff skb);
174	struct sk_buff *skb,	174	extern void br_flood_forward(struct net_bridge br, struct sk_buff skb);
175	int clone);
176	extern void br_flood_forward(struct net_bridge *br,
177	struct sk_buff *skb,
178	int clone);
179		175
180	/* br_if.c */	176	/* br_if.c */
181	extern void br_port_carrier_check(struct net_bridge_port *p);	177	extern void br_port_carrier_check(struct net_bridge_port *p);

Lines 43-49 int br_handle_frame_finish(struct sk_buff *skb) Link Here

(-)a/net/bridge/br_input.c (-26 / +22 lines)
43	struct net_bridge_port *p = rcu_dereference(skb->dev->br_port);	43	struct net_bridge_port *p = rcu_dereference(skb->dev->br_port);
44	struct net_bridge *br;	44	struct net_bridge *br;
45	struct net_bridge_fdb_entry *dst;	45	struct net_bridge_fdb_entry *dst;
46	int passedup = 0;	46	struct sk_buff *skb2;
47		47
48	if (!p \|\| p->state == BR_STATE_DISABLED)	48	if (!p \|\| p->state == BR_STATE_DISABLED)
49	goto drop;	49	goto drop;
Lines 55-93 int br_handle_frame_finish(struct sk_buff *skb) Link Here
55	if (p->state == BR_STATE_LEARNING)	55	if (p->state == BR_STATE_LEARNING)
56	goto drop;	56	goto drop;
57		57
58	if (br->dev->flags & IFF_PROMISC) {	58	/* The packet skb2 goes to the local host (NULL to skip). */
59	struct sk_buff *skb2;	59	skb2 = NULL;
60		60
61	skb2 = skb_clone(skb, GFP_ATOMIC);	61	if (br->dev->flags & IFF_PROMISC)
62	if (skb2 != NULL) {	62	skb2 = skb;
63	passedup = 1;	63
64	br_pass_frame_up(br, skb2);	64	dst = NULL;
65	}
66	}
67		65
68	if (is_multicast_ether_addr(dest)) {	66	if (is_multicast_ether_addr(dest)) {
69	br->statistics.multicast++;	67	br->statistics.multicast++;
70	br_flood_forward(br, skb, !passedup);	68	skb2 = skb;
71	if (!passedup)	69	} else if ((dst = __br_fdb_get(br, dest)) && dst->is_local) {
72	br_pass_frame_up(br, skb);	70	skb2 = skb;
73	goto out;	71	/* Do not forward the packet since it's local. */
		72	skb = NULL;
74	}	73	}
75		74
76	dst = __br_fdb_get(br, dest);	75	if (skb2 == skb)
77	if (dst != NULL && dst->is_local) {	76	skb2 = skb_clone(skb, GFP_ATOMIC);
78	if (!passedup)
79	br_pass_frame_up(br, skb);
80	else
81	kfree_skb(skb);
82	goto out;
83	}
84		77
85	if (dst != NULL) {	78	if (skb2)
86	br_forward(dst->dst, skb);	79	br_pass_frame_up(br, skb2);
87	goto out;
88	}
89		80
90	br_flood_forward(br, skb, 0);	81	if (skb) {
		82	if (dst)
		83	br_forward(dst->dst, skb);
		84	else
		85	br_flood_forward(br, skb);
		86	}
91		87
92	out:	88	out:
93	return 0;	89	return 0;