Commit 18cdb37e authored by John Fastabend's avatar John Fastabend Committed by David S. Miller

net: sched: do not use tcf_proto 'tp' argument from call_rcu

Using the tcf_proto pointer 'tp' from inside the classifiers callback
is not valid because it may have been cleaned up by another call_rcu
occuring on another CPU.

'tp' is currently being used by tcf_unbind_filter() in this patch we
move instances of tcf_unbind_filter outside of the call_rcu() context.
This is safe to do because any running schedulers will either read the
valid class field or it will be zeroed.

And all schedulers today when the class is 0 do a lookup using the
same call used by the tcf_exts_bind(). So even if we have a running
classifier hit the null class pointer it will do a lookup and get
to the same result. This is particularly fragile at the moment because
the only way to verify this is to audit the schedulers call sites.
Reported-by: default avatarCong Wang <xiyou.wangconf@gmail.com>
Signed-off-by: default avatarJohn Fastabend <john.r.fastabend@intel.com>
Acked-by: default avatarCong Wang <cwang@twopensource.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 13990f81
...@@ -91,9 +91,7 @@ static int basic_init(struct tcf_proto *tp) ...@@ -91,9 +91,7 @@ static int basic_init(struct tcf_proto *tp)
static void basic_delete_filter(struct rcu_head *head) static void basic_delete_filter(struct rcu_head *head)
{ {
struct basic_filter *f = container_of(head, struct basic_filter, rcu); struct basic_filter *f = container_of(head, struct basic_filter, rcu);
struct tcf_proto *tp = f->tp;
tcf_unbind_filter(tp, &f->res);
tcf_exts_destroy(&f->exts); tcf_exts_destroy(&f->exts);
tcf_em_tree_destroy(&f->ematches); tcf_em_tree_destroy(&f->ematches);
kfree(f); kfree(f);
...@@ -106,6 +104,7 @@ static void basic_destroy(struct tcf_proto *tp) ...@@ -106,6 +104,7 @@ static void basic_destroy(struct tcf_proto *tp)
list_for_each_entry_safe(f, n, &head->flist, link) { list_for_each_entry_safe(f, n, &head->flist, link) {
list_del_rcu(&f->link); list_del_rcu(&f->link);
tcf_unbind_filter(tp, &f->res);
call_rcu(&f->rcu, basic_delete_filter); call_rcu(&f->rcu, basic_delete_filter);
} }
RCU_INIT_POINTER(tp->root, NULL); RCU_INIT_POINTER(tp->root, NULL);
...@@ -120,6 +119,7 @@ static int basic_delete(struct tcf_proto *tp, unsigned long arg) ...@@ -120,6 +119,7 @@ static int basic_delete(struct tcf_proto *tp, unsigned long arg)
list_for_each_entry(t, &head->flist, link) list_for_each_entry(t, &head->flist, link)
if (t == f) { if (t == f) {
list_del_rcu(&t->link); list_del_rcu(&t->link);
tcf_unbind_filter(tp, &t->res);
call_rcu(&t->rcu, basic_delete_filter); call_rcu(&t->rcu, basic_delete_filter);
return 0; return 0;
} }
...@@ -222,6 +222,7 @@ static int basic_change(struct net *net, struct sk_buff *in_skb, ...@@ -222,6 +222,7 @@ static int basic_change(struct net *net, struct sk_buff *in_skb,
if (fold) { if (fold) {
list_replace_rcu(&fold->link, &fnew->link); list_replace_rcu(&fold->link, &fnew->link);
tcf_unbind_filter(tp, &fold->res);
call_rcu(&fold->rcu, basic_delete_filter); call_rcu(&fold->rcu, basic_delete_filter);
} else { } else {
list_add_rcu(&fnew->link, &head->flist); list_add_rcu(&fnew->link, &head->flist);
......
...@@ -92,7 +92,6 @@ static int cls_bpf_init(struct tcf_proto *tp) ...@@ -92,7 +92,6 @@ static int cls_bpf_init(struct tcf_proto *tp)
static void cls_bpf_delete_prog(struct tcf_proto *tp, struct cls_bpf_prog *prog) static void cls_bpf_delete_prog(struct tcf_proto *tp, struct cls_bpf_prog *prog)
{ {
tcf_unbind_filter(tp, &prog->res);
tcf_exts_destroy(&prog->exts); tcf_exts_destroy(&prog->exts);
bpf_prog_destroy(prog->filter); bpf_prog_destroy(prog->filter);
...@@ -116,6 +115,7 @@ static int cls_bpf_delete(struct tcf_proto *tp, unsigned long arg) ...@@ -116,6 +115,7 @@ static int cls_bpf_delete(struct tcf_proto *tp, unsigned long arg)
list_for_each_entry(prog, &head->plist, link) { list_for_each_entry(prog, &head->plist, link) {
if (prog == todel) { if (prog == todel) {
list_del_rcu(&prog->link); list_del_rcu(&prog->link);
tcf_unbind_filter(tp, &prog->res);
call_rcu(&prog->rcu, __cls_bpf_delete_prog); call_rcu(&prog->rcu, __cls_bpf_delete_prog);
return 0; return 0;
} }
...@@ -131,6 +131,7 @@ static void cls_bpf_destroy(struct tcf_proto *tp) ...@@ -131,6 +131,7 @@ static void cls_bpf_destroy(struct tcf_proto *tp)
list_for_each_entry_safe(prog, tmp, &head->plist, link) { list_for_each_entry_safe(prog, tmp, &head->plist, link) {
list_del_rcu(&prog->link); list_del_rcu(&prog->link);
tcf_unbind_filter(tp, &prog->res);
call_rcu(&prog->rcu, __cls_bpf_delete_prog); call_rcu(&prog->rcu, __cls_bpf_delete_prog);
} }
...@@ -282,6 +283,7 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, ...@@ -282,6 +283,7 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb,
if (oldprog) { if (oldprog) {
list_replace_rcu(&prog->link, &oldprog->link); list_replace_rcu(&prog->link, &oldprog->link);
tcf_unbind_filter(tp, &oldprog->res);
call_rcu(&oldprog->rcu, __cls_bpf_delete_prog); call_rcu(&oldprog->rcu, __cls_bpf_delete_prog);
} else { } else {
list_add_rcu(&prog->link, &head->plist); list_add_rcu(&prog->link, &head->plist);
......
...@@ -123,9 +123,7 @@ static int fw_init(struct tcf_proto *tp) ...@@ -123,9 +123,7 @@ static int fw_init(struct tcf_proto *tp)
static void fw_delete_filter(struct rcu_head *head) static void fw_delete_filter(struct rcu_head *head)
{ {
struct fw_filter *f = container_of(head, struct fw_filter, rcu); struct fw_filter *f = container_of(head, struct fw_filter, rcu);
struct tcf_proto *tp = f->tp;
tcf_unbind_filter(tp, &f->res);
tcf_exts_destroy(&f->exts); tcf_exts_destroy(&f->exts);
kfree(f); kfree(f);
} }
...@@ -143,6 +141,7 @@ static void fw_destroy(struct tcf_proto *tp) ...@@ -143,6 +141,7 @@ static void fw_destroy(struct tcf_proto *tp)
while ((f = rtnl_dereference(head->ht[h])) != NULL) { while ((f = rtnl_dereference(head->ht[h])) != NULL) {
RCU_INIT_POINTER(head->ht[h], RCU_INIT_POINTER(head->ht[h],
rtnl_dereference(f->next)); rtnl_dereference(f->next));
tcf_unbind_filter(tp, &f->res);
call_rcu(&f->rcu, fw_delete_filter); call_rcu(&f->rcu, fw_delete_filter);
} }
} }
...@@ -166,6 +165,7 @@ static int fw_delete(struct tcf_proto *tp, unsigned long arg) ...@@ -166,6 +165,7 @@ static int fw_delete(struct tcf_proto *tp, unsigned long arg)
fp = &pfp->next, pfp = rtnl_dereference(*fp)) { fp = &pfp->next, pfp = rtnl_dereference(*fp)) {
if (pfp == f) { if (pfp == f) {
RCU_INIT_POINTER(*fp, rtnl_dereference(f->next)); RCU_INIT_POINTER(*fp, rtnl_dereference(f->next));
tcf_unbind_filter(tp, &f->res);
call_rcu(&f->rcu, fw_delete_filter); call_rcu(&f->rcu, fw_delete_filter);
return 0; return 0;
} }
...@@ -280,6 +280,7 @@ static int fw_change(struct net *net, struct sk_buff *in_skb, ...@@ -280,6 +280,7 @@ static int fw_change(struct net *net, struct sk_buff *in_skb,
RCU_INIT_POINTER(fnew->next, rtnl_dereference(pfp->next)); RCU_INIT_POINTER(fnew->next, rtnl_dereference(pfp->next));
rcu_assign_pointer(*fp, fnew); rcu_assign_pointer(*fp, fnew);
tcf_unbind_filter(tp, &f->res);
call_rcu(&f->rcu, fw_delete_filter); call_rcu(&f->rcu, fw_delete_filter);
*arg = (unsigned long)fnew; *arg = (unsigned long)fnew;
......
...@@ -269,9 +269,7 @@ static void ...@@ -269,9 +269,7 @@ static void
route4_delete_filter(struct rcu_head *head) route4_delete_filter(struct rcu_head *head)
{ {
struct route4_filter *f = container_of(head, struct route4_filter, rcu); struct route4_filter *f = container_of(head, struct route4_filter, rcu);
struct tcf_proto *tp = f->tp;
tcf_unbind_filter(tp, &f->res);
tcf_exts_destroy(&f->exts); tcf_exts_destroy(&f->exts);
kfree(f); kfree(f);
} }
...@@ -297,6 +295,7 @@ static void route4_destroy(struct tcf_proto *tp) ...@@ -297,6 +295,7 @@ static void route4_destroy(struct tcf_proto *tp)
next = rtnl_dereference(f->next); next = rtnl_dereference(f->next);
RCU_INIT_POINTER(b->ht[h2], next); RCU_INIT_POINTER(b->ht[h2], next);
tcf_unbind_filter(tp, &f->res);
call_rcu(&f->rcu, route4_delete_filter); call_rcu(&f->rcu, route4_delete_filter);
} }
} }
...@@ -338,6 +337,7 @@ static int route4_delete(struct tcf_proto *tp, unsigned long arg) ...@@ -338,6 +337,7 @@ static int route4_delete(struct tcf_proto *tp, unsigned long arg)
route4_reset_fastmap(head); route4_reset_fastmap(head);
/* Delete it */ /* Delete it */
tcf_unbind_filter(tp, &f->res);
call_rcu(&f->rcu, route4_delete_filter); call_rcu(&f->rcu, route4_delete_filter);
/* Strip RTNL protected tree */ /* Strip RTNL protected tree */
...@@ -545,8 +545,10 @@ static int route4_change(struct net *net, struct sk_buff *in_skb, ...@@ -545,8 +545,10 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
route4_reset_fastmap(head); route4_reset_fastmap(head);
*arg = (unsigned long)f; *arg = (unsigned long)f;
if (fold) if (fold) {
tcf_unbind_filter(tp, &fold->res);
call_rcu(&fold->rcu, route4_delete_filter); call_rcu(&fold->rcu, route4_delete_filter);
}
return 0; return 0;
errout: errout:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment