net_sched: move the empty tp check from ->destroy() to ->delete()

We could have a race condition where in ->classify() path we
dereference tp->root and meanwhile a parallel ->destroy() makes it
a NULL. Daniel cured this bug in commit d936377414fa
("net, sched: respect rcu grace period on cls destruction").

This happens when ->destroy() is called for deleting a filter to
check if we are the last one in tp, this tp is still linked and
visible at that time. The root cause of this problem is the semantic
of ->destroy(), it does two things (for non-force case):

1) check if tp is empty
2) if tp is empty we could really destroy it

and its caller, if cares, needs to check its return value to see if it
is really destroyed. Therefore we can't unlink tp unless we know it is
empty.

As suggested by Daniel, we could actually move the test logic to ->delete()
so that we can safely unlink tp after ->delete() tells us the last one is
just deleted and before ->destroy().

Fixes: 1e052be69d04 ("net_sched: destroy proto tp when all filters are gone")
Cc: Roi Dayan <roid@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 15 insertions, 14 deletions

diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index a371075c1d7a..f4d687e04240 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -276,20 +276,13 @@ static void route4_delete_filter(struct rcu_head *head)
         kfree(f);
 }
 
-static bool route4_destroy(struct tcf_proto *tp, bool force)
+static void route4_destroy(struct tcf_proto *tp)
 {
         struct route4_head *head = rtnl_dereference(tp->root);
         int h1, h2;
 
         if (head == NULL)
-                return true;
-
-        if (!force) {
-                for (h1 = 0; h1 <= 256; h1++) {
-                        if (rcu_access_pointer(head->table[h1]))
-                                return false;
-                }
-        }
+                return;
 
         for (h1 = 0; h1 <= 256; h1++) {
                 struct route4_bucket *b;
@@ -314,10 +307,9 @@ static bool route4_destroy(struct tcf_proto *tp, bool force)
         }
         RCU_INIT_POINTER(tp->root, NULL);
         kfree_rcu(head, rcu);
-        return true;
 }
 
-static int route4_delete(struct tcf_proto *tp, unsigned long arg)
+static int route4_delete(struct tcf_proto *tp, unsigned long arg, bool *last)
 {
         struct route4_head *head = rtnl_dereference(tp->root);
         struct route4_filter *f = (struct route4_filter *)arg;
@@ -325,7 +317,7 @@ static int route4_delete(struct tcf_proto *tp, unsigned long arg)
         struct route4_filter *nf;
         struct route4_bucket *b;
         unsigned int h = 0;
-        int i;
+        int i, h1;
 
         if (!head || !f)
                 return -EINVAL;
@@ -356,16 +348,25 @@ static int route4_delete(struct tcf_proto *tp, unsigned long arg)
 
                                 rt = rtnl_dereference(b->ht[i]);
                                 if (rt)
-                                        return 0;
+                                        goto out;
                         }
 
                         /* OK, session has no flows */
                         RCU_INIT_POINTER(head->table[to_hash(h)], NULL);
                         kfree_rcu(b, rcu);
+                        break;
+                }
+        }
 
-                        return 0;
+out:
+        *last = true;
+        for (h1 = 0; h1 <= 256; h1++) {
+                if (rcu_access_pointer(head->table[h1])) {
+                        *last = false;
+                        break;
                 }
         }
+
         return 0;
 }