diff options
author | John Fastabend <john.fastabend@gmail.com> | 2014-10-06 00:28:52 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-10-06 18:02:33 -0400 |
commit | 18cdb37ebf4c986d9502405cbd16b0ac29770c25 (patch) | |
tree | 2bf659bf5d527447c11845ca06d15d1b69b9ab31 /net/sched/cls_route.c | |
parent | 13990f8156862fe945a1a226850a6550c8988a33 (diff) |
net: sched: do not use tcf_proto 'tp' argument from call_rcu
Using the tcf_proto pointer 'tp' from inside the classifiers callback
is not valid because it may have been cleaned up by another call_rcu
occuring on another CPU.
'tp' is currently being used by tcf_unbind_filter() in this patch we
move instances of tcf_unbind_filter outside of the call_rcu() context.
This is safe to do because any running schedulers will either read the
valid class field or it will be zeroed.
And all schedulers today when the class is 0 do a lookup using the
same call used by the tcf_exts_bind(). So even if we have a running
classifier hit the null class pointer it will do a lookup and get
to the same result. This is particularly fragile at the moment because
the only way to verify this is to audit the schedulers call sites.
Reported-by: Cong Wang <xiyou.wangconf@gmail.com>
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Acked-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sched/cls_route.c')
-rw-r--r-- | net/sched/cls_route.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c index b665aee661f7..6f22baae0afa 100644 --- a/net/sched/cls_route.c +++ b/net/sched/cls_route.c | |||
@@ -269,9 +269,7 @@ static void | |||
269 | route4_delete_filter(struct rcu_head *head) | 269 | route4_delete_filter(struct rcu_head *head) |
270 | { | 270 | { |
271 | struct route4_filter *f = container_of(head, struct route4_filter, rcu); | 271 | struct route4_filter *f = container_of(head, struct route4_filter, rcu); |
272 | struct tcf_proto *tp = f->tp; | ||
273 | 272 | ||
274 | tcf_unbind_filter(tp, &f->res); | ||
275 | tcf_exts_destroy(&f->exts); | 273 | tcf_exts_destroy(&f->exts); |
276 | kfree(f); | 274 | kfree(f); |
277 | } | 275 | } |
@@ -297,6 +295,7 @@ static void route4_destroy(struct tcf_proto *tp) | |||
297 | 295 | ||
298 | next = rtnl_dereference(f->next); | 296 | next = rtnl_dereference(f->next); |
299 | RCU_INIT_POINTER(b->ht[h2], next); | 297 | RCU_INIT_POINTER(b->ht[h2], next); |
298 | tcf_unbind_filter(tp, &f->res); | ||
300 | call_rcu(&f->rcu, route4_delete_filter); | 299 | call_rcu(&f->rcu, route4_delete_filter); |
301 | } | 300 | } |
302 | } | 301 | } |
@@ -338,6 +337,7 @@ static int route4_delete(struct tcf_proto *tp, unsigned long arg) | |||
338 | route4_reset_fastmap(head); | 337 | route4_reset_fastmap(head); |
339 | 338 | ||
340 | /* Delete it */ | 339 | /* Delete it */ |
340 | tcf_unbind_filter(tp, &f->res); | ||
341 | call_rcu(&f->rcu, route4_delete_filter); | 341 | call_rcu(&f->rcu, route4_delete_filter); |
342 | 342 | ||
343 | /* Strip RTNL protected tree */ | 343 | /* Strip RTNL protected tree */ |
@@ -545,8 +545,10 @@ static int route4_change(struct net *net, struct sk_buff *in_skb, | |||
545 | 545 | ||
546 | route4_reset_fastmap(head); | 546 | route4_reset_fastmap(head); |
547 | *arg = (unsigned long)f; | 547 | *arg = (unsigned long)f; |
548 | if (fold) | 548 | if (fold) { |
549 | tcf_unbind_filter(tp, &fold->res); | ||
549 | call_rcu(&fold->rcu, route4_delete_filter); | 550 | call_rcu(&fold->rcu, route4_delete_filter); |
551 | } | ||
550 | return 0; | 552 | return 0; |
551 | 553 | ||
552 | errout: | 554 | errout: |