net: sched: do not use tcf_proto 'tp' argument from call_rcu

Using the tcf_proto pointer 'tp' from inside the classifiers callback is not valid because it may have been cleaned up by another call_rcu occuring on another CPU. 'tp' is currently being used by tcf_unbind_filter() in this patch we move instances of tcf_unbind_filter outside of the call_rcu() context. This is safe to do because any running schedulers will either read the valid class field or it will be zeroed. And all schedulers today when the class is 0 do a lookup using the same call used by the tcf_exts_bind(). So even if we have a running classifier hit the null class pointer it will do a lookup and get to the same result. This is particularly fragile at the moment because the only way to verify this is to audit the schedulers call sites. Reported-by: Cong Wang <xiyou.wangconf@gmail.com> Signed-off-by: John Fastabend <john.r.fastabend@intel.com> Acked-by: Cong Wang <cwang@twopensource.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: John Fastabend <john.fastabend@gmail.com> 2014-10-06 00:28:52 -0400
committer: David S. Miller <davem@davemloft.net> 2014-10-06 18:02:33 -0400
commit: 18cdb37ebf4c986d9502405cbd16b0ac29770c25 (patch)
tree: 2bf659bf5d527447c11845ca06d15d1b69b9ab31 /net
parent: 13990f8156862fe945a1a226850a6550c8988a33 (diff)
4 files changed, 14 insertions, 8 deletions
diff --git a/net/sched/cls_basic.c b/net/sched/cls_basic.c
index 90647a8af8ca..cd61280941e5 100644
--- a/net/sched/cls_basic.c
+++ b/net/sched/cls_basic.c
@@ -91,9 +91,7 @@ static int basic_init(struct tcf_proto *tp)
 static void basic_delete_filter(struct rcu_head *head)
 {
        struct basic_filter *f = container_of(head, struct basic_filter, rcu);
-        struct tcf_proto *tp = f->tp;
-        tcf_unbind_filter(tp, &f->res);
        tcf_exts_destroy(&f->exts);
        tcf_em_tree_destroy(&f->ematches);
        kfree(f);
@@ -106,6 +104,7 @@ static void basic_destroy(struct tcf_proto *tp)
        list_for_each_entry_safe(f, n, &head->flist, link) {
                list_del_rcu(&f->link);
+                tcf_unbind_filter(tp, &f->res);
                call_rcu(&f->rcu, basic_delete_filter);
        }
        RCU_INIT_POINTER(tp->root, NULL);
@@ -120,6 +119,7 @@ static int basic_delete(struct tcf_proto *tp, unsigned long arg)
        list_for_each_entry(t, &head->flist, link)
                if (t == f) {
                        list_del_rcu(&t->link);
+                        tcf_unbind_filter(tp, &t->res);
                        call_rcu(&t->rcu, basic_delete_filter);
                        return 0;
                }
@@ -222,6 +222,7 @@ static int basic_change(struct net *net, struct sk_buff *in_skb,
        if (fold) {
                list_replace_rcu(&fold->link, &fnew->link);
+                tcf_unbind_filter(tp, &fold->res);
                call_rcu(&fold->rcu, basic_delete_filter);
        } else {
                list_add_rcu(&fnew->link, &head->flist);
diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 4318d067b0a0..eed49d1d0878 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -92,7 +92,6 @@ static int cls_bpf_init(struct tcf_proto *tp)
 static void cls_bpf_delete_prog(struct tcf_proto *tp, struct cls_bpf_prog *prog)
 {
-        tcf_unbind_filter(tp, &prog->res);
        tcf_exts_destroy(&prog->exts);
        bpf_prog_destroy(prog->filter);
@@ -116,6 +115,7 @@ static int cls_bpf_delete(struct tcf_proto *tp, unsigned long arg)
        list_for_each_entry(prog, &head->plist, link) {
                if (prog == todel) {
                        list_del_rcu(&prog->link);
+                        tcf_unbind_filter(tp, &prog->res);
                        call_rcu(&prog->rcu, __cls_bpf_delete_prog);
                        return 0;
                }
@@ -131,6 +131,7 @@ static void cls_bpf_destroy(struct tcf_proto *tp)
        list_for_each_entry_safe(prog, tmp, &head->plist, link) {
                list_del_rcu(&prog->link);
+                tcf_unbind_filter(tp, &prog->res);
                call_rcu(&prog->rcu, __cls_bpf_delete_prog);
        }
@@ -282,6 +283,7 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb,
        if (oldprog) {
                list_replace_rcu(&prog->link, &oldprog->link);
+                tcf_unbind_filter(tp, &oldprog->res);
                call_rcu(&oldprog->rcu, __cls_bpf_delete_prog);
        } else {
                list_add_rcu(&prog->link, &head->plist);
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index da805aeeb65c..dbfdfd1f1a9f 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -123,9 +123,7 @@ static int fw_init(struct tcf_proto *tp)
 static void fw_delete_filter(struct rcu_head *head)
 {
        struct fw_filter *f = container_of(head, struct fw_filter, rcu);
-        struct tcf_proto *tp = f->tp;
-        tcf_unbind_filter(tp, &f->res);
        tcf_exts_destroy(&f->exts);
        kfree(f);
 }
@@ -143,6 +141,7 @@ static void fw_destroy(struct tcf_proto *tp)
                while ((f = rtnl_dereference(head->ht[h])) != NULL) {
                        RCU_INIT_POINTER(head->ht[h],
                                         rtnl_dereference(f->next));
+                        tcf_unbind_filter(tp, &f->res);
                        call_rcu(&f->rcu, fw_delete_filter);
                }
        }
@@ -166,6 +165,7 @@ static int fw_delete(struct tcf_proto *tp, unsigned long arg)
             fp = &pfp->next, pfp = rtnl_dereference(*fp)) {
                if (pfp == f) {
                        RCU_INIT_POINTER(*fp, rtnl_dereference(f->next));
+                        tcf_unbind_filter(tp, &f->res);
                        call_rcu(&f->rcu, fw_delete_filter);
                        return 0;
                }
@@ -280,6 +280,7 @@ static int fw_change(struct net *net, struct sk_buff *in_skb,
                RCU_INIT_POINTER(fnew->next, rtnl_dereference(pfp->next));
                rcu_assign_pointer(*fp, fnew);
+                tcf_unbind_filter(tp, &f->res);
                call_rcu(&f->rcu, fw_delete_filter);
                *arg = (unsigned long)fnew;
diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index b665aee661f7..6f22baae0afa 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -269,9 +269,7 @@ static void
 route4_delete_filter(struct rcu_head *head)
 {
        struct route4_filter *f = container_of(head, struct route4_filter, rcu);
-        struct tcf_proto *tp = f->tp;
-        tcf_unbind_filter(tp, &f->res);
        tcf_exts_destroy(&f->exts);
        kfree(f);
 }
@@ -297,6 +295,7 @@ static void route4_destroy(struct tcf_proto *tp)
                                        next = rtnl_dereference(f->next);
                                        RCU_INIT_POINTER(b->ht[h2], next);
+                                        tcf_unbind_filter(tp, &f->res);
                                        call_rcu(&f->rcu, route4_delete_filter);
                                }
                        }
@@ -338,6 +337,7 @@ static int route4_delete(struct tcf_proto *tp, unsigned long arg)
                        route4_reset_fastmap(head);
                        /* Delete it */
+                        tcf_unbind_filter(tp, &f->res);
                        call_rcu(&f->rcu, route4_delete_filter);
                        /* Strip RTNL protected tree */
@@ -545,8 +545,10 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
        route4_reset_fastmap(head);
        *arg = (unsigned long)f;
-        if (fold)
+        if (fold) {
+                tcf_unbind_filter(tp, &fold->res);
                call_rcu(&fold->rcu, route4_delete_filter);
+        }
        return 0;
 errout:
author	John Fastabend <john.fastabend@gmail.com>	2014-10-06 00:28:52 -0400
committer	David S. Miller <davem@davemloft.net>	2014-10-06 18:02:33 -0400
commit	18cdb37ebf4c986d9502405cbd16b0ac29770c25 (patch)
tree	2bf659bf5d527447c11845ca06d15d1b69b9ab31 /net
parent	13990f8156862fe945a1a226850a6550c8988a33 (diff)