author | David S. Miller <davem@davemloft.net> | 2019-05-28 17:22:15 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2019-05-28 17:22:15 -0700 |
commit | 2e56571d820d46d9d54c1ae0e113a91d1c07814f (patch) | |
tree | 3a2cd75dc3f1b69cae61b597b8f1f42c006757a1 | |
parent | selftests/net: ipv6 flowlabel (diff) | |
parent | inet: frags: fix use-after-free read in inet_frag_destroy_rcu (diff) | |
Merge branch 'inet-frags-followup'
Eric Dumazet says:
====================
inet: frags: followup to 'inet-frags-avoid-possible-races-at-netns-dismantle'
Latest patch series ('inet-frags-avoid-possible-races-at-netns-dismantle')
brought another syzbot report shown in the third patch changelog.
While fixing the issue, I had to call inet_frags_fini() later
in IPv6 and ilowpan.
Also I believe a completion is needed to ensure proper dismantle
at module removal.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/net/inet_frag.h | 23 | ||||
-rw-r--r-- | net/ieee802154/6lowpan/reassembly.c | 2 | ||||
-rw-r--r-- | net/ipv4/inet_fragment.c | 39 | ||||
-rw-r--r-- | net/ipv6/reassembly.c | 2 |
4 files changed, 43 insertions, 23 deletions
diff --git a/include/net/inet_frag.h b/include/net/inet_frag.h
index 002f23c1a1a7..e91b79ad4e4a 100644
--- a/include/net/inet_frag.h
+++ b/include/net/inet_frag.h
@@ -3,6 +3,7 @@
 #define __NET_FRAG_H__
 #include <linux/rhashtable-types.h>
+#include <linux/completion.h>
 /* Per netns frag queues directory */
 struct fqdir {
@@ -104,30 +105,14 @@ struct inet_frags {
 struct kmem_cache *frags_cachep;
 const char *frags_cache_name;
 struct rhashtable_params rhash_params;
+ refcount_t refcnt;
+ struct completion completion;
 };
 int inet_frags_init(struct inet_frags *);
 void inet_frags_fini(struct inet_frags *);
-static inline int fqdir_init(struct fqdir **fqdirp, struct inet_frags *f,
- struct net *net)
-{
- struct fqdir *fqdir = kzalloc(sizeof(*fqdir), GFP_KERNEL);
- int res;
-
- if (!fqdir)
- return -ENOMEM;
- fqdir->f = f;
- fqdir->net = net;
- res = rhashtable_init(&fqdir->rhashtable, &fqdir->f->rhash_params);
- if (res < 0) {
- kfree(fqdir);
- return res;
- }
- *fqdirp = fqdir;
- return 0;
-}
-
+int fqdir_init(struct fqdir **fqdirp, struct inet_frags *f, struct net *net);
 void fqdir_exit(struct fqdir *fqdir);
 void inet_frag_kill(struct inet_frag_queue *q);
diff --git a/net/ieee802154/6lowpan/reassembly.c b/net/ieee802154/6lowpan/reassembly.c
index e59c3b708969..5b56f16ed86b 100644
--- a/net/ieee802154/6lowpan/reassembly.c
+++ b/net/ieee802154/6lowpan/reassembly.c
@@ -540,7 +540,7 @@ err_sysctl:
 void lowpan_net_frag_exit(void)
 {
- inet_frags_fini(&lowpan_frags);
 lowpan_frags_sysctl_unregister();
 unregister_pernet_subsys(&lowpan_frags_ops);
+ inet_frags_fini(&lowpan_frags);
 }
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index 6ca9523374da..2b816f1ebbb4 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
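Review bot: The two members added to `struct inet_frags` carry the whole teardown protocol but have no comment, so the rule that pairs them can only be found by reading net/ipv4/inet_fragment.c. I would annotate them in place, e.g. `refcount_t refcnt; /* 1 from inet_frags_init() + 1 per fqdir_init() */` and `struct completion completion; /* signalled when refcnt reaches 0 */`. The opening lines of the struct are outside this hunk.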
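Review bot: Moving `inet_frags_fini(&lowpan_frags);` to the end of `lowpan_net_frag_exit()` makes the call order load-bearing, because inet_frags_fini() now blocks until every fqdir reference has been dropped, yet nothing at the call site says so. A one-line comment above the call, such as `/* must be last: waits for all fqdirs of this inet_frags to be freed */`, would keep a later cleanup from moving it back to the top and reintroducing a teardown race. The same comment applies to the `ipv6_frag_exit()` hunk in net/ipv6/reassembly.c.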
@@ -110,14 +110,18 @@ int inet_frags_init(struct inet_frags *f)
 if (!f->frags_cachep)
 return -ENOMEM;
+ refcount_set(&f->refcnt, 1);
+ init_completion(&f->completion);
 return 0;
 }
 EXPORT_SYMBOL(inet_frags_init);
 void inet_frags_fini(struct inet_frags *f)
 {
- /* We must wait that all inet_frag_destroy_rcu() have completed. */
- rcu_barrier();
+ if (refcount_dec_and_test(&f->refcnt))
+ complete(&f->completion);
+
+ wait_for_completion(&f->completion);
 kmem_cache_destroy(f->frags_cachep);
 f->frags_cachep = NULL;
@@ -149,11 +153,42 @@ static void fqdir_rwork_fn(struct work_struct *work)
 {
 struct fqdir *fqdir = container_of(to_rcu_work(work), struct fqdir, destroy_rwork);
+ struct inet_frags *f = fqdir->f;
 rhashtable_free_and_destroy(&fqdir->rhashtable, inet_frags_free_cb, NULL);
+
+ /* We need to make sure all ongoing call_rcu(..., inet_frag_destroy_rcu)
+ * have completed, since they need to dereference fqdir.
+ * Would it not be nice to have kfree_rcu_barrier() ? :)
+ */
+ rcu_barrier();
+
+ if (refcount_dec_and_test(&f->refcnt))
+ complete(&f->completion);
+
 kfree(fqdir);
 }
+int fqdir_init(struct fqdir **fqdirp, struct inet_frags *f, struct net *net)
+{
+ struct fqdir *fqdir = kzalloc(sizeof(*fqdir), GFP_KERNEL);
+ int res;
+
+ if (!fqdir)
+ return -ENOMEM;
+ fqdir->f = f;
+ fqdir->net = net;
+ res = rhashtable_init(&fqdir->rhashtable, &fqdir->f->rhash_params);
+ if (res < 0) {
+ kfree(fqdir);
+ return res;
+ }
+ refcount_inc(&f->refcnt);
+ *fqdirp = fqdir;
+ return 0;
+}
+EXPORT_SYMBOL(fqdir_init);
+
 void fqdir_exit(struct fqdir *fqdir)
 {
 fqdir->high_thresh = 0; /* prevent creation of new frags */
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 836ea964cf14..ff5b6d8de2c6 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
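Review bot: `wait_for_completion(&f->completion);` in inet_frags_fini() has no timeout and replaces a commented `rcu_barrier()` with uncommented code, so one fqdir_init() whose reference is never dropped leaves the caller blocked indefinitely with no diagnostic. Also, inet_frags_init() returns -ENOMEM before `refcount_set()` and `init_completion()` run, so calling inet_frags_fini() after a failed init would operate on an uninitialised refcount and completion; whether any caller does that is not visible here. I would add above the new block `/* Drop the initial reference, then wait until fqdir_rwork_fn() has released every fqdir. */`. inet_frags_fini() continues past the end of the hunk.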
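Review bot: In fqdir_rwork_fn(), `f` must not be dereferenced after `complete(&f->completion);`, because inet_frags_fini() may then return and the owner of the `struct inet_frags` (for example the module holding `ip6_frags`) can release it. The code is safe today only because `kfree(fqdir);` is all that follows, and that invariant is unstated; I would add `/* f may be gone once the completion fires; do not touch it below */` before the kfree. Separately, `refcount_inc(&f->refcnt);` in fqdir_init() assumes the initial reference is still held, i.e. that inet_frags_fini() has not started, and a short comment naming that precondition would help. fqdir_exit() at the end of the hunk continues outside it.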
@@ -583,8 +583,8 @@ err_protocol:
 void ipv6_frag_exit(void)
 {
- inet_frags_fini(&ip6_frags);
 ip6_frags_sysctl_unregister();
 unregister_pernet_subsys(&ip6_frags_ops);
 inet6_del_protocol(&frag_protocol, IPPROTO_FRAGMENT);
+ inet_frags_fini(&ip6_frags);
 } |