diff options
| author |   John Fastabend <john.fastabend@gmail.com> | 2014-10-05 21:28:52 -0700 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2014-10-06 18:02:33 -0400 |
| commit | 18cdb37ebf4c986d9502405cbd16b0ac29770c25 (patch) | |
| tree | 2bf659bf5d527447c11845ca06d15d1b69b9ab31 /REPORTING-BUGS | |
| parent | net: sched: cls_cgroup tear down exts and ematch from rcu callback (diff) | |
| download | linux-dev-18cdb37ebf4c986d9502405cbd16b0ac29770c25.tar.xz linux-dev-18cdb37ebf4c986d9502405cbd16b0ac29770c25.zip | |
net: sched: do not use tcf_proto 'tp' argument from call_rcu
Using the tcf_proto pointer 'tp' from inside the classifiers callback
is not valid because it may have been cleaned up by another call_rcu
occuring on another CPU.
'tp' is currently being used by tcf_unbind_filter() in this patch we
move instances of tcf_unbind_filter outside of the call_rcu() context.
This is safe to do because any running schedulers will either read the
valid class field or it will be zeroed.
And all schedulers today when the class is 0 do a lookup using the
same call used by the tcf_exts_bind(). So even if we have a running
classifier hit the null class pointer it will do a lookup and get
to the same result. This is particularly fragile at the moment because
the only way to verify this is to audit the schedulers call sites.
Reported-by: Cong Wang <xiyou.wangconf@gmail.com>
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Acked-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'REPORTING-BUGS')
0 files changed, 0 insertions, 0 deletions