authorJohn Fastabend <john.fastabend@gmail.com>2014-10-05 21:28:52 -0700
committerDavid S. Miller <davem@davemloft.net>2014-10-06 18:02:33 -0400
net: sched: do not use tcf_proto 'tp' argument from call_rcu
Using the tcf_proto pointer 'tp' from inside the classifiers callback is not valid because it may have been cleaned up by another call_rcu occuring on another CPU. 'tp' is currently being used by tcf_unbind_filter() in this patch we move instances of tcf_unbind_filter outside of the call_rcu() context. This is safe to do because any running schedulers will either read the valid class field or it will be zeroed. And all schedulers today when the class is 0 do a lookup using the same call used by the tcf_exts_bind(). So even if we have a running classifier hit the null class pointer it will do a lookup and get to the same result. This is particularly fragile at the moment because the only way to verify this is to audit the schedulers call sites. Reported-by: Cong Wang <xiyou.wangconf@gmail.com> Signed-off-by: John Fastabend <john.r.fastabend@intel.com> Acked-by: Cong Wang <cwang@twopensource.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 files changed, 3 insertions, 2 deletions
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index da805aeeb65c..dbfdfd1f1a9f 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -123,9 +123,7 @@ static int fw_init(struct tcf_proto *tp)
static void fw_delete_filter(struct rcu_head *head)
struct fw_filter *f = container_of(head, struct fw_filter, rcu);
- struct tcf_proto *tp = f->tp;
- tcf_unbind_filter(tp, &f->res);
@@ -143,6 +141,7 @@ static void fw_destroy(struct tcf_proto *tp)
while ((f = rtnl_dereference(head->ht[h])) != NULL) {
+ tcf_unbind_filter(tp, &f->res);
call_rcu(&f->rcu, fw_delete_filter);
@@ -166,6 +165,7 @@ static int fw_delete(struct tcf_proto *tp, unsigned long arg)
fp = &pfp->next, pfp = rtnl_dereference(*fp)) {
if (pfp == f) {
RCU_INIT_POINTER(*fp, rtnl_dereference(f->next));
+ tcf_unbind_filter(tp, &f->res);
call_rcu(&f->rcu, fw_delete_filter);
return 0;
@@ -280,6 +280,7 @@ static int fw_change(struct net *net, struct sk_buff *in_skb,
RCU_INIT_POINTER(fnew->next, rtnl_dereference(pfp->next));
rcu_assign_pointer(*fp, fnew);
+ tcf_unbind_filter(tp, &f->res);
call_rcu(&f->rcu, fw_delete_filter);
*arg = (unsigned long)fnew;