From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
Yotam Gigi <yotamg@mellanox.com>, Jiri Pirko <jiri@mellanox.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 03/32] net/sched: matchall: Fix configuration race
Date: Thu, 16 Feb 2017 09:54:39 -0800 [thread overview]
Message-ID: <20170216175312.583846878@linuxfoundation.org> (raw)
In-Reply-To: <20170216175312.436156263@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yotam Gigi <yotamg@mellanox.com>
[ Upstream commit fd62d9f5c575f0792f150109f1fd24a0d4b3f854 ]
In the current version, the matchall internal state is split into two
structs: cls_matchall_head and cls_matchall_filter. This makes little
sense, as matchall instance supports only one filter, and there is no
situation where one exists and the other does not. In addition, that led
to some races when filter was deleted while packet was processed.
Unify that two structs into one, thus simplifying the process of matchall
creation and deletion. As a result, the new, delete and get callbacks have
a dummy implementation where all the work is done in destroy and change
callbacks, as was done in cls_cgroup.
Fixes: bf3994d2ed31 ("net/sched: introduce Match-all classifier")
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Yotam Gigi <yotamg@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/cls_matchall.c | 127 ++++++++++++++++-------------------------------
1 file changed, 45 insertions(+), 82 deletions(-)
--- a/net/sched/cls_matchall.c
+++ b/net/sched/cls_matchall.c
@@ -16,16 +16,11 @@
#include <net/sch_generic.h>
#include <net/pkt_cls.h>
-struct cls_mall_filter {
+struct cls_mall_head {
struct tcf_exts exts;
struct tcf_result res;
u32 handle;
- struct rcu_head rcu;
u32 flags;
-};
-
-struct cls_mall_head {
- struct cls_mall_filter *filter;
struct rcu_head rcu;
};
@@ -33,38 +28,29 @@ static int mall_classify(struct sk_buff
struct tcf_result *res)
{
struct cls_mall_head *head = rcu_dereference_bh(tp->root);
- struct cls_mall_filter *f = head->filter;
- if (tc_skip_sw(f->flags))
+ if (tc_skip_sw(head->flags))
return -1;
- return tcf_exts_exec(skb, &f->exts, res);
+ return tcf_exts_exec(skb, &head->exts, res);
}
static int mall_init(struct tcf_proto *tp)
{
- struct cls_mall_head *head;
-
- head = kzalloc(sizeof(*head), GFP_KERNEL);
- if (!head)
- return -ENOBUFS;
-
- rcu_assign_pointer(tp->root, head);
-
return 0;
}
-static void mall_destroy_filter(struct rcu_head *head)
+static void mall_destroy_rcu(struct rcu_head *rcu)
{
- struct cls_mall_filter *f = container_of(head, struct cls_mall_filter, rcu);
+ struct cls_mall_head *head = container_of(rcu, struct cls_mall_head,
+ rcu);
- tcf_exts_destroy(&f->exts);
-
- kfree(f);
+ tcf_exts_destroy(&head->exts);
+ kfree(head);
}
static int mall_replace_hw_filter(struct tcf_proto *tp,
- struct cls_mall_filter *f,
+ struct cls_mall_head *head,
unsigned long cookie)
{
struct net_device *dev = tp->q->dev_queue->dev;
@@ -74,7 +60,7 @@ static int mall_replace_hw_filter(struct
offload.type = TC_SETUP_MATCHALL;
offload.cls_mall = &mall_offload;
offload.cls_mall->command = TC_CLSMATCHALL_REPLACE;
- offload.cls_mall->exts = &f->exts;
+ offload.cls_mall->exts = &head->exts;
offload.cls_mall->cookie = cookie;
return dev->netdev_ops->ndo_setup_tc(dev, tp->q->handle, tp->protocol,
@@ -82,7 +68,7 @@ static int mall_replace_hw_filter(struct
}
static void mall_destroy_hw_filter(struct tcf_proto *tp,
- struct cls_mall_filter *f,
+ struct cls_mall_head *head,
unsigned long cookie)
{
struct net_device *dev = tp->q->dev_queue->dev;
@@ -103,29 +89,20 @@ static bool mall_destroy(struct tcf_prot
{
struct cls_mall_head *head = rtnl_dereference(tp->root);
struct net_device *dev = tp->q->dev_queue->dev;
- struct cls_mall_filter *f = head->filter;
- if (!force && f)
- return false;
+ if (!head)
+ return true;
- if (f) {
- if (tc_should_offload(dev, tp, f->flags))
- mall_destroy_hw_filter(tp, f, (unsigned long) f);
+ if (tc_should_offload(dev, tp, head->flags))
+ mall_destroy_hw_filter(tp, head, (unsigned long) head);
- call_rcu(&f->rcu, mall_destroy_filter);
- }
- kfree_rcu(head, rcu);
+ call_rcu(&head->rcu, mall_destroy_rcu);
return true;
}
static unsigned long mall_get(struct tcf_proto *tp, u32 handle)
{
- struct cls_mall_head *head = rtnl_dereference(tp->root);
- struct cls_mall_filter *f = head->filter;
-
- if (f && f->handle == handle)
- return (unsigned long) f;
- return 0;
+ return 0UL;
}
static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = {
@@ -134,7 +111,7 @@ static const struct nla_policy mall_poli
};
static int mall_set_parms(struct net *net, struct tcf_proto *tp,
- struct cls_mall_filter *f,
+ struct cls_mall_head *head,
unsigned long base, struct nlattr **tb,
struct nlattr *est, bool ovr)
{
@@ -147,11 +124,11 @@ static int mall_set_parms(struct net *ne
return err;
if (tb[TCA_MATCHALL_CLASSID]) {
- f->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]);
- tcf_bind_filter(tp, &f->res, base);
+ head->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]);
+ tcf_bind_filter(tp, &head->res, base);
}
- tcf_exts_change(tp, &f->exts, &e);
+ tcf_exts_change(tp, &head->exts, &e);
return 0;
}
@@ -162,21 +139,17 @@ static int mall_change(struct net *net,
unsigned long *arg, bool ovr)
{
struct cls_mall_head *head = rtnl_dereference(tp->root);
- struct cls_mall_filter *fold = (struct cls_mall_filter *) *arg;
struct net_device *dev = tp->q->dev_queue->dev;
- struct cls_mall_filter *f;
struct nlattr *tb[TCA_MATCHALL_MAX + 1];
+ struct cls_mall_head *new;
u32 flags = 0;
int err;
if (!tca[TCA_OPTIONS])
return -EINVAL;
- if (head->filter)
- return -EBUSY;
-
- if (fold)
- return -EINVAL;
+ if (head)
+ return -EEXIST;
err = nla_parse_nested(tb, TCA_MATCHALL_MAX,
tca[TCA_OPTIONS], mall_policy);
@@ -189,23 +162,23 @@ static int mall_change(struct net *net,
return -EINVAL;
}
- f = kzalloc(sizeof(*f), GFP_KERNEL);
- if (!f)
+ new = kzalloc(sizeof(*new), GFP_KERNEL);
+ if (!new)
return -ENOBUFS;
- tcf_exts_init(&f->exts, TCA_MATCHALL_ACT, 0);
+ tcf_exts_init(&new->exts, TCA_MATCHALL_ACT, 0);
if (!handle)
handle = 1;
- f->handle = handle;
- f->flags = flags;
+ new->handle = handle;
+ new->flags = flags;
- err = mall_set_parms(net, tp, f, base, tb, tca[TCA_RATE], ovr);
+ err = mall_set_parms(net, tp, new, base, tb, tca[TCA_RATE], ovr);
if (err)
goto errout;
if (tc_should_offload(dev, tp, flags)) {
- err = mall_replace_hw_filter(tp, f, (unsigned long) f);
+ err = mall_replace_hw_filter(tp, new, (unsigned long) new);
if (err) {
if (tc_skip_sw(flags))
goto errout;
@@ -214,39 +187,29 @@ static int mall_change(struct net *net,
}
}
- *arg = (unsigned long) f;
- rcu_assign_pointer(head->filter, f);
-
+ *arg = (unsigned long) head;
+ rcu_assign_pointer(tp->root, new);
+ if (head)
+ call_rcu(&head->rcu, mall_destroy_rcu);
return 0;
errout:
- kfree(f);
+ kfree(new);
return err;
}
static int mall_delete(struct tcf_proto *tp, unsigned long arg)
{
- struct cls_mall_head *head = rtnl_dereference(tp->root);
- struct cls_mall_filter *f = (struct cls_mall_filter *) arg;
- struct net_device *dev = tp->q->dev_queue->dev;
-
- if (tc_should_offload(dev, tp, f->flags))
- mall_destroy_hw_filter(tp, f, (unsigned long) f);
-
- RCU_INIT_POINTER(head->filter, NULL);
- tcf_unbind_filter(tp, &f->res);
- call_rcu(&f->rcu, mall_destroy_filter);
- return 0;
+ return -EOPNOTSUPP;
}
static void mall_walk(struct tcf_proto *tp, struct tcf_walker *arg)
{
struct cls_mall_head *head = rtnl_dereference(tp->root);
- struct cls_mall_filter *f = head->filter;
if (arg->count < arg->skip)
goto skip;
- if (arg->fn(tp, (unsigned long) f, arg) < 0)
+ if (arg->fn(tp, (unsigned long) head, arg) < 0)
arg->stop = 1;
skip:
arg->count++;
@@ -255,28 +218,28 @@ skip:
static int mall_dump(struct net *net, struct tcf_proto *tp, unsigned long fh,
struct sk_buff *skb, struct tcmsg *t)
{
- struct cls_mall_filter *f = (struct cls_mall_filter *) fh;
+ struct cls_mall_head *head = (struct cls_mall_head *) fh;
struct nlattr *nest;
- if (!f)
+ if (!head)
return skb->len;
- t->tcm_handle = f->handle;
+ t->tcm_handle = head->handle;
nest = nla_nest_start(skb, TCA_OPTIONS);
if (!nest)
goto nla_put_failure;
- if (f->res.classid &&
- nla_put_u32(skb, TCA_MATCHALL_CLASSID, f->res.classid))
+ if (head->res.classid &&
+ nla_put_u32(skb, TCA_MATCHALL_CLASSID, head->res.classid))
goto nla_put_failure;
- if (tcf_exts_dump(skb, &f->exts))
+ if (tcf_exts_dump(skb, &head->exts))
goto nla_put_failure;
nla_nest_end(skb, nest);
- if (tcf_exts_dump_stats(skb, &f->exts) < 0)
+ if (tcf_exts_dump_stats(skb, &head->exts) < 0)
goto nla_put_failure;
return skb->len;
next prev parent reply other threads:[~2017-02-16 17:55 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-16 17:54 [PATCH 4.9 00/32] 4.9.11-stable review Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 01/32] can: Fix kernel panic at security_sock_rcv_skb Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 02/32] net/mlx5e: Fix update of hash function/key via ethtool Greg Kroah-Hartman
2017-02-16 17:54 ` Greg Kroah-Hartman [this message]
2017-02-16 17:54 ` [PATCH 4.9 04/32] ipv6: fix ip6_tnl_parse_tlv_enc_lim() Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 05/32] ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim() Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 06/32] tcp: fix 0 divide in __tcp_select_window() Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 07/32] stmmac: Discard masked flags in interrupt status register Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 08/32] net: use a work queue to defer net_disable_timestamp() work Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 09/32] ipv4: keep skb->dst around in presence of IP options Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 10/32] netlabel: out of bound access in cipso_v4_validate() Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 11/32] ip6_gre: fix ip6gre_err() invalid reads Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 12/32] ipv6: tcp: add a missing tcp_v6_restore_cb() Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 13/32] tcp: avoid infinite loop in tcp_splice_read() Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 14/32] tun: read vnet_hdr_sz once Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 15/32] macvtap: read vnet_hdr_size once Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 17/32] rtl8150: Use heap buffers for all register access Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 18/32] catc: Combine failure cleanup code in catc_probe() Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 19/32] catc: Use heap buffer for memory size test Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 20/32] mlx4: Invoke softirqs after napi_reschedule Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 21/32] sctp: avoid BUG_ON on sctp_wait_for_sndbuf Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 22/32] lwtunnel: valid encap attr check should return 0 when lwtunnel is disabled Greg Kroah-Hartman
2017-02-16 17:54 ` [PATCH 4.9 23/32] sit: fix a double free on error path Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 24/32] net: introduce device min_header_len Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 25/32] packet: round up linear to header len Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 26/32] ping: fix a null pointer dereference Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 27/32] net: dsa: Do not destroy invalid network devices Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 28/32] l2tp: do not use udp_ioctl() Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 29/32] mld: do not remove mld souce list info when set link down Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 30/32] igmp, mld: Fix memory leak in igmpv3/mld_del_delrec() Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 31/32] tcp: fix mark propagation with fwmark_reflect enabled Greg Kroah-Hartman
2017-02-16 17:55 ` [PATCH 4.9 32/32] net/mlx5: Dont unlock fte while still using it Greg Kroah-Hartman
2017-02-17 10:38 ` [PATCH 4.9 00/32] 4.9.11-stable review Guenter Roeck
2017-02-17 18:12 ` Greg Kroah-Hartman
[not found] ` <58a74eec.cfa8190a.ae52b.6ef7@mx.google.com>
2017-02-17 23:43 ` Greg Kroah-Hartman
2017-02-20 22:36 ` Kevin Hilman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170216175312.583846878@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=jiri@mellanox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=yotamg@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).