summaryrefslogtreecommitdiff
path: root/net/sched/cls_route.c
diff options
context:
space:
mode:
authorJohn Fastabend <john.fastabend@gmail.com>2014-10-06 08:28:52 +0400
committerDavid S. Miller <davem@davemloft.net>2014-10-07 02:02:33 +0400
commit18cdb37ebf4c986d9502405cbd16b0ac29770c25 (patch)
tree2bf659bf5d527447c11845ca06d15d1b69b9ab31 /net/sched/cls_route.c
parent13990f8156862fe945a1a226850a6550c8988a33 (diff)
downloadlinux-18cdb37ebf4c986d9502405cbd16b0ac29770c25.tar.xz
net: sched: do not use tcf_proto 'tp' argument from call_rcu
Using the tcf_proto pointer 'tp' from inside the classifiers callback is not valid because it may have been cleaned up by another call_rcu occuring on another CPU. 'tp' is currently being used by tcf_unbind_filter() in this patch we move instances of tcf_unbind_filter outside of the call_rcu() context. This is safe to do because any running schedulers will either read the valid class field or it will be zeroed. And all schedulers today when the class is 0 do a lookup using the same call used by the tcf_exts_bind(). So even if we have a running classifier hit the null class pointer it will do a lookup and get to the same result. This is particularly fragile at the moment because the only way to verify this is to audit the schedulers call sites. Reported-by: Cong Wang <xiyou.wangconf@gmail.com> Signed-off-by: John Fastabend <john.r.fastabend@intel.com> Acked-by: Cong Wang <cwang@twopensource.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sched/cls_route.c')
-rw-r--r--net/sched/cls_route.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index b665aee661f7..6f22baae0afa 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -269,9 +269,7 @@ static void
route4_delete_filter(struct rcu_head *head)
{
struct route4_filter *f = container_of(head, struct route4_filter, rcu);
- struct tcf_proto *tp = f->tp;
- tcf_unbind_filter(tp, &f->res);
tcf_exts_destroy(&f->exts);
kfree(f);
}
@@ -297,6 +295,7 @@ static void route4_destroy(struct tcf_proto *tp)
next = rtnl_dereference(f->next);
RCU_INIT_POINTER(b->ht[h2], next);
+ tcf_unbind_filter(tp, &f->res);
call_rcu(&f->rcu, route4_delete_filter);
}
}
@@ -338,6 +337,7 @@ static int route4_delete(struct tcf_proto *tp, unsigned long arg)
route4_reset_fastmap(head);
/* Delete it */
+ tcf_unbind_filter(tp, &f->res);
call_rcu(&f->rcu, route4_delete_filter);
/* Strip RTNL protected tree */
@@ -545,8 +545,10 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
route4_reset_fastmap(head);
*arg = (unsigned long)f;
- if (fold)
+ if (fold) {
+ tcf_unbind_filter(tp, &fold->res);
call_rcu(&fold->rcu, route4_delete_filter);
+ }
return 0;
errout: