From 822e86d997e4d8f942818ea6ac1711f59a66ebef Mon Sep 17 00:00:00 2001 From: Cong Wang Date: Mon, 30 Oct 2017 11:10:09 -0700 Subject: net_sched: remove tcf_block_put_deferred() In commit 7aa0045dadb6 ("net_sched: introduce a workqueue for RCU callbacks of tc filter") I defer tcf_chain_flush() to a workqueue, this causes a use-after-free because qdisc is already destroyed after we queue this work. The tcf_block_put_deferred() is no longer necessary after we get RTNL for each tc filter destroy work, no others could jump in at this point. Same for tcf_chain_hold(), we are fully serialized now. This also reduces one indirection therefore makes the code more readable. Note this brings back a rcu_barrier(), however comparing to the code prior to commit 7aa0045dadb6 we still reduced one rcu_barrier(). For net-next, we can consider to refcnt tcf block to avoid it. Fixes: 7aa0045dadb6 ("net_sched: introduce a workqueue for RCU callbacks of tc filter") Cc: Daniel Borkmann Cc: Jiri Pirko Cc: John Fastabend Cc: Jamal Hadi Salim Cc: "Paul E. McKenney" Cc: Eric Dumazet Signed-off-by: Cong Wang Signed-off-by: David S. Miller --- net/sched/cls_api.c | 37 ++++++++----------------------------- 1 file changed, 8 insertions(+), 29 deletions(-) (limited to 'net/sched') diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index 231181c602ed..b2d310745487 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -280,8 +280,8 @@ static void tcf_block_put_final(struct work_struct *work) struct tcf_block *block = container_of(work, struct tcf_block, work); struct tcf_chain *chain, *tmp; - /* At this point, all the chains should have refcnt == 1. */ rtnl_lock(); + /* Only chain 0 should be still here. */ list_for_each_entry_safe(chain, tmp, &block->chain_list, list) tcf_chain_put(chain); rtnl_unlock(); @@ -289,23 +289,17 @@ static void tcf_block_put_final(struct work_struct *work) } /* XXX: Standalone actions are not allowed to jump to any chain, and bound - * actions should be all removed after flushing. However, filters are destroyed - * in RCU callbacks, we have to hold the chains first, otherwise we would - * always race with RCU callbacks on this list without proper locking. + * actions should be all removed after flushing. However, filters are now + * destroyed in tc filter workqueue with RTNL lock, they can not race here. */ -static void tcf_block_put_deferred(struct work_struct *work) +void tcf_block_put(struct tcf_block *block) { - struct tcf_block *block = container_of(work, struct tcf_block, work); - struct tcf_chain *chain; + struct tcf_chain *chain, *tmp; - rtnl_lock(); - /* Hold a refcnt for all chains, except 0, in case they are gone. */ - list_for_each_entry(chain, &block->chain_list, list) - if (chain->index) - tcf_chain_hold(chain); + if (!block) + return; - /* No race on the list, because no chain could be destroyed. */ - list_for_each_entry(chain, &block->chain_list, list) + list_for_each_entry_safe(chain, tmp, &block->chain_list, list) tcf_chain_flush(chain); INIT_WORK(&block->work, tcf_block_put_final); @@ -314,21 +308,6 @@ static void tcf_block_put_deferred(struct work_struct *work) */ rcu_barrier(); tcf_queue_work(&block->work); - rtnl_unlock(); -} - -void tcf_block_put(struct tcf_block *block) -{ - if (!block) - return; - - INIT_WORK(&block->work, tcf_block_put_deferred); - /* Wait for existing RCU callbacks to cool down, make sure their works - * have been queued before this. We can not flush pending works here - * because we are holding the RTNL lock. - */ - rcu_barrier(); - tcf_queue_work(&block->work); } EXPORT_SYMBOL(tcf_block_put); -- cgit v1.2.3 From f1fd20c36181f526ed2fbd0707b6957f907ee64b Mon Sep 17 00:00:00 2001 From: Yotam Gigi Date: Mon, 30 Oct 2017 11:41:36 +0200 Subject: MAINTAINERS: Update Yotam's E-mail For the time being I will be available in my private mail. Update both the MAINTAINERS file and the individual modules MODULE_AUTHOR directive with the new address. Signed-off-by: Yotam Gigi Signed-off-by: Yuval Mintz Signed-off-by: David S. Miller --- MAINTAINERS | 4 ++-- net/ife/ife.c | 2 +- net/psample/psample.c | 2 +- net/sched/act_sample.c | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) (limited to 'net/sched') diff --git a/MAINTAINERS b/MAINTAINERS index af0cb69f6a3e..83ef0e41625f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -6671,7 +6671,7 @@ F: include/net/ieee802154_netdev.h F: Documentation/networking/ieee802154.txt IFE PROTOCOL -M: Yotam Gigi +M: Yotam Gigi M: Jamal Hadi Salim F: net/ife F: include/net/ife.h @@ -10890,7 +10890,7 @@ S: Maintained F: drivers/block/ps3vram.c PSAMPLE PACKET SAMPLING SUPPORT: -M: Yotam Gigi +M: Yotam Gigi S: Maintained F: net/psample F: include/net/psample.h diff --git a/net/ife/ife.c b/net/ife/ife.c index f360341c72eb..7d1ec76e7f43 100644 --- a/net/ife/ife.c +++ b/net/ife/ife.c @@ -137,6 +137,6 @@ int ife_tlv_meta_encode(void *skbdata, u16 attrtype, u16 dlen, const void *dval) EXPORT_SYMBOL_GPL(ife_tlv_meta_encode); MODULE_AUTHOR("Jamal Hadi Salim "); -MODULE_AUTHOR("Yotam Gigi "); +MODULE_AUTHOR("Yotam Gigi "); MODULE_DESCRIPTION("Inter-FE LFB action"); MODULE_LICENSE("GPL"); diff --git a/net/psample/psample.c b/net/psample/psample.c index 3a6ad0f438dc..64f95624f219 100644 --- a/net/psample/psample.c +++ b/net/psample/psample.c @@ -296,6 +296,6 @@ static void __exit psample_module_exit(void) module_init(psample_module_init); module_exit(psample_module_exit); -MODULE_AUTHOR("Yotam Gigi "); +MODULE_AUTHOR("Yotam Gigi "); MODULE_DESCRIPTION("netlink channel for packet sampling"); MODULE_LICENSE("GPL v2"); diff --git a/net/sched/act_sample.c b/net/sched/act_sample.c index a9f9a2ccc664..8b5abcd2f32f 100644 --- a/net/sched/act_sample.c +++ b/net/sched/act_sample.c @@ -271,6 +271,6 @@ static void __exit sample_cleanup_module(void) module_init(sample_init_module); module_exit(sample_cleanup_module); -MODULE_AUTHOR("Yotam Gigi "); +MODULE_AUTHOR("Yotam Gigi "); MODULE_DESCRIPTION("Packet sampling action"); MODULE_LICENSE("GPL v2"); -- cgit v1.2.3