mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	 d936377414
			
		
	
	
		d936377414
		
	
	
	
	
		
			
			Roi reported a crash in flower where tp->root was NULL in ->classify() callbacks. Reason is that in ->destroy() tp->root is set to NULL via RCU_INIT_POINTER(). It's problematic for some of the classifiers, because this doesn't respect RCU grace period for them, and as a result, still outstanding readers from tc_classify() will try to blindly dereference a NULL tp->root. The tp->root object is strictly private to the classifier implementation and holds internal data the core such as tc_ctl_tfilter() doesn't know about. Within some classifiers, such as cls_bpf, cls_basic, etc, tp->root is only checked for NULL in ->get() callback, but nowhere else. This is misleading and seemed to be copied from old classifier code that was not cleaned up properly. For example,d3fa76ee6b("[NET_SCHED]: cls_basic: fix NULL pointer dereference") moved tp->root initialization into ->init() routine, where before it was part of ->change(), so ->get() had to deal with tp->root being NULL back then, so that was indeed a valid case, afterd3fa76ee6b, not really anymore. We used to set tp->root to NULL long ago in ->destroy(), see47a1a1d4be("pkt_sched: remove unnecessary xchg() in packet classifiers"); but the NULLifying was reintroduced with the RCUification, but it's not correct for every classifier implementation. In the cases that are fixed here with one exception of cls_cgroup, tp->root object is allocated and initialized inside ->init() callback, which is always performed at a point in time after we allocate a new tp, which means tp and thus tp->root was not globally visible in the tp chain yet (see tc_ctl_tfilter()). Also, on destruction tp->root is strictly kfree_rcu()'ed in ->destroy() handler, same for the tp which is kfree_rcu()'ed right when we return from ->destroy() in tcf_destroy(). This means, the head object's lifetime for such classifiers is always tied to the tp lifetime. The RCU callback invocation for the two kfree_rcu() could be out of order, but that's fine since both are independent. Dropping the RCU_INIT_POINTER(tp->root, NULL) for these classifiers here means that 1) we don't need a useless NULL check in fast-path and, 2) that outstanding readers of that tp in tc_classify() can still execute under respect with RCU grace period as it is actually expected. Things that haven't been touched here: cls_fw and cls_route. They each handle tp->root being NULL in ->classify() path for historic reasons, so their ->destroy() implementation can stay as is. If someone actually cares, they could get cleaned up at some point to avoid the test in fast path. cls_u32 doesn't set tp->root to NULL. For cls_rsvp, I just added a !head should anyone actually be using/testing it, so it at least aligns with cls_fw and cls_route. For cls_flower we additionally need to defer rhashtable destruction (to a sleepable context) after RCU grace period as concurrent readers might still access it. (Note that in this case we need to hold module reference to keep work callback address intact, since we only wait on module unload for all call_rcu()s to finish.) This fixes one race to bring RCU grace period guarantees back. Next step as worked on by Cong however is to fix1e052be69d("net_sched: destroy proto tp when all filters are gone") to get the order of unlinking the tp in tc_ctl_tfilter() for the RTM_DELTFILTER case right by moving RCU_INIT_POINTER() before tcf_destroy() and let the notification for removal be done through the prior ->delete() callback. Both are independant issues. Once we have that right, we can then clean tp->root up for a number of classifiers by not making them RCU pointers, which requires a new callback (->uninit) that is triggered from tp's RCU callback, where we just kfree() tp->root from there. Fixes:1f947bf151("net: sched: rcu'ify cls_bpf") Fixes:9888faefe1("net: sched: cls_basic use RCU") Fixes:70da9f0bf9("net: sched: cls_flow use RCU") Fixes:77b9900ef5("tc: introduce Flower classifier") Fixes:bf3994d2ed("net/sched: introduce Match-all classifier") Fixes:952313bd62("net: sched: cls_cgroup use RCU") Reported-by: Roi Dayan <roid@mellanox.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Cc: Cong Wang <xiyou.wangcong@gmail.com> Cc: John Fastabend <john.fastabend@gmail.com> Cc: Roi Dayan <roid@mellanox.com> Cc: Jiri Pirko <jiri@mellanox.com> Acked-by: John Fastabend <john.r.fastabend@intel.com> Acked-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
		
			
				
	
	
		
			221 lines
		
	
	
		
			4.9 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			221 lines
		
	
	
		
			4.9 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /*
 | |
|  * net/sched/cls_cgroup.c	Control Group Classifier
 | |
|  *
 | |
|  *		This program is free software; you can redistribute it and/or
 | |
|  *		modify it under the terms of the GNU General Public License
 | |
|  *		as published by the Free Software Foundation; either version
 | |
|  *		2 of the License, or (at your option) any later version.
 | |
|  *
 | |
|  * Authors:	Thomas Graf <tgraf@suug.ch>
 | |
|  */
 | |
| 
 | |
| #include <linux/module.h>
 | |
| #include <linux/slab.h>
 | |
| #include <linux/skbuff.h>
 | |
| #include <linux/rcupdate.h>
 | |
| #include <net/rtnetlink.h>
 | |
| #include <net/pkt_cls.h>
 | |
| #include <net/sock.h>
 | |
| #include <net/cls_cgroup.h>
 | |
| 
 | |
| struct cls_cgroup_head {
 | |
| 	u32			handle;
 | |
| 	struct tcf_exts		exts;
 | |
| 	struct tcf_ematch_tree	ematches;
 | |
| 	struct tcf_proto	*tp;
 | |
| 	struct rcu_head		rcu;
 | |
| };
 | |
| 
 | |
| static int cls_cgroup_classify(struct sk_buff *skb, const struct tcf_proto *tp,
 | |
| 			       struct tcf_result *res)
 | |
| {
 | |
| 	struct cls_cgroup_head *head = rcu_dereference_bh(tp->root);
 | |
| 	u32 classid = task_get_classid(skb);
 | |
| 
 | |
| 	if (!classid)
 | |
| 		return -1;
 | |
| 	if (!tcf_em_tree_match(skb, &head->ematches, NULL))
 | |
| 		return -1;
 | |
| 
 | |
| 	res->classid = classid;
 | |
| 	res->class = 0;
 | |
| 
 | |
| 	return tcf_exts_exec(skb, &head->exts, res);
 | |
| }
 | |
| 
 | |
| static unsigned long cls_cgroup_get(struct tcf_proto *tp, u32 handle)
 | |
| {
 | |
| 	return 0UL;
 | |
| }
 | |
| 
 | |
| static int cls_cgroup_init(struct tcf_proto *tp)
 | |
| {
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| static const struct nla_policy cgroup_policy[TCA_CGROUP_MAX + 1] = {
 | |
| 	[TCA_CGROUP_EMATCHES]	= { .type = NLA_NESTED },
 | |
| };
 | |
| 
 | |
| static void cls_cgroup_destroy_rcu(struct rcu_head *root)
 | |
| {
 | |
| 	struct cls_cgroup_head *head = container_of(root,
 | |
| 						    struct cls_cgroup_head,
 | |
| 						    rcu);
 | |
| 
 | |
| 	tcf_exts_destroy(&head->exts);
 | |
| 	tcf_em_tree_destroy(&head->ematches);
 | |
| 	kfree(head);
 | |
| }
 | |
| 
 | |
| static int cls_cgroup_change(struct net *net, struct sk_buff *in_skb,
 | |
| 			     struct tcf_proto *tp, unsigned long base,
 | |
| 			     u32 handle, struct nlattr **tca,
 | |
| 			     unsigned long *arg, bool ovr)
 | |
| {
 | |
| 	struct nlattr *tb[TCA_CGROUP_MAX + 1];
 | |
| 	struct cls_cgroup_head *head = rtnl_dereference(tp->root);
 | |
| 	struct cls_cgroup_head *new;
 | |
| 	struct tcf_ematch_tree t;
 | |
| 	struct tcf_exts e;
 | |
| 	int err;
 | |
| 
 | |
| 	if (!tca[TCA_OPTIONS])
 | |
| 		return -EINVAL;
 | |
| 
 | |
| 	if (!head && !handle)
 | |
| 		return -EINVAL;
 | |
| 
 | |
| 	if (head && handle != head->handle)
 | |
| 		return -ENOENT;
 | |
| 
 | |
| 	new = kzalloc(sizeof(*head), GFP_KERNEL);
 | |
| 	if (!new)
 | |
| 		return -ENOBUFS;
 | |
| 
 | |
| 	err = tcf_exts_init(&new->exts, TCA_CGROUP_ACT, TCA_CGROUP_POLICE);
 | |
| 	if (err < 0)
 | |
| 		goto errout;
 | |
| 	new->handle = handle;
 | |
| 	new->tp = tp;
 | |
| 	err = nla_parse_nested(tb, TCA_CGROUP_MAX, tca[TCA_OPTIONS],
 | |
| 			       cgroup_policy);
 | |
| 	if (err < 0)
 | |
| 		goto errout;
 | |
| 
 | |
| 	err = tcf_exts_init(&e, TCA_CGROUP_ACT, TCA_CGROUP_POLICE);
 | |
| 	if (err < 0)
 | |
| 		goto errout;
 | |
| 	err = tcf_exts_validate(net, tp, tb, tca[TCA_RATE], &e, ovr);
 | |
| 	if (err < 0) {
 | |
| 		tcf_exts_destroy(&e);
 | |
| 		goto errout;
 | |
| 	}
 | |
| 
 | |
| 	err = tcf_em_tree_validate(tp, tb[TCA_CGROUP_EMATCHES], &t);
 | |
| 	if (err < 0) {
 | |
| 		tcf_exts_destroy(&e);
 | |
| 		goto errout;
 | |
| 	}
 | |
| 
 | |
| 	tcf_exts_change(tp, &new->exts, &e);
 | |
| 	tcf_em_tree_change(tp, &new->ematches, &t);
 | |
| 
 | |
| 	rcu_assign_pointer(tp->root, new);
 | |
| 	if (head)
 | |
| 		call_rcu(&head->rcu, cls_cgroup_destroy_rcu);
 | |
| 	return 0;
 | |
| errout:
 | |
| 	tcf_exts_destroy(&new->exts);
 | |
| 	kfree(new);
 | |
| 	return err;
 | |
| }
 | |
| 
 | |
| static bool cls_cgroup_destroy(struct tcf_proto *tp, bool force)
 | |
| {
 | |
| 	struct cls_cgroup_head *head = rtnl_dereference(tp->root);
 | |
| 
 | |
| 	if (!force)
 | |
| 		return false;
 | |
| 	/* Head can still be NULL due to cls_cgroup_init(). */
 | |
| 	if (head)
 | |
| 		call_rcu(&head->rcu, cls_cgroup_destroy_rcu);
 | |
| 
 | |
| 	return true;
 | |
| }
 | |
| 
 | |
| static int cls_cgroup_delete(struct tcf_proto *tp, unsigned long arg)
 | |
| {
 | |
| 	return -EOPNOTSUPP;
 | |
| }
 | |
| 
 | |
| static void cls_cgroup_walk(struct tcf_proto *tp, struct tcf_walker *arg)
 | |
| {
 | |
| 	struct cls_cgroup_head *head = rtnl_dereference(tp->root);
 | |
| 
 | |
| 	if (arg->count < arg->skip)
 | |
| 		goto skip;
 | |
| 
 | |
| 	if (arg->fn(tp, (unsigned long) head, arg) < 0) {
 | |
| 		arg->stop = 1;
 | |
| 		return;
 | |
| 	}
 | |
| skip:
 | |
| 	arg->count++;
 | |
| }
 | |
| 
 | |
| static int cls_cgroup_dump(struct net *net, struct tcf_proto *tp, unsigned long fh,
 | |
| 			   struct sk_buff *skb, struct tcmsg *t)
 | |
| {
 | |
| 	struct cls_cgroup_head *head = rtnl_dereference(tp->root);
 | |
| 	struct nlattr *nest;
 | |
| 
 | |
| 	t->tcm_handle = head->handle;
 | |
| 
 | |
| 	nest = nla_nest_start(skb, TCA_OPTIONS);
 | |
| 	if (nest == NULL)
 | |
| 		goto nla_put_failure;
 | |
| 
 | |
| 	if (tcf_exts_dump(skb, &head->exts) < 0 ||
 | |
| 	    tcf_em_tree_dump(skb, &head->ematches, TCA_CGROUP_EMATCHES) < 0)
 | |
| 		goto nla_put_failure;
 | |
| 
 | |
| 	nla_nest_end(skb, nest);
 | |
| 
 | |
| 	if (tcf_exts_dump_stats(skb, &head->exts) < 0)
 | |
| 		goto nla_put_failure;
 | |
| 
 | |
| 	return skb->len;
 | |
| 
 | |
| nla_put_failure:
 | |
| 	nla_nest_cancel(skb, nest);
 | |
| 	return -1;
 | |
| }
 | |
| 
 | |
| static struct tcf_proto_ops cls_cgroup_ops __read_mostly = {
 | |
| 	.kind		=	"cgroup",
 | |
| 	.init		=	cls_cgroup_init,
 | |
| 	.change		=	cls_cgroup_change,
 | |
| 	.classify	=	cls_cgroup_classify,
 | |
| 	.destroy	=	cls_cgroup_destroy,
 | |
| 	.get		=	cls_cgroup_get,
 | |
| 	.delete		=	cls_cgroup_delete,
 | |
| 	.walk		=	cls_cgroup_walk,
 | |
| 	.dump		=	cls_cgroup_dump,
 | |
| 	.owner		=	THIS_MODULE,
 | |
| };
 | |
| 
 | |
| static int __init init_cgroup_cls(void)
 | |
| {
 | |
| 	return register_tcf_proto_ops(&cls_cgroup_ops);
 | |
| }
 | |
| 
 | |
| static void __exit exit_cgroup_cls(void)
 | |
| {
 | |
| 	unregister_tcf_proto_ops(&cls_cgroup_ops);
 | |
| }
 | |
| 
 | |
| module_init(init_cgroup_cls);
 | |
| module_exit(exit_cgroup_cls);
 | |
| MODULE_LICENSE("GPL");
 |