summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCong Wang <xiyou.wangcong@gmail.com>2017-10-30 19:10:09 +0100
committerDavid S. Miller <davem@davemloft.net>2017-10-31 03:06:01 +0100
commit822e86d997e4d8f942818ea6ac1711f59a66ebef (patch)
tree2707ef3b0ec70f0d2332d7704a50a0ccc958fb52
parentl2tp: hold tunnel in pppol2tp_connect() (diff)
downloadlinux-822e86d997e4d8f942818ea6ac1711f59a66ebef.tar.xz
linux-822e86d997e4d8f942818ea6ac1711f59a66ebef.zip
net_sched: remove tcf_block_put_deferred()
In commit 7aa0045dadb6 ("net_sched: introduce a workqueue for RCU callbacks of tc filter") I defer tcf_chain_flush() to a workqueue, this causes a use-after-free because qdisc is already destroyed after we queue this work. The tcf_block_put_deferred() is no longer necessary after we get RTNL for each tc filter destroy work, no others could jump in at this point. Same for tcf_chain_hold(), we are fully serialized now. This also reduces one indirection therefore makes the code more readable. Note this brings back a rcu_barrier(), however comparing to the code prior to commit 7aa0045dadb6 we still reduced one rcu_barrier(). For net-next, we can consider to refcnt tcf block to avoid it. Fixes: 7aa0045dadb6 ("net_sched: introduce a workqueue for RCU callbacks of tc filter") Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: Jiri Pirko <jiri@resnulli.us> Cc: John Fastabend <john.fastabend@gmail.com> Cc: Jamal Hadi Salim <jhs@mojatatu.com> Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com> Cc: Eric Dumazet <edumazet@google.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/sched/cls_api.c37
1 files changed, 8 insertions, 29 deletions
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 231181c602ed..b2d310745487 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -280,8 +280,8 @@ static void tcf_block_put_final(struct work_struct *work)
struct tcf_block *block = container_of(work, struct tcf_block, work);
struct tcf_chain *chain, *tmp;
- /* At this point, all the chains should have refcnt == 1. */
rtnl_lock();
+ /* Only chain 0 should be still here. */
list_for_each_entry_safe(chain, tmp, &block->chain_list, list)
tcf_chain_put(chain);
rtnl_unlock();
@@ -289,23 +289,17 @@ static void tcf_block_put_final(struct work_struct *work)
}
/* XXX: Standalone actions are not allowed to jump to any chain, and bound
- * actions should be all removed after flushing. However, filters are destroyed
- * in RCU callbacks, we have to hold the chains first, otherwise we would
- * always race with RCU callbacks on this list without proper locking.
+ * actions should be all removed after flushing. However, filters are now
+ * destroyed in tc filter workqueue with RTNL lock, they can not race here.
*/
-static void tcf_block_put_deferred(struct work_struct *work)
+void tcf_block_put(struct tcf_block *block)
{
- struct tcf_block *block = container_of(work, struct tcf_block, work);
- struct tcf_chain *chain;
+ struct tcf_chain *chain, *tmp;
- rtnl_lock();
- /* Hold a refcnt for all chains, except 0, in case they are gone. */
- list_for_each_entry(chain, &block->chain_list, list)
- if (chain->index)
- tcf_chain_hold(chain);
+ if (!block)
+ return;
- /* No race on the list, because no chain could be destroyed. */
- list_for_each_entry(chain, &block->chain_list, list)
+ list_for_each_entry_safe(chain, tmp, &block->chain_list, list)
tcf_chain_flush(chain);
INIT_WORK(&block->work, tcf_block_put_final);
@@ -314,21 +308,6 @@ static void tcf_block_put_deferred(struct work_struct *work)
*/
rcu_barrier();
tcf_queue_work(&block->work);
- rtnl_unlock();
-}
-
-void tcf_block_put(struct tcf_block *block)
-{
- if (!block)
- return;
-
- INIT_WORK(&block->work, tcf_block_put_deferred);
- /* Wait for existing RCU callbacks to cool down, make sure their works
- * have been queued before this. We can not flush pending works here
- * because we are holding the RTNL lock.
- */
- rcu_barrier();
- tcf_queue_work(&block->work);
}
EXPORT_SYMBOL(tcf_block_put);