From 9888faefe1327909f3acf34d1feda87a368bb858 Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Fri, 12 Sep 2014 20:05:59 -0700 Subject: net: sched: cls_basic use RCU Enable basic classifier for RCU. Dereferencing tp->root may look a bit strange here but it is needed by my accounting because it is allocated at init time and needs to be kfree'd at destroy time. However because it may be referenced in the classify() path we must wait an RCU grace period before free'ing it. We use kfree_rcu() and rcu_ APIs to enforce this. This pattern is used in all the classifiers. Also the hgenerator can be incremented without concern because it is always incremented under RTNL. Signed-off-by: John Fastabend Acked-by: Eric Dumazet Signed-off-by: David S. Miller --- net/sched/cls_basic.c | 80 +++++++++++++++++++++++++++++---------------------- 1 file changed, 45 insertions(+), 35 deletions(-) (limited to 'net/sched/cls_basic.c') diff --git a/net/sched/cls_basic.c b/net/sched/cls_basic.c index 0ae1813e3e9..1937298d677 100644 --- a/net/sched/cls_basic.c +++ b/net/sched/cls_basic.c @@ -24,6 +24,7 @@ struct basic_head { u32 hgenerator; struct list_head flist; + struct rcu_head rcu; }; struct basic_filter { @@ -31,17 +32,19 @@ struct basic_filter { struct tcf_exts exts; struct tcf_ematch_tree ematches; struct tcf_result res; + struct tcf_proto *tp; struct list_head link; + struct rcu_head rcu; }; static int basic_classify(struct sk_buff *skb, const struct tcf_proto *tp, struct tcf_result *res) { int r; - struct basic_head *head = tp->root; + struct basic_head *head = rcu_dereference_bh(tp->root); struct basic_filter *f; - list_for_each_entry(f, &head->flist, link) { + list_for_each_entry_rcu(f, &head->flist, link) { if (!tcf_em_tree_match(skb, &f->ematches, NULL)) continue; *res = f->res; @@ -56,7 +59,7 @@ static int basic_classify(struct sk_buff *skb, const struct tcf_proto *tp, static unsigned long basic_get(struct tcf_proto *tp, u32 handle) { unsigned long l = 0UL; - struct basic_head *head = tp->root; + struct basic_head *head = rtnl_dereference(tp->root); struct basic_filter *f; if (head == NULL) @@ -81,12 +84,15 @@ static int basic_init(struct tcf_proto *tp) if (head == NULL) return -ENOBUFS; INIT_LIST_HEAD(&head->flist); - tp->root = head; + rcu_assign_pointer(tp->root, head); return 0; } -static void basic_delete_filter(struct tcf_proto *tp, struct basic_filter *f) +static void basic_delete_filter(struct rcu_head *head) { + struct basic_filter *f = container_of(head, struct basic_filter, rcu); + struct tcf_proto *tp = f->tp; + tcf_unbind_filter(tp, &f->res); tcf_exts_destroy(tp, &f->exts); tcf_em_tree_destroy(tp, &f->ematches); @@ -95,27 +101,26 @@ static void basic_delete_filter(struct tcf_proto *tp, struct basic_filter *f) static void basic_destroy(struct tcf_proto *tp) { - struct basic_head *head = tp->root; + struct basic_head *head = rtnl_dereference(tp->root); struct basic_filter *f, *n; list_for_each_entry_safe(f, n, &head->flist, link) { - list_del(&f->link); - basic_delete_filter(tp, f); + list_del_rcu(&f->link); + call_rcu(&f->rcu, basic_delete_filter); } - kfree(head); + RCU_INIT_POINTER(tp->root, NULL); + kfree_rcu(head, rcu); } static int basic_delete(struct tcf_proto *tp, unsigned long arg) { - struct basic_head *head = tp->root; + struct basic_head *head = rtnl_dereference(tp->root); struct basic_filter *t, *f = (struct basic_filter *) arg; list_for_each_entry(t, &head->flist, link) if (t == f) { - tcf_tree_lock(tp); - list_del(&t->link); - tcf_tree_unlock(tp); - basic_delete_filter(tp, t); + list_del_rcu(&t->link); + call_rcu(&t->rcu, basic_delete_filter); return 0; } @@ -152,6 +157,7 @@ static int basic_set_parms(struct net *net, struct tcf_proto *tp, tcf_exts_change(tp, &f->exts, &e); tcf_em_tree_change(tp, &f->ematches, &t); + f->tp = tp; return 0; errout: @@ -164,9 +170,10 @@ static int basic_change(struct net *net, struct sk_buff *in_skb, struct nlattr **tca, unsigned long *arg, bool ovr) { int err; - struct basic_head *head = tp->root; + struct basic_head *head = rtnl_dereference(tp->root); struct nlattr *tb[TCA_BASIC_MAX + 1]; - struct basic_filter *f = (struct basic_filter *) *arg; + struct basic_filter *fold = (struct basic_filter *) *arg; + struct basic_filter *fnew; if (tca[TCA_OPTIONS] == NULL) return -EINVAL; @@ -176,22 +183,23 @@ static int basic_change(struct net *net, struct sk_buff *in_skb, if (err < 0) return err; - if (f != NULL) { - if (handle && f->handle != handle) + if (fold != NULL) { + if (handle && fold->handle != handle) return -EINVAL; - return basic_set_parms(net, tp, f, base, tb, tca[TCA_RATE], ovr); } err = -ENOBUFS; - f = kzalloc(sizeof(*f), GFP_KERNEL); - if (f == NULL) + fnew = kzalloc(sizeof(*fnew), GFP_KERNEL); + if (fnew == NULL) goto errout; - tcf_exts_init(&f->exts, TCA_BASIC_ACT, TCA_BASIC_POLICE); + tcf_exts_init(&fnew->exts, TCA_BASIC_ACT, TCA_BASIC_POLICE); err = -EINVAL; - if (handle) - f->handle = handle; - else { + if (handle) { + fnew->handle = handle; + } else if (fold) { + fnew->handle = fold->handle; + } else { unsigned int i = 0x80000000; do { if (++head->hgenerator == 0x7FFFFFFF) @@ -203,29 +211,31 @@ static int basic_change(struct net *net, struct sk_buff *in_skb, goto errout; } - f->handle = head->hgenerator; + fnew->handle = head->hgenerator; } - err = basic_set_parms(net, tp, f, base, tb, tca[TCA_RATE], ovr); + err = basic_set_parms(net, tp, fnew, base, tb, tca[TCA_RATE], ovr); if (err < 0) goto errout; - tcf_tree_lock(tp); - list_add(&f->link, &head->flist); - tcf_tree_unlock(tp); - *arg = (unsigned long) f; + *arg = (unsigned long)fnew; + + if (fold) { + list_replace_rcu(&fold->link, &fnew->link); + call_rcu(&fold->rcu, basic_delete_filter); + } else { + list_add_rcu(&fnew->link, &head->flist); + } return 0; errout: - if (*arg == 0UL && f) - kfree(f); - + kfree(fnew); return err; } static void basic_walk(struct tcf_proto *tp, struct tcf_walker *arg) { - struct basic_head *head = tp->root; + struct basic_head *head = rtnl_dereference(tp->root); struct basic_filter *f; list_for_each_entry(f, &head->flist, link) { -- cgit v1.2.3-70-g09d2 From 18d0264f630e200772bf236ac5747c47e908501e Mon Sep 17 00:00:00 2001 From: WANG Cong Date: Thu, 25 Sep 2014 10:26:37 -0700 Subject: net_sched: remove the first parameter from tcf_exts_destroy() Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller --- include/net/pkt_cls.h | 2 +- net/sched/cls_api.c | 2 +- net/sched/cls_basic.c | 4 ++-- net/sched/cls_bpf.c | 4 ++-- net/sched/cls_cgroup.c | 6 +++--- net/sched/cls_flow.c | 4 ++-- net/sched/cls_fw.c | 4 ++-- net/sched/cls_route.c | 4 ++-- net/sched/cls_rsvp.h | 4 ++-- net/sched/cls_tcindex.c | 4 ++-- net/sched/cls_u32.c | 4 ++-- 11 files changed, 21 insertions(+), 21 deletions(-) (limited to 'net/sched/cls_basic.c') diff --git a/include/net/pkt_cls.h b/include/net/pkt_cls.h index 6da46dcf104..73f9532ee58 100644 --- a/include/net/pkt_cls.h +++ b/include/net/pkt_cls.h @@ -137,7 +137,7 @@ tcf_exts_exec(struct sk_buff *skb, struct tcf_exts *exts, int tcf_exts_validate(struct net *net, struct tcf_proto *tp, struct nlattr **tb, struct nlattr *rate_tlv, struct tcf_exts *exts, bool ovr); -void tcf_exts_destroy(struct tcf_proto *tp, struct tcf_exts *exts); +void tcf_exts_destroy(struct tcf_exts *exts); void tcf_exts_change(struct tcf_proto *tp, struct tcf_exts *dst, struct tcf_exts *src); int tcf_exts_dump(struct sk_buff *skb, struct tcf_exts *exts); diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index e547efdaba9..77147c8c4ac 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -496,7 +496,7 @@ out: return skb->len; } -void tcf_exts_destroy(struct tcf_proto *tp, struct tcf_exts *exts) +void tcf_exts_destroy(struct tcf_exts *exts) { #ifdef CONFIG_NET_CLS_ACT tcf_action_destroy(&exts->actions, TCA_ACT_UNBIND); diff --git a/net/sched/cls_basic.c b/net/sched/cls_basic.c index 1937298d677..fe20826a79e 100644 --- a/net/sched/cls_basic.c +++ b/net/sched/cls_basic.c @@ -94,7 +94,7 @@ static void basic_delete_filter(struct rcu_head *head) struct tcf_proto *tp = f->tp; tcf_unbind_filter(tp, &f->res); - tcf_exts_destroy(tp, &f->exts); + tcf_exts_destroy(&f->exts); tcf_em_tree_destroy(tp, &f->ematches); kfree(f); } @@ -161,7 +161,7 @@ static int basic_set_parms(struct net *net, struct tcf_proto *tp, return 0; errout: - tcf_exts_destroy(tp, &e); + tcf_exts_destroy(&e); return err; } diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c index 4e3f5bfc0b2..4318d067b0a 100644 --- a/net/sched/cls_bpf.c +++ b/net/sched/cls_bpf.c @@ -93,7 +93,7 @@ static int cls_bpf_init(struct tcf_proto *tp) static void cls_bpf_delete_prog(struct tcf_proto *tp, struct cls_bpf_prog *prog) { tcf_unbind_filter(tp, &prog->res); - tcf_exts_destroy(tp, &prog->exts); + tcf_exts_destroy(&prog->exts); bpf_prog_destroy(prog->filter); @@ -217,7 +217,7 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp, errout_free: kfree(bpf_ops); errout: - tcf_exts_destroy(tp, &exts); + tcf_exts_destroy(&exts); return ret; } diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c index 15c34d4ccd9..3409f168225 100644 --- a/net/sched/cls_cgroup.c +++ b/net/sched/cls_cgroup.c @@ -86,7 +86,7 @@ static void cls_cgroup_destroy_rcu(struct rcu_head *root) struct cls_cgroup_head, rcu); - tcf_exts_destroy(head->tp, &head->exts); + tcf_exts_destroy(&head->exts); tcf_em_tree_destroy(head->tp, &head->ematches); kfree(head); } @@ -135,7 +135,7 @@ static int cls_cgroup_change(struct net *net, struct sk_buff *in_skb, err = tcf_em_tree_validate(tp, tb[TCA_CGROUP_EMATCHES], &t); if (err < 0) { - tcf_exts_destroy(tp, &e); + tcf_exts_destroy(&e); goto errout; } @@ -156,7 +156,7 @@ static void cls_cgroup_destroy(struct tcf_proto *tp) struct cls_cgroup_head *head = rtnl_dereference(tp->root); if (head) { - tcf_exts_destroy(tp, &head->exts); + tcf_exts_destroy(&head->exts); tcf_em_tree_destroy(tp, &head->ematches); RCU_INIT_POINTER(tp->root, NULL); kfree_rcu(head, rcu); diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c index 95736fa479f..f18d27f7b5f 100644 --- a/net/sched/cls_flow.c +++ b/net/sched/cls_flow.c @@ -354,7 +354,7 @@ static void flow_destroy_filter(struct rcu_head *head) struct flow_filter *f = container_of(head, struct flow_filter, rcu); del_timer_sync(&f->perturb_timer); - tcf_exts_destroy(f->tp, &f->exts); + tcf_exts_destroy(&f->exts); tcf_em_tree_destroy(f->tp, &f->ematches); kfree(f); } @@ -533,7 +533,7 @@ err2: tcf_em_tree_destroy(tp, &t); kfree(fnew); err1: - tcf_exts_destroy(tp, &e); + tcf_exts_destroy(&e); return err; } diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c index 2650285620e..da805aeeb65 100644 --- a/net/sched/cls_fw.c +++ b/net/sched/cls_fw.c @@ -126,7 +126,7 @@ static void fw_delete_filter(struct rcu_head *head) struct tcf_proto *tp = f->tp; tcf_unbind_filter(tp, &f->res); - tcf_exts_destroy(tp, &f->exts); + tcf_exts_destroy(&f->exts); kfree(f); } @@ -223,7 +223,7 @@ fw_change_attrs(struct net *net, struct tcf_proto *tp, struct fw_filter *f, return 0; errout: - tcf_exts_destroy(tp, &e); + tcf_exts_destroy(&e); return err; } diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c index ba96deacf27..b665aee661f 100644 --- a/net/sched/cls_route.c +++ b/net/sched/cls_route.c @@ -272,7 +272,7 @@ route4_delete_filter(struct rcu_head *head) struct tcf_proto *tp = f->tp; tcf_unbind_filter(tp, &f->res); - tcf_exts_destroy(tp, &f->exts); + tcf_exts_destroy(&f->exts); kfree(f); } @@ -456,7 +456,7 @@ static int route4_set_parms(struct net *net, struct tcf_proto *tp, return 0; errout: - tcf_exts_destroy(tp, &e); + tcf_exts_destroy(&e); return err; } diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h index b044c208b13..1c64a09753c 100644 --- a/net/sched/cls_rsvp.h +++ b/net/sched/cls_rsvp.h @@ -264,7 +264,7 @@ static void rsvp_delete_filter(struct tcf_proto *tp, struct rsvp_filter *f) { tcf_unbind_filter(tp, &f->res); - tcf_exts_destroy(tp, &f->exts); + tcf_exts_destroy(&f->exts); kfree_rcu(f, rcu); } @@ -577,7 +577,7 @@ insert: errout: kfree(f); errout2: - tcf_exts_destroy(tp, &e); + tcf_exts_destroy(&e); return err; } diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c index 5054fae33a4..e3c6fa3ea3d 100644 --- a/net/sched/cls_tcindex.c +++ b/net/sched/cls_tcindex.c @@ -169,7 +169,7 @@ found: rcu_assign_pointer(*walk, rtnl_dereference(f->next)); } tcf_unbind_filter(tp, &r->res); - tcf_exts_destroy(tp, &r->exts); + tcf_exts_destroy(&r->exts); if (f) kfree_rcu(f, rcu); return 0; @@ -401,7 +401,7 @@ errout_alloc: kfree(cp->h); errout: kfree(cp); - tcf_exts_destroy(tp, &e); + tcf_exts_destroy(&e); return err; } diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c index ef97a646ee9..4be3ebf46d6 100644 --- a/net/sched/cls_u32.c +++ b/net/sched/cls_u32.c @@ -359,7 +359,7 @@ static int u32_destroy_key(struct tcf_proto *tp, bool free_pf) { tcf_unbind_filter(tp, &n->res); - tcf_exts_destroy(tp, &n->exts); + tcf_exts_destroy(&n->exts); if (n->ht_down) n->ht_down->refcnt--; #ifdef CONFIG_CLS_U32_PERF @@ -606,7 +606,7 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, return 0; errout: - tcf_exts_destroy(tp, &e); + tcf_exts_destroy(&e); return err; } -- cgit v1.2.3-70-g09d2 From 82a470f1119eb7d2e4941b915bf9cd6fd8d54494 Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Sun, 5 Oct 2014 21:27:53 -0700 Subject: net: sched: remove tcf_proto from ematch calls This removes the tcf_proto argument from the ematch code paths that only need it to reference the net namespace. This allows simplifying qdisc code paths especially when we need to tear down the ematch from an RCU callback. In this case we can not guarentee that the tcf_proto structure is still valid. Signed-off-by: John Fastabend Acked-by: Cong Wang Signed-off-by: David S. Miller --- include/net/pkt_cls.h | 10 +++++----- net/sched/cls_basic.c | 2 +- net/sched/cls_cgroup.c | 4 ++-- net/sched/cls_flow.c | 4 ++-- net/sched/em_canid.c | 4 ++-- net/sched/em_ipset.c | 7 +++---- net/sched/em_meta.c | 4 ++-- net/sched/em_nbyte.c | 2 +- net/sched/em_text.c | 4 ++-- net/sched/ematch.c | 10 ++++++---- 10 files changed, 26 insertions(+), 25 deletions(-) (limited to 'net/sched/cls_basic.c') diff --git a/include/net/pkt_cls.h b/include/net/pkt_cls.h index ef44ad9a642..bc49967e1a6 100644 --- a/include/net/pkt_cls.h +++ b/include/net/pkt_cls.h @@ -166,6 +166,7 @@ struct tcf_ematch { unsigned int datalen; u16 matchid; u16 flags; + struct net *net; }; static inline int tcf_em_is_container(struct tcf_ematch *em) @@ -229,12 +230,11 @@ struct tcf_ematch_tree { struct tcf_ematch_ops { int kind; int datalen; - int (*change)(struct tcf_proto *, void *, + int (*change)(struct net *net, void *, int, struct tcf_ematch *); int (*match)(struct sk_buff *, struct tcf_ematch *, struct tcf_pkt_info *); - void (*destroy)(struct tcf_proto *, - struct tcf_ematch *); + void (*destroy)(struct tcf_ematch *); int (*dump)(struct sk_buff *, struct tcf_ematch *); struct module *owner; struct list_head link; @@ -244,7 +244,7 @@ int tcf_em_register(struct tcf_ematch_ops *); void tcf_em_unregister(struct tcf_ematch_ops *); int tcf_em_tree_validate(struct tcf_proto *, struct nlattr *, struct tcf_ematch_tree *); -void tcf_em_tree_destroy(struct tcf_proto *, struct tcf_ematch_tree *); +void tcf_em_tree_destroy(struct tcf_ematch_tree *); int tcf_em_tree_dump(struct sk_buff *, struct tcf_ematch_tree *, int); int __tcf_em_tree_match(struct sk_buff *, struct tcf_ematch_tree *, struct tcf_pkt_info *); @@ -301,7 +301,7 @@ struct tcf_ematch_tree { }; #define tcf_em_tree_validate(tp, tb, t) ((void)(t), 0) -#define tcf_em_tree_destroy(tp, t) do { (void)(t); } while(0) +#define tcf_em_tree_destroy(t) do { (void)(t); } while(0) #define tcf_em_tree_dump(skb, t, tlv) (0) #define tcf_em_tree_change(tp, dst, src) do { } while(0) #define tcf_em_tree_match(skb, t, info) ((void)(info), 1) diff --git a/net/sched/cls_basic.c b/net/sched/cls_basic.c index fe20826a79e..90647a8af8c 100644 --- a/net/sched/cls_basic.c +++ b/net/sched/cls_basic.c @@ -95,7 +95,7 @@ static void basic_delete_filter(struct rcu_head *head) tcf_unbind_filter(tp, &f->res); tcf_exts_destroy(&f->exts); - tcf_em_tree_destroy(tp, &f->ematches); + tcf_em_tree_destroy(&f->ematches); kfree(f); } diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c index 3409f168225..2f77a89655d 100644 --- a/net/sched/cls_cgroup.c +++ b/net/sched/cls_cgroup.c @@ -87,7 +87,7 @@ static void cls_cgroup_destroy_rcu(struct rcu_head *root) rcu); tcf_exts_destroy(&head->exts); - tcf_em_tree_destroy(head->tp, &head->ematches); + tcf_em_tree_destroy(&head->ematches); kfree(head); } @@ -157,7 +157,7 @@ static void cls_cgroup_destroy(struct tcf_proto *tp) if (head) { tcf_exts_destroy(&head->exts); - tcf_em_tree_destroy(tp, &head->ematches); + tcf_em_tree_destroy(&head->ematches); RCU_INIT_POINTER(tp->root, NULL); kfree_rcu(head, rcu); } diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c index f18d27f7b5f..a5d2b20db56 100644 --- a/net/sched/cls_flow.c +++ b/net/sched/cls_flow.c @@ -355,7 +355,7 @@ static void flow_destroy_filter(struct rcu_head *head) del_timer_sync(&f->perturb_timer); tcf_exts_destroy(&f->exts); - tcf_em_tree_destroy(f->tp, &f->ematches); + tcf_em_tree_destroy(&f->ematches); kfree(f); } @@ -530,7 +530,7 @@ static int flow_change(struct net *net, struct sk_buff *in_skb, return 0; err2: - tcf_em_tree_destroy(tp, &t); + tcf_em_tree_destroy(&t); kfree(fnew); err1: tcf_exts_destroy(&e); diff --git a/net/sched/em_canid.c b/net/sched/em_canid.c index 7c292d474f4..ddd883ca55b 100644 --- a/net/sched/em_canid.c +++ b/net/sched/em_canid.c @@ -120,7 +120,7 @@ static int em_canid_match(struct sk_buff *skb, struct tcf_ematch *m, return match; } -static int em_canid_change(struct tcf_proto *tp, void *data, int len, +static int em_canid_change(struct net *net, void *data, int len, struct tcf_ematch *m) { struct can_filter *conf = data; /* Array with rules */ @@ -183,7 +183,7 @@ static int em_canid_change(struct tcf_proto *tp, void *data, int len, return 0; } -static void em_canid_destroy(struct tcf_proto *tp, struct tcf_ematch *m) +static void em_canid_destroy(struct tcf_ematch *m) { struct canid_match *cm = em_canid_priv(m); diff --git a/net/sched/em_ipset.c b/net/sched/em_ipset.c index 527aeb7a3ff..5b4a4efe468 100644 --- a/net/sched/em_ipset.c +++ b/net/sched/em_ipset.c @@ -19,12 +19,11 @@ #include #include -static int em_ipset_change(struct tcf_proto *tp, void *data, int data_len, +static int em_ipset_change(struct net *net, void *data, int data_len, struct tcf_ematch *em) { struct xt_set_info *set = data; ip_set_id_t index; - struct net *net = dev_net(qdisc_dev(tp->q)); if (data_len != sizeof(*set)) return -EINVAL; @@ -42,11 +41,11 @@ static int em_ipset_change(struct tcf_proto *tp, void *data, int data_len, return -ENOMEM; } -static void em_ipset_destroy(struct tcf_proto *p, struct tcf_ematch *em) +static void em_ipset_destroy(struct tcf_ematch *em) { const struct xt_set_info *set = (const void *) em->data; if (set) { - ip_set_nfnl_put(dev_net(qdisc_dev(p->q)), set->index); + ip_set_nfnl_put(em->net, set->index); kfree((void *) em->data); } } diff --git a/net/sched/em_meta.c b/net/sched/em_meta.c index 9b8c0b0e60d..c8f8c399b99 100644 --- a/net/sched/em_meta.c +++ b/net/sched/em_meta.c @@ -856,7 +856,7 @@ static const struct nla_policy meta_policy[TCA_EM_META_MAX + 1] = { [TCA_EM_META_HDR] = { .len = sizeof(struct tcf_meta_hdr) }, }; -static int em_meta_change(struct tcf_proto *tp, void *data, int len, +static int em_meta_change(struct net *net, void *data, int len, struct tcf_ematch *m) { int err; @@ -908,7 +908,7 @@ errout: return err; } -static void em_meta_destroy(struct tcf_proto *tp, struct tcf_ematch *m) +static void em_meta_destroy(struct tcf_ematch *m) { if (m) meta_delete((struct meta_match *) m->data); diff --git a/net/sched/em_nbyte.c b/net/sched/em_nbyte.c index a3bed07a008..df3110d6958 100644 --- a/net/sched/em_nbyte.c +++ b/net/sched/em_nbyte.c @@ -23,7 +23,7 @@ struct nbyte_data { char pattern[0]; }; -static int em_nbyte_change(struct tcf_proto *tp, void *data, int data_len, +static int em_nbyte_change(struct net *net, void *data, int data_len, struct tcf_ematch *em) { struct tcf_em_nbyte *nbyte = data; diff --git a/net/sched/em_text.c b/net/sched/em_text.c index 15d353d2e4b..f03c3de16c2 100644 --- a/net/sched/em_text.c +++ b/net/sched/em_text.c @@ -45,7 +45,7 @@ static int em_text_match(struct sk_buff *skb, struct tcf_ematch *m, return skb_find_text(skb, from, to, tm->config, &state) != UINT_MAX; } -static int em_text_change(struct tcf_proto *tp, void *data, int len, +static int em_text_change(struct net *net, void *data, int len, struct tcf_ematch *m) { struct text_match *tm; @@ -100,7 +100,7 @@ retry: return 0; } -static void em_text_destroy(struct tcf_proto *tp, struct tcf_ematch *m) +static void em_text_destroy(struct tcf_ematch *m) { if (EM_TEXT_PRIV(m) && EM_TEXT_PRIV(m)->config) textsearch_destroy(EM_TEXT_PRIV(m)->config); diff --git a/net/sched/ematch.c b/net/sched/ematch.c index ad57f4444b9..8250c36543d 100644 --- a/net/sched/ematch.c +++ b/net/sched/ematch.c @@ -178,6 +178,7 @@ static int tcf_em_validate(struct tcf_proto *tp, struct tcf_ematch_hdr *em_hdr = nla_data(nla); int data_len = nla_len(nla) - sizeof(*em_hdr); void *data = (void *) em_hdr + sizeof(*em_hdr); + struct net *net = dev_net(qdisc_dev(tp->q)); if (!TCF_EM_REL_VALID(em_hdr->flags)) goto errout; @@ -240,7 +241,7 @@ static int tcf_em_validate(struct tcf_proto *tp, goto errout; if (em->ops->change) { - err = em->ops->change(tp, data, data_len, em); + err = em->ops->change(net, data, data_len, em); if (err < 0) goto errout; } else if (data_len > 0) { @@ -271,6 +272,7 @@ static int tcf_em_validate(struct tcf_proto *tp, em->matchid = em_hdr->matchid; em->flags = em_hdr->flags; em->datalen = data_len; + em->net = net; err = 0; errout: @@ -378,7 +380,7 @@ errout: return err; errout_abort: - tcf_em_tree_destroy(tp, tree); + tcf_em_tree_destroy(tree); return err; } EXPORT_SYMBOL(tcf_em_tree_validate); @@ -393,7 +395,7 @@ EXPORT_SYMBOL(tcf_em_tree_validate); * tcf_em_tree_validate()/tcf_em_tree_change(). You must ensure that * the ematch tree is not in use before calling this function. */ -void tcf_em_tree_destroy(struct tcf_proto *tp, struct tcf_ematch_tree *tree) +void tcf_em_tree_destroy(struct tcf_ematch_tree *tree) { int i; @@ -405,7 +407,7 @@ void tcf_em_tree_destroy(struct tcf_proto *tp, struct tcf_ematch_tree *tree) if (em->ops) { if (em->ops->destroy) - em->ops->destroy(tp, em); + em->ops->destroy(em); else if (!tcf_em_is_simple(em)) kfree((void *) em->data); module_put(em->ops->owner); -- cgit v1.2.3-70-g09d2 From 18cdb37ebf4c986d9502405cbd16b0ac29770c25 Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Sun, 5 Oct 2014 21:28:52 -0700 Subject: net: sched: do not use tcf_proto 'tp' argument from call_rcu Using the tcf_proto pointer 'tp' from inside the classifiers callback is not valid because it may have been cleaned up by another call_rcu occuring on another CPU. 'tp' is currently being used by tcf_unbind_filter() in this patch we move instances of tcf_unbind_filter outside of the call_rcu() context. This is safe to do because any running schedulers will either read the valid class field or it will be zeroed. And all schedulers today when the class is 0 do a lookup using the same call used by the tcf_exts_bind(). So even if we have a running classifier hit the null class pointer it will do a lookup and get to the same result. This is particularly fragile at the moment because the only way to verify this is to audit the schedulers call sites. Reported-by: Cong Wang Signed-off-by: John Fastabend Acked-by: Cong Wang Signed-off-by: David S. Miller --- net/sched/cls_basic.c | 5 +++-- net/sched/cls_bpf.c | 4 +++- net/sched/cls_fw.c | 5 +++-- net/sched/cls_route.c | 8 +++++--- 4 files changed, 14 insertions(+), 8 deletions(-) (limited to 'net/sched/cls_basic.c') diff --git a/net/sched/cls_basic.c b/net/sched/cls_basic.c index 90647a8af8c..cd61280941e 100644 --- a/net/sched/cls_basic.c +++ b/net/sched/cls_basic.c @@ -91,9 +91,7 @@ static int basic_init(struct tcf_proto *tp) static void basic_delete_filter(struct rcu_head *head) { struct basic_filter *f = container_of(head, struct basic_filter, rcu); - struct tcf_proto *tp = f->tp; - tcf_unbind_filter(tp, &f->res); tcf_exts_destroy(&f->exts); tcf_em_tree_destroy(&f->ematches); kfree(f); @@ -106,6 +104,7 @@ static void basic_destroy(struct tcf_proto *tp) list_for_each_entry_safe(f, n, &head->flist, link) { list_del_rcu(&f->link); + tcf_unbind_filter(tp, &f->res); call_rcu(&f->rcu, basic_delete_filter); } RCU_INIT_POINTER(tp->root, NULL); @@ -120,6 +119,7 @@ static int basic_delete(struct tcf_proto *tp, unsigned long arg) list_for_each_entry(t, &head->flist, link) if (t == f) { list_del_rcu(&t->link); + tcf_unbind_filter(tp, &t->res); call_rcu(&t->rcu, basic_delete_filter); return 0; } @@ -222,6 +222,7 @@ static int basic_change(struct net *net, struct sk_buff *in_skb, if (fold) { list_replace_rcu(&fold->link, &fnew->link); + tcf_unbind_filter(tp, &fold->res); call_rcu(&fold->rcu, basic_delete_filter); } else { list_add_rcu(&fnew->link, &head->flist); diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c index 4318d067b0a..eed49d1d087 100644 --- a/net/sched/cls_bpf.c +++ b/net/sched/cls_bpf.c @@ -92,7 +92,6 @@ static int cls_bpf_init(struct tcf_proto *tp) static void cls_bpf_delete_prog(struct tcf_proto *tp, struct cls_bpf_prog *prog) { - tcf_unbind_filter(tp, &prog->res); tcf_exts_destroy(&prog->exts); bpf_prog_destroy(prog->filter); @@ -116,6 +115,7 @@ static int cls_bpf_delete(struct tcf_proto *tp, unsigned long arg) list_for_each_entry(prog, &head->plist, link) { if (prog == todel) { list_del_rcu(&prog->link); + tcf_unbind_filter(tp, &prog->res); call_rcu(&prog->rcu, __cls_bpf_delete_prog); return 0; } @@ -131,6 +131,7 @@ static void cls_bpf_destroy(struct tcf_proto *tp) list_for_each_entry_safe(prog, tmp, &head->plist, link) { list_del_rcu(&prog->link); + tcf_unbind_filter(tp, &prog->res); call_rcu(&prog->rcu, __cls_bpf_delete_prog); } @@ -282,6 +283,7 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, if (oldprog) { list_replace_rcu(&prog->link, &oldprog->link); + tcf_unbind_filter(tp, &oldprog->res); call_rcu(&oldprog->rcu, __cls_bpf_delete_prog); } else { list_add_rcu(&prog->link, &head->plist); diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c index da805aeeb65..dbfdfd1f1a9 100644 --- a/net/sched/cls_fw.c +++ b/net/sched/cls_fw.c @@ -123,9 +123,7 @@ static int fw_init(struct tcf_proto *tp) static void fw_delete_filter(struct rcu_head *head) { struct fw_filter *f = container_of(head, struct fw_filter, rcu); - struct tcf_proto *tp = f->tp; - tcf_unbind_filter(tp, &f->res); tcf_exts_destroy(&f->exts); kfree(f); } @@ -143,6 +141,7 @@ static void fw_destroy(struct tcf_proto *tp) while ((f = rtnl_dereference(head->ht[h])) != NULL) { RCU_INIT_POINTER(head->ht[h], rtnl_dereference(f->next)); + tcf_unbind_filter(tp, &f->res); call_rcu(&f->rcu, fw_delete_filter); } } @@ -166,6 +165,7 @@ static int fw_delete(struct tcf_proto *tp, unsigned long arg) fp = &pfp->next, pfp = rtnl_dereference(*fp)) { if (pfp == f) { RCU_INIT_POINTER(*fp, rtnl_dereference(f->next)); + tcf_unbind_filter(tp, &f->res); call_rcu(&f->rcu, fw_delete_filter); return 0; } @@ -280,6 +280,7 @@ static int fw_change(struct net *net, struct sk_buff *in_skb, RCU_INIT_POINTER(fnew->next, rtnl_dereference(pfp->next)); rcu_assign_pointer(*fp, fnew); + tcf_unbind_filter(tp, &f->res); call_rcu(&f->rcu, fw_delete_filter); *arg = (unsigned long)fnew; diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c index b665aee661f..6f22baae0af 100644 --- a/net/sched/cls_route.c +++ b/net/sched/cls_route.c @@ -269,9 +269,7 @@ static void route4_delete_filter(struct rcu_head *head) { struct route4_filter *f = container_of(head, struct route4_filter, rcu); - struct tcf_proto *tp = f->tp; - tcf_unbind_filter(tp, &f->res); tcf_exts_destroy(&f->exts); kfree(f); } @@ -297,6 +295,7 @@ static void route4_destroy(struct tcf_proto *tp) next = rtnl_dereference(f->next); RCU_INIT_POINTER(b->ht[h2], next); + tcf_unbind_filter(tp, &f->res); call_rcu(&f->rcu, route4_delete_filter); } } @@ -338,6 +337,7 @@ static int route4_delete(struct tcf_proto *tp, unsigned long arg) route4_reset_fastmap(head); /* Delete it */ + tcf_unbind_filter(tp, &f->res); call_rcu(&f->rcu, route4_delete_filter); /* Strip RTNL protected tree */ @@ -545,8 +545,10 @@ static int route4_change(struct net *net, struct sk_buff *in_skb, route4_reset_fastmap(head); *arg = (unsigned long)f; - if (fold) + if (fold) { + tcf_unbind_filter(tp, &fold->res); call_rcu(&fold->rcu, route4_delete_filter); + } return 0; errout: -- cgit v1.2.3-70-g09d2