From: Cong Wang <xiyou.wangcong@gmail.com>
To: Ido Schimmel <idosch@idosch.org>
Cc: Linux Kernel Network Developers <netdev@vger.kernel.org>,
Jiri Pirko <jiri@resnulli.us>,
Jamal Hadi Salim <jhs@mojatatu.com>,
Vlad Buslov <vladbu@mellanox.com>
Subject: Re: [Patch net-next v3] net_sched: change tcf_del_walker() to take idrinfo->lock
Date: Fri, 28 Sep 2018 10:56:47 -0700 [thread overview]
Message-ID: <CAM_iQpUav4UK6uzpaZejFiLn_eEbbvZQry7G6JgzSkj_Eq0fyQ@mail.gmail.com> (raw)
In-Reply-To: <20180928145900.GA17640@splinter>
On Fri, Sep 28, 2018 at 7:59 AM Ido Schimmel <idosch@idosch.org> wrote:
>
> On Wed, Sep 19, 2018 at 04:37:29PM -0700, Cong Wang wrote:
> > From: Vlad Buslov <vladbu@mellanox.com>
> >
> > From: Vlad Buslov <vladbu@mellanox.com>
> >
> > Action API was changed to work with actions and action_idr in concurrency
> > safe manner, however tcf_del_walker() still uses actions without taking a
> > reference or idrinfo->lock first, and deletes them directly, disregarding
> > possible concurrent delete.
> >
> > Change tcf_del_walker() to take idrinfo->lock while iterating over actions
> > and use new tcf_idr_release_unsafe() to release them while holding the
> > lock.
> >
> > And the blocking function fl_hw_destroy_tmplt() could be called when we
> > put a filter chain, so defer it to a work queue.
>
> I'm getting a use-after-free when running tc_chains.sh selftest and I
> believe it's caused by this patch.
>
> To reproduce:
> # cd tools/testing/selftests/net/forwarding
> # export TESTS="template_filter_fits"; ./tc_chains.sh veth0 veth1
>
> __tcf_chain_put()
> tc_chain_tmplt_del()
> fl_tmplt_destroy()
> tcf_queue_work(&tmplt->rwork, fl_tmplt_destroy_work)
> tcf_chain_destroy()
> kfree(chain)
>
> Some time later fl_tmplt_destroy_work() starts executing and
> dereferencing 'chain'.
Oops, forgot to hold the chain... I will test this:
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index 92dd5071a708..cbb68d5515d6 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -1444,6 +1444,7 @@ static void fl_tmplt_destroy_work(struct
work_struct *work)
struct fl_flow_tmplt, rwork);
fl_hw_destroy_tmplt(tmplt->chain, tmplt);
+ tcf_chain_put(tmplt->chain);
kfree(tmplt);
}
@@ -1451,6 +1452,7 @@ static void fl_tmplt_destroy(void *tmplt_priv)
{
struct fl_flow_tmplt *tmplt = tmplt_priv;
+ tcf_chain_hold(tmplt->chain);
tcf_queue_work(&tmplt->rwork, fl_tmplt_destroy_work);
}
next prev parent reply other threads:[~2018-09-29 0:21 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-19 23:37 [Patch net-next v3] net_sched: change tcf_del_walker() to take idrinfo->lock Cong Wang
2018-09-28 14:59 ` Ido Schimmel
2018-09-28 15:08 ` Ido Schimmel
2018-09-28 17:56 ` Cong Wang [this message]
2018-09-28 18:11 ` Ido Schimmel
2018-09-28 18:29 ` Cong Wang
2018-09-29 4:47 ` Cong Wang
2018-10-02 19:23 ` Cong Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAM_iQpUav4UK6uzpaZejFiLn_eEbbvZQry7G6JgzSkj_Eq0fyQ@mail.gmail.com \
--to=xiyou.wangcong@gmail.com \
--cc=idosch@idosch.org \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=netdev@vger.kernel.org \
--cc=vladbu@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.