[Patch net] act_mirred: avoid calling tcf_hash_release() when binding

[Patch net] act_mirred: avoid calling tcf_hash_release() when binding

[Cong Wang]

When we share an action within a filter, the bind refcnt
should increase, therefore we should not call tcf_hash_release().

Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
---
 net/sched/act_mirred.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index a42a3b2..2685450 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -98,6 +98,8 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla,
 			return ret;
 		ret = ACT_P_CREATED;
 	} else {
+		if (bind)
+			return 0;
 		if (!ovr) {
 			tcf_hash_release(a, bind);
 			return -EEXIST;
-- 
1.8.3.1

[Patch net] act_pedit: check binding before calling tcf_hash_release()

[Cong Wang]

When we share an action within a filter, the bind refcnt
should increase, therefore we should not call tcf_hash_release().

Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
---
 net/sched/act_pedit.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 17e6d66..ff8b466 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -68,13 +68,12 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
 		}
 		ret = ACT_P_CREATED;
 	} else {
-		p = to_pedit(a);
-		tcf_hash_release(a, bind);
 		if (bind)
 			return 0;
+		tcf_hash_release(a, bind);
 		if (!ovr)
 			return -EEXIST;
-
+		p = to_pedit(a);
 		if (p->tcfp_nkeys && p->tcfp_nkeys != parm->nkeys) {
 			keys = kmalloc(ksize, GFP_KERNEL);
 			if (keys == NULL)
-- 
1.8.3.1

Re: [Patch net] act_mirred: avoid calling tcf_hash_release() when binding

[Daniel Borkmann]

On 07/31/2015 02:12 AM, Cong Wang wrote:
> When we share an action within a filter, the bind refcnt
> should increase, therefore we should not call tcf_hash_release().
>
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> Signed-off-by: Cong Wang <cwang@twopensource.com>
> ---
>   net/sched/act_mirred.c | 2 ++
>   1 file changed, 2 insertions(+)
>
> diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
> index a42a3b2..2685450 100644
> --- a/net/sched/act_mirred.c
> +++ b/net/sched/act_mirred.c
> @@ -98,6 +98,8 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla,
>   			return ret;
>   		ret = ACT_P_CREATED;
>   	} else {
> +		if (bind)
> +			return 0;
>   		if (!ovr) {
>   			tcf_hash_release(a, bind);
>   			return -EEXIST;
>

Did you test all variants on this?

I.e. what happens when you replace an existing one, I think the
refcnt should also be dropped here. It looks like we only drop
it, in case we tried to add an action to an already existing index ...

	[...]
	} else {
		if (bind)
			return 0;
		tcf_hash_release(a, bind);
		if (!ovr)
			return -EEXIST;
	}
	[...]

Thanks,
Daniel

Re: [Patch net] act_pedit: check binding before calling tcf_hash_release()

[Daniel Borkmann]

On 07/31/2015 02:12 AM, Cong Wang wrote:
> When we share an action within a filter, the bind refcnt
> should increase, therefore we should not call tcf_hash_release().
>
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> Signed-off-by: Cong Wang <cwang@twopensource.com>

Seems like this slipped in via commit 1a29321ed045. The ugly thing is that
this leads to a use-after-free.

# tc actions add action pedit munge offset 2 u16 at 0 0f0000000 22 set 11500
# tc actions show action pedit
   action order 0:  pedit action pass keys 1
   index 1 ref 1 bind 0
   key #0  at 0: val 00002cec mask ffff0000
# tc filter add dev foo parent 1: bpf bytecode "$FOO" flowid 1:1 action pedit index 1
# tc filter show dev foo
   filter parent 1: protocol all pref 49152 bpf
   filter parent 1: protocol all pref 49152 bpf handle 0x1 flowid 1:1 bytecode '1,6 0 0 4294967295'
   action order 1: pedit action pass keys 1
   index 1 ref 1 bind 0
   key #0  at 0: val 00002cec mask ffff0000
# tc actions del action pedit index 1

.... and now you can wait for the next egress packet. ;)

Thanks for the fix Cong!

Fixes: 1a29321ed045 ("net_sched: act: Dont increment refcnt on replace")
Acked-by: Daniel Borkmann <daniel@iogearbox.net>

Re: [Patch net] act_pedit: check binding before calling tcf_hash_release()

[David Miller]

From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Thu, 30 Jul 2015 17:12:21 -0700

> When we share an action within a filter, the bind refcnt
> should increase, therefore we should not call tcf_hash_release().
> 
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> Signed-off-by: Cong Wang <cwang@twopensource.com>

Applied.

Re: [Patch net] act_mirred: avoid calling tcf_hash_release() when binding

[Cong Wang]

On Fri, Jul 31, 2015 at 3:06 AM, Daniel Borkmann <daniel@iogearbox.net> wrote:
> Did you test all variants on this?
>
> I.e. what happens when you replace an existing one, I think the
> refcnt should also be dropped here. It looks like we only drop
> it, in case we tried to add an action to an already existing index ...
>

Yeah, clearly the replace case is anti-pattern too, like you showed.

But that is a different bug, right? Since 'bind' is independent of
'replace'. As in $subject, my patch only fixes the binding case.
I will send a following patch to fix replace case.

Re: [Patch net] act_mirred: avoid calling tcf_hash_release() when binding

[Daniel Borkmann]

On 08/01/2015 12:25 AM, Cong Wang wrote:
> On Fri, Jul 31, 2015 at 3:06 AM, Daniel Borkmann <daniel@iogearbox.net> wrote:
>> Did you test all variants on this?
>>
>> I.e. what happens when you replace an existing one, I think the
>> refcnt should also be dropped here. It looks like we only drop
>> it, in case we tried to add an action to an already existing index ...
>
> Yeah, clearly the replace case is anti-pattern too, like you showed.
>
> But that is a different bug, right? Since 'bind' is independent of
> 'replace'. As in $subject, my patch only fixes the binding case.
> I will send a following patch to fix replace case.

I wasn't aware you planned to send an extra patch for the other issue,
probably not worth the split, but I don't mind.

Thanks,
Daniel

Re: [Patch net] act_mirred: avoid calling tcf_hash_release() when binding

[David Miller]

From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Thu, 30 Jul 2015 17:12:20 -0700

> When we share an action within a filter, the bind refcnt
> should increase, therefore we should not call tcf_hash_release().
> 
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> Signed-off-by: Cong Wang <cwang@twopensource.com>

Applied, thanks.