2019-05-27 09:55:01 +03:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2005-04-17 02:20:36 +04:00
|
|
|
/*
|
|
|
|
* net/sched/act_api.c Packet action API.
|
|
|
|
*
|
|
|
|
* Author: Jamal Hadi Salim
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/string.h>
|
|
|
|
#include <linux/errno.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 11:04:11 +03:00
|
|
|
#include <linux/slab.h>
|
2005-04-17 02:20:36 +04:00
|
|
|
#include <linux/skbuff.h>
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/kmod.h>
|
2008-01-24 07:33:13 +03:00
|
|
|
#include <linux/err.h>
|
2011-05-27 17:12:25 +04:00
|
|
|
#include <linux/module.h>
|
2007-11-30 16:21:31 +03:00
|
|
|
#include <net/net_namespace.h>
|
|
|
|
#include <net/sock.h>
|
2005-04-17 02:20:36 +04:00
|
|
|
#include <net/sch_generic.h>
|
2017-01-24 15:02:41 +03:00
|
|
|
#include <net/pkt_cls.h>
|
2005-04-17 02:20:36 +04:00
|
|
|
#include <net/act_api.h>
|
2007-03-26 10:06:12 +04:00
|
|
|
#include <net/netlink.h>
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2020-11-25 07:01:23 +03:00
|
|
|
#ifdef CONFIG_INET
|
|
|
|
DEFINE_STATIC_KEY_FALSE(tcf_frag_xmit_count);
|
|
|
|
EXPORT_SYMBOL_GPL(tcf_frag_xmit_count);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
int tcf_dev_queue_xmit(struct sk_buff *skb, int (*xmit)(struct sk_buff *skb))
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_INET
|
|
|
|
if (static_branch_unlikely(&tcf_frag_xmit_count))
|
|
|
|
return sch_frag_xmit_hook(skb, xmit);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
return xmit(skb);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(tcf_dev_queue_xmit);
|
|
|
|
|
2017-05-17 12:08:03 +03:00
|
|
|
static void tcf_action_goto_chain_exec(const struct tc_action *a,
|
|
|
|
struct tcf_result *res)
|
|
|
|
{
|
2019-03-20 17:00:16 +03:00
|
|
|
const struct tcf_chain *chain = rcu_dereference_bh(a->goto_chain);
|
2017-05-17 12:08:03 +03:00
|
|
|
|
|
|
|
res->goto_tp = rcu_dereference_bh(chain->filter_chain);
|
|
|
|
}
|
|
|
|
|
2018-07-05 17:24:23 +03:00
|
|
|
static void tcf_free_cookie_rcu(struct rcu_head *p)
|
|
|
|
{
|
|
|
|
struct tc_cookie *cookie = container_of(p, struct tc_cookie, rcu);
|
|
|
|
|
|
|
|
kfree(cookie->data);
|
|
|
|
kfree(cookie);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void tcf_set_action_cookie(struct tc_cookie __rcu **old_cookie,
|
|
|
|
struct tc_cookie *new_cookie)
|
|
|
|
{
|
|
|
|
struct tc_cookie *old;
|
|
|
|
|
2018-07-08 11:02:59 +03:00
|
|
|
old = xchg((__force struct tc_cookie **)old_cookie, new_cookie);
|
2018-07-05 17:24:23 +03:00
|
|
|
if (old)
|
|
|
|
call_rcu(&old->rcu, tcf_free_cookie_rcu);
|
|
|
|
}
|
|
|
|
|
net/sched: prepare TC actions to properly validate the control action
- pass a pointer to struct tcf_proto in each actions's init() handler,
to allow validating the control action, checking whether the chain
exists and (eventually) refcounting it.
- remove code that validates the control action after a successful call
to the action's init() handler, and replace it with a test that forbids
addition of actions having 'goto_chain' and NULL goto_chain pointer at
the same time.
- add tcf_action_check_ctrlact(), that will validate the control action
and eventually allocate the action 'goto_chain' within the init()
handler.
- add tcf_action_set_ctrlact(), that will assign the control action and
swap the current 'goto_chain' pointer with the new given one.
This disallows 'goto_chain' on actions that don't initialize it properly
in their init() handler, i.e. calling tcf_action_check_ctrlact() after
successful IDR reservation and then calling tcf_action_set_ctrlact()
to assign 'goto_chain' and 'tcf_action' consistently.
By doing this, the kernel does not leak anymore refcounts when a valid
'goto chain' handle is replaced in TC actions, causing kmemleak splats
like the following one:
# tc chain add dev dd0 chain 42 ingress protocol ip flower \
> ip_proto tcp action drop
# tc chain add dev dd0 chain 43 ingress protocol ip flower \
> ip_proto udp action drop
# tc filter add dev dd0 ingress matchall \
> action gact goto chain 42 index 66
# tc filter replace dev dd0 ingress matchall \
> action gact goto chain 43 index 66
# echo scan >/sys/kernel/debug/kmemleak
<...>
unreferenced object 0xffff93c0ee09f000 (size 1024):
comm "tc", pid 2565, jiffies 4295339808 (age 65.426s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 08 00 06 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000009b63f92d>] tc_ctl_chain+0x3d2/0x4c0
[<00000000683a8d72>] rtnetlink_rcv_msg+0x263/0x2d0
[<00000000ddd88f8e>] netlink_rcv_skb+0x4a/0x110
[<000000006126a348>] netlink_unicast+0x1a0/0x250
[<00000000b3340877>] netlink_sendmsg+0x2c1/0x3c0
[<00000000a25a2171>] sock_sendmsg+0x36/0x40
[<00000000f19ee1ec>] ___sys_sendmsg+0x280/0x2f0
[<00000000d0422042>] __sys_sendmsg+0x5e/0xa0
[<000000007a6c61f9>] do_syscall_64+0x5b/0x180
[<00000000ccd07542>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[<0000000013eaa334>] 0xffffffffffffffff
Fixes: db50514f9a9c ("net: sched: add termination action to allow goto chain")
Fixes: 97763dc0f401 ("net_sched: reject unknown tcfa_action values")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-20 16:59:59 +03:00
|
|
|
int tcf_action_check_ctrlact(int action, struct tcf_proto *tp,
|
|
|
|
struct tcf_chain **newchain,
|
|
|
|
struct netlink_ext_ack *extack)
|
|
|
|
{
|
|
|
|
int opcode = TC_ACT_EXT_OPCODE(action), ret = -EINVAL;
|
|
|
|
u32 chain_index;
|
|
|
|
|
|
|
|
if (!opcode)
|
|
|
|
ret = action > TC_ACT_VALUE_MAX ? -EINVAL : 0;
|
|
|
|
else if (opcode <= TC_ACT_EXT_OPCODE_MAX || action == TC_ACT_UNSPEC)
|
|
|
|
ret = 0;
|
|
|
|
if (ret) {
|
|
|
|
NL_SET_ERR_MSG(extack, "invalid control action");
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (TC_ACT_EXT_CMP(action, TC_ACT_GOTO_CHAIN)) {
|
|
|
|
chain_index = action & TC_ACT_EXT_VAL_MASK;
|
|
|
|
if (!tp || !newchain) {
|
|
|
|
ret = -EINVAL;
|
|
|
|
NL_SET_ERR_MSG(extack,
|
|
|
|
"can't goto NULL proto/chain");
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
*newchain = tcf_chain_get_by_act(tp->chain->block, chain_index);
|
|
|
|
if (!*newchain) {
|
|
|
|
ret = -ENOMEM;
|
|
|
|
NL_SET_ERR_MSG(extack,
|
|
|
|
"can't allocate goto_chain");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
end:
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(tcf_action_check_ctrlact);
|
|
|
|
|
|
|
|
struct tcf_chain *tcf_action_set_ctrlact(struct tc_action *a, int action,
|
2019-03-20 17:00:16 +03:00
|
|
|
struct tcf_chain *goto_chain)
|
net/sched: prepare TC actions to properly validate the control action
- pass a pointer to struct tcf_proto in each actions's init() handler,
to allow validating the control action, checking whether the chain
exists and (eventually) refcounting it.
- remove code that validates the control action after a successful call
to the action's init() handler, and replace it with a test that forbids
addition of actions having 'goto_chain' and NULL goto_chain pointer at
the same time.
- add tcf_action_check_ctrlact(), that will validate the control action
and eventually allocate the action 'goto_chain' within the init()
handler.
- add tcf_action_set_ctrlact(), that will assign the control action and
swap the current 'goto_chain' pointer with the new given one.
This disallows 'goto_chain' on actions that don't initialize it properly
in their init() handler, i.e. calling tcf_action_check_ctrlact() after
successful IDR reservation and then calling tcf_action_set_ctrlact()
to assign 'goto_chain' and 'tcf_action' consistently.
By doing this, the kernel does not leak anymore refcounts when a valid
'goto chain' handle is replaced in TC actions, causing kmemleak splats
like the following one:
# tc chain add dev dd0 chain 42 ingress protocol ip flower \
> ip_proto tcp action drop
# tc chain add dev dd0 chain 43 ingress protocol ip flower \
> ip_proto udp action drop
# tc filter add dev dd0 ingress matchall \
> action gact goto chain 42 index 66
# tc filter replace dev dd0 ingress matchall \
> action gact goto chain 43 index 66
# echo scan >/sys/kernel/debug/kmemleak
<...>
unreferenced object 0xffff93c0ee09f000 (size 1024):
comm "tc", pid 2565, jiffies 4295339808 (age 65.426s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 08 00 06 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000009b63f92d>] tc_ctl_chain+0x3d2/0x4c0
[<00000000683a8d72>] rtnetlink_rcv_msg+0x263/0x2d0
[<00000000ddd88f8e>] netlink_rcv_skb+0x4a/0x110
[<000000006126a348>] netlink_unicast+0x1a0/0x250
[<00000000b3340877>] netlink_sendmsg+0x2c1/0x3c0
[<00000000a25a2171>] sock_sendmsg+0x36/0x40
[<00000000f19ee1ec>] ___sys_sendmsg+0x280/0x2f0
[<00000000d0422042>] __sys_sendmsg+0x5e/0xa0
[<000000007a6c61f9>] do_syscall_64+0x5b/0x180
[<00000000ccd07542>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[<0000000013eaa334>] 0xffffffffffffffff
Fixes: db50514f9a9c ("net: sched: add termination action to allow goto chain")
Fixes: 97763dc0f401 ("net_sched: reject unknown tcfa_action values")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-20 16:59:59 +03:00
|
|
|
{
|
|
|
|
a->tcfa_action = action;
|
2019-09-24 02:09:18 +03:00
|
|
|
goto_chain = rcu_replace_pointer(a->goto_chain, goto_chain, 1);
|
2019-03-20 17:00:16 +03:00
|
|
|
return goto_chain;
|
net/sched: prepare TC actions to properly validate the control action
- pass a pointer to struct tcf_proto in each actions's init() handler,
to allow validating the control action, checking whether the chain
exists and (eventually) refcounting it.
- remove code that validates the control action after a successful call
to the action's init() handler, and replace it with a test that forbids
addition of actions having 'goto_chain' and NULL goto_chain pointer at
the same time.
- add tcf_action_check_ctrlact(), that will validate the control action
and eventually allocate the action 'goto_chain' within the init()
handler.
- add tcf_action_set_ctrlact(), that will assign the control action and
swap the current 'goto_chain' pointer with the new given one.
This disallows 'goto_chain' on actions that don't initialize it properly
in their init() handler, i.e. calling tcf_action_check_ctrlact() after
successful IDR reservation and then calling tcf_action_set_ctrlact()
to assign 'goto_chain' and 'tcf_action' consistently.
By doing this, the kernel does not leak anymore refcounts when a valid
'goto chain' handle is replaced in TC actions, causing kmemleak splats
like the following one:
# tc chain add dev dd0 chain 42 ingress protocol ip flower \
> ip_proto tcp action drop
# tc chain add dev dd0 chain 43 ingress protocol ip flower \
> ip_proto udp action drop
# tc filter add dev dd0 ingress matchall \
> action gact goto chain 42 index 66
# tc filter replace dev dd0 ingress matchall \
> action gact goto chain 43 index 66
# echo scan >/sys/kernel/debug/kmemleak
<...>
unreferenced object 0xffff93c0ee09f000 (size 1024):
comm "tc", pid 2565, jiffies 4295339808 (age 65.426s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 08 00 06 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000009b63f92d>] tc_ctl_chain+0x3d2/0x4c0
[<00000000683a8d72>] rtnetlink_rcv_msg+0x263/0x2d0
[<00000000ddd88f8e>] netlink_rcv_skb+0x4a/0x110
[<000000006126a348>] netlink_unicast+0x1a0/0x250
[<00000000b3340877>] netlink_sendmsg+0x2c1/0x3c0
[<00000000a25a2171>] sock_sendmsg+0x36/0x40
[<00000000f19ee1ec>] ___sys_sendmsg+0x280/0x2f0
[<00000000d0422042>] __sys_sendmsg+0x5e/0xa0
[<000000007a6c61f9>] do_syscall_64+0x5b/0x180
[<00000000ccd07542>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[<0000000013eaa334>] 0xffffffffffffffff
Fixes: db50514f9a9c ("net: sched: add termination action to allow goto chain")
Fixes: 97763dc0f401 ("net_sched: reject unknown tcfa_action values")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-20 16:59:59 +03:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(tcf_action_set_ctrlact);
|
|
|
|
|
2017-09-12 02:33:30 +03:00
|
|
|
/* XXX: For standalone actions, we don't need a RCU grace period either, because
|
|
|
|
* actions are always connected to filters and filters are already destroyed in
|
|
|
|
* RCU callbacks, so after a RCU grace period actions are already disconnected
|
|
|
|
* from filters. Readers later can not find us.
|
|
|
|
*/
|
|
|
|
static void free_tcf(struct tc_action *p)
|
2015-07-06 15:18:04 +03:00
|
|
|
{
|
2019-03-20 17:00:16 +03:00
|
|
|
struct tcf_chain *chain = rcu_dereference_protected(p->goto_chain, 1);
|
net/sched: prepare TC actions to properly validate the control action
- pass a pointer to struct tcf_proto in each actions's init() handler,
to allow validating the control action, checking whether the chain
exists and (eventually) refcounting it.
- remove code that validates the control action after a successful call
to the action's init() handler, and replace it with a test that forbids
addition of actions having 'goto_chain' and NULL goto_chain pointer at
the same time.
- add tcf_action_check_ctrlact(), that will validate the control action
and eventually allocate the action 'goto_chain' within the init()
handler.
- add tcf_action_set_ctrlact(), that will assign the control action and
swap the current 'goto_chain' pointer with the new given one.
This disallows 'goto_chain' on actions that don't initialize it properly
in their init() handler, i.e. calling tcf_action_check_ctrlact() after
successful IDR reservation and then calling tcf_action_set_ctrlact()
to assign 'goto_chain' and 'tcf_action' consistently.
By doing this, the kernel does not leak anymore refcounts when a valid
'goto chain' handle is replaced in TC actions, causing kmemleak splats
like the following one:
# tc chain add dev dd0 chain 42 ingress protocol ip flower \
> ip_proto tcp action drop
# tc chain add dev dd0 chain 43 ingress protocol ip flower \
> ip_proto udp action drop
# tc filter add dev dd0 ingress matchall \
> action gact goto chain 42 index 66
# tc filter replace dev dd0 ingress matchall \
> action gact goto chain 43 index 66
# echo scan >/sys/kernel/debug/kmemleak
<...>
unreferenced object 0xffff93c0ee09f000 (size 1024):
comm "tc", pid 2565, jiffies 4295339808 (age 65.426s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 08 00 06 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000009b63f92d>] tc_ctl_chain+0x3d2/0x4c0
[<00000000683a8d72>] rtnetlink_rcv_msg+0x263/0x2d0
[<00000000ddd88f8e>] netlink_rcv_skb+0x4a/0x110
[<000000006126a348>] netlink_unicast+0x1a0/0x250
[<00000000b3340877>] netlink_sendmsg+0x2c1/0x3c0
[<00000000a25a2171>] sock_sendmsg+0x36/0x40
[<00000000f19ee1ec>] ___sys_sendmsg+0x280/0x2f0
[<00000000d0422042>] __sys_sendmsg+0x5e/0xa0
[<000000007a6c61f9>] do_syscall_64+0x5b/0x180
[<00000000ccd07542>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[<0000000013eaa334>] 0xffffffffffffffff
Fixes: db50514f9a9c ("net: sched: add termination action to allow goto chain")
Fixes: 97763dc0f401 ("net_sched: reject unknown tcfa_action values")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-20 16:59:59 +03:00
|
|
|
|
2015-07-06 15:18:04 +03:00
|
|
|
free_percpu(p->cpu_bstats);
|
2018-09-21 14:14:02 +03:00
|
|
|
free_percpu(p->cpu_bstats_hw);
|
2015-07-06 15:18:04 +03:00
|
|
|
free_percpu(p->cpu_qstats);
|
2017-01-24 15:02:41 +03:00
|
|
|
|
2018-07-05 17:24:23 +03:00
|
|
|
tcf_set_action_cookie(&p->act_cookie, NULL);
|
net/sched: prepare TC actions to properly validate the control action
- pass a pointer to struct tcf_proto in each actions's init() handler,
to allow validating the control action, checking whether the chain
exists and (eventually) refcounting it.
- remove code that validates the control action after a successful call
to the action's init() handler, and replace it with a test that forbids
addition of actions having 'goto_chain' and NULL goto_chain pointer at
the same time.
- add tcf_action_check_ctrlact(), that will validate the control action
and eventually allocate the action 'goto_chain' within the init()
handler.
- add tcf_action_set_ctrlact(), that will assign the control action and
swap the current 'goto_chain' pointer with the new given one.
This disallows 'goto_chain' on actions that don't initialize it properly
in their init() handler, i.e. calling tcf_action_check_ctrlact() after
successful IDR reservation and then calling tcf_action_set_ctrlact()
to assign 'goto_chain' and 'tcf_action' consistently.
By doing this, the kernel does not leak anymore refcounts when a valid
'goto chain' handle is replaced in TC actions, causing kmemleak splats
like the following one:
# tc chain add dev dd0 chain 42 ingress protocol ip flower \
> ip_proto tcp action drop
# tc chain add dev dd0 chain 43 ingress protocol ip flower \
> ip_proto udp action drop
# tc filter add dev dd0 ingress matchall \
> action gact goto chain 42 index 66
# tc filter replace dev dd0 ingress matchall \
> action gact goto chain 43 index 66
# echo scan >/sys/kernel/debug/kmemleak
<...>
unreferenced object 0xffff93c0ee09f000 (size 1024):
comm "tc", pid 2565, jiffies 4295339808 (age 65.426s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 08 00 06 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000009b63f92d>] tc_ctl_chain+0x3d2/0x4c0
[<00000000683a8d72>] rtnetlink_rcv_msg+0x263/0x2d0
[<00000000ddd88f8e>] netlink_rcv_skb+0x4a/0x110
[<000000006126a348>] netlink_unicast+0x1a0/0x250
[<00000000b3340877>] netlink_sendmsg+0x2c1/0x3c0
[<00000000a25a2171>] sock_sendmsg+0x36/0x40
[<00000000f19ee1ec>] ___sys_sendmsg+0x280/0x2f0
[<00000000d0422042>] __sys_sendmsg+0x5e/0xa0
[<000000007a6c61f9>] do_syscall_64+0x5b/0x180
[<00000000ccd07542>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[<0000000013eaa334>] 0xffffffffffffffff
Fixes: db50514f9a9c ("net: sched: add termination action to allow goto chain")
Fixes: 97763dc0f401 ("net_sched: reject unknown tcfa_action values")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-20 16:59:59 +03:00
|
|
|
if (chain)
|
|
|
|
tcf_chain_put_by_act(chain);
|
2017-01-24 15:02:41 +03:00
|
|
|
|
2015-07-06 15:18:04 +03:00
|
|
|
kfree(p);
|
|
|
|
}
|
|
|
|
|
2018-07-05 17:24:29 +03:00
|
|
|
static void tcf_action_cleanup(struct tc_action *p)
|
2006-08-22 10:54:55 +04:00
|
|
|
{
|
2018-07-05 17:24:29 +03:00
|
|
|
if (p->ops->cleanup)
|
|
|
|
p->ops->cleanup(p);
|
|
|
|
|
2016-12-04 20:48:16 +03:00
|
|
|
gen_kill_estimator(&p->tcfa_rate_est);
|
2017-09-12 02:33:30 +03:00
|
|
|
free_tcf(p);
|
2006-08-22 10:54:55 +04:00
|
|
|
}
|
|
|
|
|
2018-07-05 17:24:29 +03:00
|
|
|
static int __tcf_action_put(struct tc_action *p, bool bind)
|
|
|
|
{
|
|
|
|
struct tcf_idrinfo *idrinfo = p->idrinfo;
|
|
|
|
|
2018-10-02 22:50:19 +03:00
|
|
|
if (refcount_dec_and_mutex_lock(&p->tcfa_refcnt, &idrinfo->lock)) {
|
2018-07-05 17:24:29 +03:00
|
|
|
if (bind)
|
|
|
|
atomic_dec(&p->tcfa_bindcnt);
|
|
|
|
idr_remove(&idrinfo->action_idr, p->tcfa_index);
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_unlock(&idrinfo->lock);
|
2018-07-05 17:24:29 +03:00
|
|
|
|
|
|
|
tcf_action_cleanup(p);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (bind)
|
|
|
|
atomic_dec(&p->tcfa_bindcnt);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-08-30 09:31:59 +03:00
|
|
|
int __tcf_idr_release(struct tc_action *p, bool bind, bool strict)
|
2006-08-22 10:54:55 +04:00
|
|
|
{
|
|
|
|
int ret = 0;
|
|
|
|
|
2018-07-05 17:24:24 +03:00
|
|
|
/* Release with strict==1 and bind==0 is only called through act API
|
|
|
|
* interface (classifiers always bind). Only case when action with
|
|
|
|
* positive reference count and zero bind count can exist is when it was
|
|
|
|
* also created with act API (unbinding last classifier will destroy the
|
|
|
|
* action if it was created by classifier). So only case when bind count
|
|
|
|
* can be changed after initial check is when unbound action is
|
|
|
|
* destroyed by act API while classifier binds to action with same id
|
|
|
|
* concurrently. This result either creation of new action(same behavior
|
|
|
|
* as before), or reusing existing action if concurrent process
|
|
|
|
* increments reference count before action is deleted. Both scenarios
|
|
|
|
* are acceptable.
|
|
|
|
*/
|
2006-08-22 10:54:55 +04:00
|
|
|
if (p) {
|
2018-07-05 17:24:29 +03:00
|
|
|
if (!bind && strict && atomic_read(&p->tcfa_bindcnt) > 0)
|
2014-02-12 05:07:34 +04:00
|
|
|
return -EPERM;
|
2006-08-22 10:54:55 +04:00
|
|
|
|
2018-07-05 17:24:29 +03:00
|
|
|
if (__tcf_action_put(p, bind))
|
2016-02-23 02:57:52 +03:00
|
|
|
ret = ACT_P_DELETED;
|
2006-08-22 10:54:55 +04:00
|
|
|
}
|
net: sched: fix refcount imbalance in actions
Since commit 55334a5db5cd ("net_sched: act: refuse to remove bound action
outside"), we end up with a wrong reference count for a tc action.
Test case 1:
FOO="1,6 0 0 4294967295,"
BAR="1,6 0 0 4294967294,"
tc filter add dev foo parent 1: bpf bytecode "$FOO" flowid 1:1 \
action bpf bytecode "$FOO"
tc actions show action bpf
action order 0: bpf bytecode '1,6 0 0 4294967295' default-action pipe
index 1 ref 1 bind 1
tc actions replace action bpf bytecode "$BAR" index 1
tc actions show action bpf
action order 0: bpf bytecode '1,6 0 0 4294967294' default-action pipe
index 1 ref 2 bind 1
tc actions replace action bpf bytecode "$FOO" index 1
tc actions show action bpf
action order 0: bpf bytecode '1,6 0 0 4294967295' default-action pipe
index 1 ref 3 bind 1
Test case 2:
FOO="1,6 0 0 4294967295,"
tc filter add dev foo parent 1: bpf bytecode "$FOO" flowid 1:1 action ok
tc actions show action gact
action order 0: gact action pass
random type none pass val 0
index 1 ref 1 bind 1
tc actions add action drop index 1
RTNETLINK answers: File exists [...]
tc actions show action gact
action order 0: gact action pass
random type none pass val 0
index 1 ref 2 bind 1
tc actions add action drop index 1
RTNETLINK answers: File exists [...]
tc actions show action gact
action order 0: gact action pass
random type none pass val 0
index 1 ref 3 bind 1
What happens is that in tcf_hash_check(), we check tcf_common for a given
index and increase tcfc_refcnt and conditionally tcfc_bindcnt when we've
found an existing action. Now there are the following cases:
1) We do a late binding of an action. In that case, we leave the
tcfc_refcnt/tcfc_bindcnt increased and are done with the ->init()
handler. This is correctly handeled.
2) We replace the given action, or we try to add one without replacing
and find out that the action at a specific index already exists
(thus, we go out with error in that case).
In case of 2), we have to undo the reference count increase from
tcf_hash_check() in the tcf_hash_check() function. Currently, we fail to
do so because of the 'tcfc_bindcnt > 0' check which bails out early with
an -EPERM error.
Now, while commit 55334a5db5cd prevents 'tc actions del action ...' on an
already classifier-bound action to drop the reference count (which could
then become negative, wrap around etc), this restriction only accounts for
invocations outside a specific action's ->init() handler.
One possible solution would be to add a flag thus we possibly trigger
the -EPERM ony in situations where it is indeed relevant.
After the patch, above test cases have correct reference count again.
Fixes: 55334a5db5cd ("net_sched: act: refuse to remove bound action outside")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-07-30 00:35:25 +03:00
|
|
|
|
2006-08-22 10:54:55 +04:00
|
|
|
return ret;
|
|
|
|
}
|
2017-08-30 09:31:59 +03:00
|
|
|
EXPORT_SYMBOL(__tcf_idr_release);
|
2006-08-22 10:54:55 +04:00
|
|
|
|
2018-03-09 00:59:19 +03:00
|
|
|
static size_t tcf_action_shared_attrs_size(const struct tc_action *act)
|
|
|
|
{
|
2018-07-09 20:26:47 +03:00
|
|
|
struct tc_cookie *act_cookie;
|
2018-03-09 00:59:19 +03:00
|
|
|
u32 cookie_len = 0;
|
|
|
|
|
2018-07-09 20:26:47 +03:00
|
|
|
rcu_read_lock();
|
|
|
|
act_cookie = rcu_dereference(act->act_cookie);
|
|
|
|
|
|
|
|
if (act_cookie)
|
|
|
|
cookie_len = nla_total_size(act_cookie->len);
|
|
|
|
rcu_read_unlock();
|
2018-03-09 00:59:19 +03:00
|
|
|
|
|
|
|
return nla_total_size(0) /* action number nested */
|
|
|
|
+ nla_total_size(IFNAMSIZ) /* TCA_ACT_KIND */
|
|
|
|
+ cookie_len /* TCA_ACT_COOKIE */
|
2020-03-20 02:26:23 +03:00
|
|
|
+ nla_total_size(sizeof(struct nla_bitfield32)) /* TCA_ACT_HW_STATS */
|
2018-03-09 00:59:19 +03:00
|
|
|
+ nla_total_size(0) /* TCA_ACT_STATS nested */
|
2020-02-25 15:54:12 +03:00
|
|
|
+ nla_total_size(sizeof(struct nla_bitfield32)) /* TCA_ACT_FLAGS */
|
2018-03-09 00:59:19 +03:00
|
|
|
/* TCA_STATS_BASIC */
|
|
|
|
+ nla_total_size_64bit(sizeof(struct gnet_stats_basic))
|
2019-11-05 06:13:15 +03:00
|
|
|
/* TCA_STATS_PKT64 */
|
|
|
|
+ nla_total_size_64bit(sizeof(u64))
|
2018-03-09 00:59:19 +03:00
|
|
|
/* TCA_STATS_QUEUE */
|
|
|
|
+ nla_total_size_64bit(sizeof(struct gnet_stats_queue))
|
|
|
|
+ nla_total_size(0) /* TCA_OPTIONS nested */
|
|
|
|
+ nla_total_size(sizeof(struct tcf_t)); /* TCA_GACT_TM */
|
|
|
|
}
|
|
|
|
|
|
|
|
static size_t tcf_action_full_attrs_size(size_t sz)
|
|
|
|
{
|
|
|
|
return NLMSG_HDRLEN /* struct nlmsghdr */
|
|
|
|
+ sizeof(struct tcamsg)
|
|
|
|
+ nla_total_size(0) /* TCA_ACT_TAB nested */
|
|
|
|
+ sz;
|
|
|
|
}
|
|
|
|
|
|
|
|
static size_t tcf_action_fill_size(const struct tc_action *act)
|
|
|
|
{
|
|
|
|
size_t sz = tcf_action_shared_attrs_size(act);
|
|
|
|
|
|
|
|
if (act->ops->get_fill_size)
|
|
|
|
return act->ops->get_fill_size(act) + sz;
|
|
|
|
return sz;
|
|
|
|
}
|
|
|
|
|
2020-11-02 23:12:43 +03:00
|
|
|
static int
|
|
|
|
tcf_action_dump_terse(struct sk_buff *skb, struct tc_action *a, bool from_act)
|
|
|
|
{
|
|
|
|
unsigned char *b = skb_tail_pointer(skb);
|
|
|
|
struct tc_cookie *cookie;
|
|
|
|
|
|
|
|
if (nla_put_string(skb, TCA_KIND, a->ops->kind))
|
|
|
|
goto nla_put_failure;
|
|
|
|
if (tcf_action_copy_stats(skb, a, 0))
|
|
|
|
goto nla_put_failure;
|
|
|
|
if (from_act && nla_put_u32(skb, TCA_ACT_INDEX, a->tcfa_index))
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
cookie = rcu_dereference(a->act_cookie);
|
|
|
|
if (cookie) {
|
|
|
|
if (nla_put(skb, TCA_ACT_COOKIE, cookie->len, cookie->data)) {
|
|
|
|
rcu_read_unlock();
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
nla_put_failure:
|
|
|
|
nlmsg_trim(skb, b);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2017-08-30 09:31:59 +03:00
|
|
|
static int tcf_dump_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb,
|
2016-07-26 02:09:41 +03:00
|
|
|
struct netlink_callback *cb)
|
2006-08-22 10:54:55 +04:00
|
|
|
{
|
2017-08-30 09:31:59 +03:00
|
|
|
int err = 0, index = -1, s_i = 0, n_i = 0;
|
2017-07-30 20:24:51 +03:00
|
|
|
u32 act_flags = cb->args[2];
|
2017-07-30 20:24:52 +03:00
|
|
|
unsigned long jiffy_since = cb->args[3];
|
2008-01-24 07:34:11 +03:00
|
|
|
struct nlattr *nest;
|
2017-08-30 09:31:59 +03:00
|
|
|
struct idr *idr = &idrinfo->action_idr;
|
|
|
|
struct tc_action *p;
|
|
|
|
unsigned long id = 1;
|
2019-06-28 21:03:41 +03:00
|
|
|
unsigned long tmp;
|
2006-08-22 10:54:55 +04:00
|
|
|
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_lock(&idrinfo->lock);
|
2006-08-22 10:54:55 +04:00
|
|
|
|
|
|
|
s_i = cb->args[0];
|
|
|
|
|
2019-06-28 21:03:41 +03:00
|
|
|
idr_for_each_entry_ul(idr, p, tmp, id) {
|
2017-08-30 09:31:59 +03:00
|
|
|
index++;
|
|
|
|
if (index < s_i)
|
|
|
|
continue;
|
2020-10-02 22:13:34 +03:00
|
|
|
if (IS_ERR(p))
|
|
|
|
continue;
|
2017-08-30 09:31:59 +03:00
|
|
|
|
|
|
|
if (jiffy_since &&
|
|
|
|
time_after(jiffy_since,
|
|
|
|
(unsigned long)p->tcfa_tm.lastuse))
|
|
|
|
continue;
|
|
|
|
|
2019-04-26 12:13:06 +03:00
|
|
|
nest = nla_nest_start_noflag(skb, n_i);
|
2018-03-26 21:58:32 +03:00
|
|
|
if (!nest) {
|
|
|
|
index--;
|
2017-08-30 09:31:59 +03:00
|
|
|
goto nla_put_failure;
|
2018-03-26 21:58:32 +03:00
|
|
|
}
|
2020-11-24 19:40:54 +03:00
|
|
|
err = (act_flags & TCA_ACT_FLAG_TERSE_DUMP) ?
|
2020-11-02 23:12:43 +03:00
|
|
|
tcf_action_dump_terse(skb, p, true) :
|
|
|
|
tcf_action_dump_1(skb, p, 0, 0);
|
2017-08-30 09:31:59 +03:00
|
|
|
if (err < 0) {
|
|
|
|
index--;
|
|
|
|
nlmsg_trim(skb, nest);
|
|
|
|
goto done;
|
2006-08-22 10:54:55 +04:00
|
|
|
}
|
2017-08-30 09:31:59 +03:00
|
|
|
nla_nest_end(skb, nest);
|
|
|
|
n_i++;
|
2020-11-24 19:40:54 +03:00
|
|
|
if (!(act_flags & TCA_ACT_FLAG_LARGE_DUMP_ON) &&
|
2017-08-30 09:31:59 +03:00
|
|
|
n_i >= TCA_ACT_MAX_PRIO)
|
|
|
|
goto done;
|
2006-08-22 10:54:55 +04:00
|
|
|
}
|
|
|
|
done:
|
2017-07-30 20:24:52 +03:00
|
|
|
if (index >= 0)
|
|
|
|
cb->args[0] = index + 1;
|
|
|
|
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_unlock(&idrinfo->lock);
|
2017-07-30 20:24:51 +03:00
|
|
|
if (n_i) {
|
2020-11-24 19:40:54 +03:00
|
|
|
if (act_flags & TCA_ACT_FLAG_LARGE_DUMP_ON)
|
2017-07-30 20:24:51 +03:00
|
|
|
cb->args[1] = n_i;
|
|
|
|
}
|
2006-08-22 10:54:55 +04:00
|
|
|
return n_i;
|
|
|
|
|
2008-01-23 09:11:50 +03:00
|
|
|
nla_put_failure:
|
2008-01-24 07:34:11 +03:00
|
|
|
nla_nest_cancel(skb, nest);
|
2006-08-22 10:54:55 +04:00
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
|
2018-09-20 02:37:29 +03:00
|
|
|
static int tcf_idr_release_unsafe(struct tc_action *p)
|
|
|
|
{
|
|
|
|
if (atomic_read(&p->tcfa_bindcnt) > 0)
|
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
if (refcount_dec_and_test(&p->tcfa_refcnt)) {
|
|
|
|
idr_remove(&p->idrinfo->action_idr, p->tcfa_index);
|
|
|
|
tcf_action_cleanup(p);
|
|
|
|
return ACT_P_DELETED;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-08-30 09:31:59 +03:00
|
|
|
static int tcf_del_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb,
|
2016-07-26 02:09:41 +03:00
|
|
|
const struct tc_action_ops *ops)
|
2006-08-22 10:54:55 +04:00
|
|
|
{
|
2008-01-24 07:34:11 +03:00
|
|
|
struct nlattr *nest;
|
2017-08-30 09:31:59 +03:00
|
|
|
int n_i = 0;
|
2014-02-12 05:07:34 +04:00
|
|
|
int ret = -EINVAL;
|
2017-08-30 09:31:59 +03:00
|
|
|
struct idr *idr = &idrinfo->action_idr;
|
|
|
|
struct tc_action *p;
|
|
|
|
unsigned long id = 1;
|
2019-06-28 21:03:41 +03:00
|
|
|
unsigned long tmp;
|
2006-08-22 10:54:55 +04:00
|
|
|
|
2019-04-26 12:13:06 +03:00
|
|
|
nest = nla_nest_start_noflag(skb, 0);
|
2008-01-24 07:34:11 +03:00
|
|
|
if (nest == NULL)
|
|
|
|
goto nla_put_failure;
|
2016-07-26 02:09:41 +03:00
|
|
|
if (nla_put_string(skb, TCA_KIND, ops->kind))
|
2012-03-29 13:11:39 +04:00
|
|
|
goto nla_put_failure;
|
2017-08-30 09:31:59 +03:00
|
|
|
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_lock(&idrinfo->lock);
|
2019-06-28 21:03:41 +03:00
|
|
|
idr_for_each_entry_ul(idr, p, tmp, id) {
|
2020-09-23 06:56:24 +03:00
|
|
|
if (IS_ERR(p))
|
|
|
|
continue;
|
2018-09-20 02:37:29 +03:00
|
|
|
ret = tcf_idr_release_unsafe(p);
|
2017-08-30 09:31:59 +03:00
|
|
|
if (ret == ACT_P_DELETED) {
|
2017-09-13 18:32:37 +03:00
|
|
|
module_put(ops->owner);
|
2017-08-30 09:31:59 +03:00
|
|
|
n_i++;
|
|
|
|
} else if (ret < 0) {
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_unlock(&idrinfo->lock);
|
2017-08-30 09:31:59 +03:00
|
|
|
goto nla_put_failure;
|
2006-08-22 10:54:55 +04:00
|
|
|
}
|
|
|
|
}
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_unlock(&idrinfo->lock);
|
2018-09-20 02:37:29 +03:00
|
|
|
|
2012-03-29 13:11:39 +04:00
|
|
|
if (nla_put_u32(skb, TCA_FCNT, n_i))
|
|
|
|
goto nla_put_failure;
|
2008-01-24 07:34:11 +03:00
|
|
|
nla_nest_end(skb, nest);
|
2006-08-22 10:54:55 +04:00
|
|
|
|
|
|
|
return n_i;
|
2008-01-23 09:11:50 +03:00
|
|
|
nla_put_failure:
|
2008-01-24 07:34:11 +03:00
|
|
|
nla_nest_cancel(skb, nest);
|
2014-02-12 05:07:34 +04:00
|
|
|
return ret;
|
2006-08-22 10:54:55 +04:00
|
|
|
}
|
|
|
|
|
2016-02-23 02:57:53 +03:00
|
|
|
int tcf_generic_walker(struct tc_action_net *tn, struct sk_buff *skb,
|
|
|
|
struct netlink_callback *cb, int type,
|
2018-02-15 18:54:59 +03:00
|
|
|
const struct tc_action_ops *ops,
|
|
|
|
struct netlink_ext_ack *extack)
|
2006-08-22 10:54:55 +04:00
|
|
|
{
|
2017-08-30 09:31:59 +03:00
|
|
|
struct tcf_idrinfo *idrinfo = tn->idrinfo;
|
2016-02-23 02:57:53 +03:00
|
|
|
|
2006-08-22 10:54:55 +04:00
|
|
|
if (type == RTM_DELACTION) {
|
2017-08-30 09:31:59 +03:00
|
|
|
return tcf_del_walker(idrinfo, skb, ops);
|
2006-08-22 10:54:55 +04:00
|
|
|
} else if (type == RTM_GETACTION) {
|
2017-08-30 09:31:59 +03:00
|
|
|
return tcf_dump_walker(idrinfo, skb, cb);
|
2006-08-22 10:54:55 +04:00
|
|
|
} else {
|
2018-02-15 18:54:59 +03:00
|
|
|
WARN(1, "tcf_generic_walker: unknown command %d\n", type);
|
|
|
|
NL_SET_ERR_MSG(extack, "tcf_generic_walker: unknown command");
|
2006-08-22 10:54:55 +04:00
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
}
|
2016-02-23 02:57:53 +03:00
|
|
|
EXPORT_SYMBOL(tcf_generic_walker);
|
2006-08-22 10:54:55 +04:00
|
|
|
|
2018-08-19 22:22:08 +03:00
|
|
|
int tcf_idr_search(struct tc_action_net *tn, struct tc_action **a, u32 index)
|
2006-08-22 10:54:55 +04:00
|
|
|
{
|
2018-07-05 17:24:26 +03:00
|
|
|
struct tcf_idrinfo *idrinfo = tn->idrinfo;
|
|
|
|
struct tc_action *p;
|
2006-08-22 10:54:55 +04:00
|
|
|
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_lock(&idrinfo->lock);
|
2017-11-28 18:01:24 +03:00
|
|
|
p = idr_find(&idrinfo->action_idr, index);
|
2018-08-19 22:22:08 +03:00
|
|
|
if (IS_ERR(p))
|
2018-07-05 17:24:32 +03:00
|
|
|
p = NULL;
|
2018-08-19 22:22:08 +03:00
|
|
|
else if (p)
|
2018-07-05 17:24:26 +03:00
|
|
|
refcount_inc(&p->tcfa_refcnt);
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_unlock(&idrinfo->lock);
|
2006-08-22 10:54:55 +04:00
|
|
|
|
2018-07-05 17:24:26 +03:00
|
|
|
if (p) {
|
|
|
|
*a = p;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
2006-08-22 10:54:55 +04:00
|
|
|
}
|
2017-08-30 09:31:59 +03:00
|
|
|
EXPORT_SYMBOL(tcf_idr_search);
|
2006-08-22 10:54:55 +04:00
|
|
|
|
2018-08-19 22:22:06 +03:00
|
|
|
static int tcf_idr_delete_index(struct tcf_idrinfo *idrinfo, u32 index)
|
2018-07-05 17:24:27 +03:00
|
|
|
{
|
|
|
|
struct tc_action *p;
|
|
|
|
int ret = 0;
|
|
|
|
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_lock(&idrinfo->lock);
|
2018-07-05 17:24:27 +03:00
|
|
|
p = idr_find(&idrinfo->action_idr, index);
|
|
|
|
if (!p) {
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_unlock(&idrinfo->lock);
|
2018-07-05 17:24:27 +03:00
|
|
|
return -ENOENT;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!atomic_read(&p->tcfa_bindcnt)) {
|
|
|
|
if (refcount_dec_and_test(&p->tcfa_refcnt)) {
|
|
|
|
struct module *owner = p->ops->owner;
|
|
|
|
|
|
|
|
WARN_ON(p != idr_remove(&idrinfo->action_idr,
|
|
|
|
p->tcfa_index));
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_unlock(&idrinfo->lock);
|
2018-07-05 17:24:27 +03:00
|
|
|
|
2018-07-05 17:24:29 +03:00
|
|
|
tcf_action_cleanup(p);
|
2018-07-05 17:24:27 +03:00
|
|
|
module_put(owner);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
ret = 0;
|
|
|
|
} else {
|
|
|
|
ret = -EPERM;
|
|
|
|
}
|
|
|
|
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_unlock(&idrinfo->lock);
|
2018-07-05 17:24:27 +03:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2017-08-30 09:31:59 +03:00
|
|
|
int tcf_idr_create(struct tc_action_net *tn, u32 index, struct nlattr *est,
|
|
|
|
struct tc_action **a, const struct tc_action_ops *ops,
|
2019-10-30 17:09:06 +03:00
|
|
|
int bind, bool cpustats, u32 flags)
|
2006-08-22 10:54:55 +04:00
|
|
|
{
|
2016-07-26 02:09:42 +03:00
|
|
|
struct tc_action *p = kzalloc(ops->size, GFP_KERNEL);
|
2017-08-30 09:31:59 +03:00
|
|
|
struct tcf_idrinfo *idrinfo = tn->idrinfo;
|
2015-07-06 15:18:04 +03:00
|
|
|
int err = -ENOMEM;
|
2006-08-22 10:54:55 +04:00
|
|
|
|
|
|
|
if (unlikely(!p))
|
2014-02-12 05:07:31 +04:00
|
|
|
return -ENOMEM;
|
2018-07-05 17:24:24 +03:00
|
|
|
refcount_set(&p->tcfa_refcnt, 1);
|
2006-08-22 10:54:55 +04:00
|
|
|
if (bind)
|
2018-07-05 17:24:24 +03:00
|
|
|
atomic_set(&p->tcfa_bindcnt, 1);
|
2006-08-22 10:54:55 +04:00
|
|
|
|
2015-07-06 15:18:04 +03:00
|
|
|
if (cpustats) {
|
|
|
|
p->cpu_bstats = netdev_alloc_pcpu_stats(struct gnet_stats_basic_cpu);
|
2017-11-28 18:28:15 +03:00
|
|
|
if (!p->cpu_bstats)
|
2015-07-06 15:18:04 +03:00
|
|
|
goto err1;
|
2018-09-21 14:14:02 +03:00
|
|
|
p->cpu_bstats_hw = netdev_alloc_pcpu_stats(struct gnet_stats_basic_cpu);
|
|
|
|
if (!p->cpu_bstats_hw)
|
|
|
|
goto err2;
|
2017-11-28 18:28:15 +03:00
|
|
|
p->cpu_qstats = alloc_percpu(struct gnet_stats_queue);
|
|
|
|
if (!p->cpu_qstats)
|
2018-09-21 14:14:02 +03:00
|
|
|
goto err3;
|
2015-07-06 15:18:04 +03:00
|
|
|
}
|
2016-07-26 02:09:42 +03:00
|
|
|
spin_lock_init(&p->tcfa_lock);
|
2017-11-28 18:28:15 +03:00
|
|
|
p->tcfa_index = index;
|
2016-07-26 02:09:42 +03:00
|
|
|
p->tcfa_tm.install = jiffies;
|
|
|
|
p->tcfa_tm.lastuse = jiffies;
|
|
|
|
p->tcfa_tm.firstuse = 0;
|
2019-10-30 17:09:06 +03:00
|
|
|
p->tcfa_flags = flags;
|
2008-11-26 08:12:32 +03:00
|
|
|
if (est) {
|
2016-07-26 02:09:42 +03:00
|
|
|
err = gen_new_estimator(&p->tcfa_bstats, p->cpu_bstats,
|
|
|
|
&p->tcfa_rate_est,
|
|
|
|
&p->tcfa_lock, NULL, est);
|
2017-11-28 18:28:15 +03:00
|
|
|
if (err)
|
2018-09-21 14:14:02 +03:00
|
|
|
goto err4;
|
2008-11-26 08:12:32 +03:00
|
|
|
}
|
|
|
|
|
2017-08-30 09:31:59 +03:00
|
|
|
p->idrinfo = idrinfo;
|
2016-07-26 02:09:42 +03:00
|
|
|
p->ops = ops;
|
|
|
|
*a = p;
|
2014-02-12 05:07:31 +04:00
|
|
|
return 0;
|
2018-09-21 14:14:02 +03:00
|
|
|
err4:
|
2017-11-28 18:28:15 +03:00
|
|
|
free_percpu(p->cpu_qstats);
|
2018-09-21 14:14:02 +03:00
|
|
|
err3:
|
|
|
|
free_percpu(p->cpu_bstats_hw);
|
2017-11-28 18:28:15 +03:00
|
|
|
err2:
|
|
|
|
free_percpu(p->cpu_bstats);
|
|
|
|
err1:
|
|
|
|
kfree(p);
|
|
|
|
return err;
|
2006-08-22 10:54:55 +04:00
|
|
|
}
|
2017-08-30 09:31:59 +03:00
|
|
|
EXPORT_SYMBOL(tcf_idr_create);
|
2006-08-22 10:54:55 +04:00
|
|
|
|
2019-10-30 17:09:06 +03:00
|
|
|
int tcf_idr_create_from_flags(struct tc_action_net *tn, u32 index,
|
|
|
|
struct nlattr *est, struct tc_action **a,
|
|
|
|
const struct tc_action_ops *ops, int bind,
|
|
|
|
u32 flags)
|
|
|
|
{
|
|
|
|
/* Set cpustats according to actions flags. */
|
|
|
|
return tcf_idr_create(tn, index, est, a, ops, bind,
|
|
|
|
!(flags & TCA_ACT_FLAGS_NO_PERCPU_STATS), flags);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(tcf_idr_create_from_flags);
|
|
|
|
|
2018-07-05 17:24:32 +03:00
|
|
|
/* Cleanup idr index that was allocated but not initialized. */
|
|
|
|
|
|
|
|
void tcf_idr_cleanup(struct tc_action_net *tn, u32 index)
|
|
|
|
{
|
|
|
|
struct tcf_idrinfo *idrinfo = tn->idrinfo;
|
|
|
|
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_lock(&idrinfo->lock);
|
2018-07-05 17:24:32 +03:00
|
|
|
/* Remove ERR_PTR(-EBUSY) allocated by tcf_idr_check_alloc */
|
|
|
|
WARN_ON(!IS_ERR(idr_remove(&idrinfo->action_idr, index)));
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_unlock(&idrinfo->lock);
|
2018-07-05 17:24:32 +03:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(tcf_idr_cleanup);
|
|
|
|
|
|
|
|
/* Check if action with specified index exists. If actions is found, increments
|
|
|
|
* its reference and bind counters, and return 1. Otherwise insert temporary
|
|
|
|
* error pointer (to prevent concurrent users from inserting actions with same
|
|
|
|
* index) and return 0.
|
|
|
|
*/
|
|
|
|
|
|
|
|
int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
|
|
|
|
struct tc_action **a, int bind)
|
|
|
|
{
|
|
|
|
struct tcf_idrinfo *idrinfo = tn->idrinfo;
|
|
|
|
struct tc_action *p;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
again:
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_lock(&idrinfo->lock);
|
2018-07-05 17:24:32 +03:00
|
|
|
if (*index) {
|
|
|
|
p = idr_find(&idrinfo->action_idr, *index);
|
|
|
|
if (IS_ERR(p)) {
|
|
|
|
/* This means that another process allocated
|
|
|
|
* index but did not assign the pointer yet.
|
|
|
|
*/
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_unlock(&idrinfo->lock);
|
2018-07-05 17:24:32 +03:00
|
|
|
goto again;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (p) {
|
|
|
|
refcount_inc(&p->tcfa_refcnt);
|
|
|
|
if (bind)
|
|
|
|
atomic_inc(&p->tcfa_bindcnt);
|
|
|
|
*a = p;
|
|
|
|
ret = 1;
|
|
|
|
} else {
|
|
|
|
*a = NULL;
|
|
|
|
ret = idr_alloc_u32(&idrinfo->action_idr, NULL, index,
|
2018-10-02 22:50:19 +03:00
|
|
|
*index, GFP_KERNEL);
|
2018-07-05 17:24:32 +03:00
|
|
|
if (!ret)
|
|
|
|
idr_replace(&idrinfo->action_idr,
|
|
|
|
ERR_PTR(-EBUSY), *index);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
*index = 1;
|
|
|
|
*a = NULL;
|
|
|
|
ret = idr_alloc_u32(&idrinfo->action_idr, NULL, index,
|
2018-10-02 22:50:19 +03:00
|
|
|
UINT_MAX, GFP_KERNEL);
|
2018-07-05 17:24:32 +03:00
|
|
|
if (!ret)
|
|
|
|
idr_replace(&idrinfo->action_idr, ERR_PTR(-EBUSY),
|
|
|
|
*index);
|
|
|
|
}
|
2018-10-02 22:50:19 +03:00
|
|
|
mutex_unlock(&idrinfo->lock);
|
2018-07-05 17:24:32 +03:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(tcf_idr_check_alloc);
|
|
|
|
|
2017-08-30 09:31:59 +03:00
|
|
|
void tcf_idrinfo_destroy(const struct tc_action_ops *ops,
|
|
|
|
struct tcf_idrinfo *idrinfo)
|
2016-02-23 02:57:52 +03:00
|
|
|
{
|
2017-08-30 09:31:59 +03:00
|
|
|
struct idr *idr = &idrinfo->action_idr;
|
|
|
|
struct tc_action *p;
|
|
|
|
int ret;
|
|
|
|
unsigned long id = 1;
|
2019-06-28 21:03:41 +03:00
|
|
|
unsigned long tmp;
|
2016-02-23 02:57:52 +03:00
|
|
|
|
2019-06-28 21:03:41 +03:00
|
|
|
idr_for_each_entry_ul(idr, p, tmp, id) {
|
2017-08-30 09:31:59 +03:00
|
|
|
ret = __tcf_idr_release(p, false, true);
|
|
|
|
if (ret == ACT_P_DELETED)
|
|
|
|
module_put(ops->owner);
|
|
|
|
else if (ret < 0)
|
|
|
|
return;
|
2016-02-23 02:57:52 +03:00
|
|
|
}
|
2017-08-30 09:31:59 +03:00
|
|
|
idr_destroy(&idrinfo->action_idr);
|
2016-02-23 02:57:52 +03:00
|
|
|
}
|
2017-08-30 09:31:59 +03:00
|
|
|
EXPORT_SYMBOL(tcf_idrinfo_destroy);
|
2016-02-23 02:57:52 +03:00
|
|
|
|
2013-12-16 08:15:10 +04:00
|
|
|
static LIST_HEAD(act_base);
|
2005-04-17 02:20:36 +04:00
|
|
|
static DEFINE_RWLOCK(act_mod_lock);
|
|
|
|
|
2016-02-23 02:57:53 +03:00
|
|
|
int tcf_register_action(struct tc_action_ops *act,
|
|
|
|
struct pernet_operations *ops)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2013-12-16 08:15:10 +04:00
|
|
|
struct tc_action_ops *a;
|
2016-02-23 02:57:53 +03:00
|
|
|
int ret;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2016-02-23 02:57:53 +03:00
|
|
|
if (!act->act || !act->dump || !act->init || !act->walk || !act->lookup)
|
2013-12-04 18:26:52 +04:00
|
|
|
return -EINVAL;
|
|
|
|
|
2016-10-11 20:56:45 +03:00
|
|
|
/* We have to register pernet ops before making the action ops visible,
|
|
|
|
* otherwise tcf_action_init_1() could get a partially initialized
|
|
|
|
* netns.
|
|
|
|
*/
|
|
|
|
ret = register_pernet_subsys(ops);
|
|
|
|
if (ret)
|
|
|
|
return ret;
|
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
write_lock(&act_mod_lock);
|
2013-12-16 08:15:10 +04:00
|
|
|
list_for_each_entry(a, &act_base, head) {
|
2019-02-10 15:25:00 +03:00
|
|
|
if (act->id == a->id || (strcmp(act->kind, a->kind) == 0)) {
|
2005-04-17 02:20:36 +04:00
|
|
|
write_unlock(&act_mod_lock);
|
2016-10-11 20:56:45 +03:00
|
|
|
unregister_pernet_subsys(ops);
|
2005-04-17 02:20:36 +04:00
|
|
|
return -EEXIST;
|
|
|
|
}
|
|
|
|
}
|
2013-12-16 08:15:10 +04:00
|
|
|
list_add_tail(&act->head, &act_base);
|
2005-04-17 02:20:36 +04:00
|
|
|
write_unlock(&act_mod_lock);
|
2016-02-23 02:57:53 +03:00
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
return 0;
|
|
|
|
}
|
2008-01-23 09:10:23 +03:00
|
|
|
EXPORT_SYMBOL(tcf_register_action);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2016-02-23 02:57:53 +03:00
|
|
|
int tcf_unregister_action(struct tc_action_ops *act,
|
|
|
|
struct pernet_operations *ops)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2013-12-16 08:15:10 +04:00
|
|
|
struct tc_action_ops *a;
|
2005-04-17 02:20:36 +04:00
|
|
|
int err = -ENOENT;
|
|
|
|
|
|
|
|
write_lock(&act_mod_lock);
|
2013-12-21 00:32:32 +04:00
|
|
|
list_for_each_entry(a, &act_base, head) {
|
|
|
|
if (a == act) {
|
|
|
|
list_del(&act->head);
|
|
|
|
err = 0;
|
2005-04-17 02:20:36 +04:00
|
|
|
break;
|
2013-12-21 00:32:32 +04:00
|
|
|
}
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
write_unlock(&act_mod_lock);
|
2016-10-11 20:56:45 +03:00
|
|
|
if (!err)
|
|
|
|
unregister_pernet_subsys(ops);
|
2005-04-17 02:20:36 +04:00
|
|
|
return err;
|
|
|
|
}
|
2008-01-23 09:10:23 +03:00
|
|
|
EXPORT_SYMBOL(tcf_unregister_action);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
/* lookup by name */
|
|
|
|
static struct tc_action_ops *tc_lookup_action_n(char *kind)
|
|
|
|
{
|
2013-12-21 00:32:32 +04:00
|
|
|
struct tc_action_ops *a, *res = NULL;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
if (kind) {
|
|
|
|
read_lock(&act_mod_lock);
|
2013-12-16 08:15:10 +04:00
|
|
|
list_for_each_entry(a, &act_base, head) {
|
2005-04-17 02:20:36 +04:00
|
|
|
if (strcmp(kind, a->kind) == 0) {
|
2013-12-21 00:32:32 +04:00
|
|
|
if (try_module_get(a->owner))
|
|
|
|
res = a;
|
2005-04-17 02:20:36 +04:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
read_unlock(&act_mod_lock);
|
|
|
|
}
|
2013-12-21 00:32:32 +04:00
|
|
|
return res;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2008-01-23 09:11:50 +03:00
|
|
|
/* lookup by nlattr */
|
|
|
|
static struct tc_action_ops *tc_lookup_action(struct nlattr *kind)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2013-12-21 00:32:32 +04:00
|
|
|
struct tc_action_ops *a, *res = NULL;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
if (kind) {
|
|
|
|
read_lock(&act_mod_lock);
|
2013-12-16 08:15:10 +04:00
|
|
|
list_for_each_entry(a, &act_base, head) {
|
2008-01-23 09:11:50 +03:00
|
|
|
if (nla_strcmp(kind, a->kind) == 0) {
|
2013-12-21 00:32:32 +04:00
|
|
|
if (try_module_get(a->owner))
|
|
|
|
res = a;
|
2005-04-17 02:20:36 +04:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
read_unlock(&act_mod_lock);
|
|
|
|
}
|
2013-12-21 00:32:32 +04:00
|
|
|
return res;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2020-11-09 10:02:17 +03:00
|
|
|
/*TCA_ACT_MAX_PRIO is 32, there count up to 32 */
|
2017-04-23 20:17:28 +03:00
|
|
|
#define TCA_ACT_MAX_PRIO_MASK 0x1FF
|
2016-08-14 08:35:00 +03:00
|
|
|
int tcf_action_exec(struct sk_buff *skb, struct tc_action **actions,
|
|
|
|
int nr_actions, struct tcf_result *res)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2017-04-23 20:17:28 +03:00
|
|
|
u32 jmp_prgcnt = 0;
|
|
|
|
u32 jmp_ttl = TCA_ACT_MAX_PRIO; /*matches actions per filter */
|
2017-08-04 15:29:02 +03:00
|
|
|
int i;
|
|
|
|
int ret = TC_ACT_OK;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2017-01-08 01:06:35 +03:00
|
|
|
if (skb_skip_tc_classify(skb))
|
|
|
|
return TC_ACT_OK;
|
|
|
|
|
2017-04-23 20:17:28 +03:00
|
|
|
restart_act_graph:
|
2016-08-14 08:35:00 +03:00
|
|
|
for (i = 0; i < nr_actions; i++) {
|
|
|
|
const struct tc_action *a = actions[i];
|
|
|
|
|
2017-04-23 20:17:28 +03:00
|
|
|
if (jmp_prgcnt > 0) {
|
|
|
|
jmp_prgcnt -= 1;
|
|
|
|
continue;
|
|
|
|
}
|
2005-04-17 02:20:36 +04:00
|
|
|
repeat:
|
2013-12-23 17:02:12 +04:00
|
|
|
ret = a->ops->act(skb, a, res);
|
|
|
|
if (ret == TC_ACT_REPEAT)
|
|
|
|
goto repeat; /* we need a ttl - JHS */
|
2017-04-23 20:17:28 +03:00
|
|
|
|
2017-05-02 11:12:00 +03:00
|
|
|
if (TC_ACT_EXT_CMP(ret, TC_ACT_JUMP)) {
|
2017-04-23 20:17:28 +03:00
|
|
|
jmp_prgcnt = ret & TCA_ACT_MAX_PRIO_MASK;
|
|
|
|
if (!jmp_prgcnt || (jmp_prgcnt > nr_actions)) {
|
|
|
|
/* faulty opcode, stop pipeline */
|
|
|
|
return TC_ACT_OK;
|
|
|
|
} else {
|
|
|
|
jmp_ttl -= 1;
|
|
|
|
if (jmp_ttl > 0)
|
|
|
|
goto restart_act_graph;
|
|
|
|
else /* faulty graph, stop pipeline */
|
|
|
|
return TC_ACT_OK;
|
|
|
|
}
|
2017-05-17 12:08:03 +03:00
|
|
|
} else if (TC_ACT_EXT_CMP(ret, TC_ACT_GOTO_CHAIN)) {
|
2019-03-20 17:00:16 +03:00
|
|
|
if (unlikely(!rcu_access_pointer(a->goto_chain))) {
|
|
|
|
net_warn_ratelimited("can't go to NULL chain!\n");
|
|
|
|
return TC_ACT_SHOT;
|
|
|
|
}
|
2017-05-17 12:08:03 +03:00
|
|
|
tcf_action_goto_chain_exec(a, res);
|
2017-04-23 20:17:28 +03:00
|
|
|
}
|
|
|
|
|
2013-12-23 17:02:12 +04:00
|
|
|
if (ret != TC_ACT_PIPE)
|
2017-01-08 01:06:35 +03:00
|
|
|
break;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
2017-04-23 20:17:28 +03:00
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
return ret;
|
|
|
|
}
|
2008-01-23 09:10:23 +03:00
|
|
|
EXPORT_SYMBOL(tcf_action_exec);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2018-07-05 17:24:33 +03:00
|
|
|
int tcf_action_destroy(struct tc_action *actions[], int bind)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2017-09-13 18:32:37 +03:00
|
|
|
const struct tc_action_ops *ops;
|
2018-07-05 17:24:33 +03:00
|
|
|
struct tc_action *a;
|
|
|
|
int ret = 0, i;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2018-07-05 17:24:33 +03:00
|
|
|
for (i = 0; i < TCA_ACT_MAX_PRIO && actions[i]; i++) {
|
|
|
|
a = actions[i];
|
|
|
|
actions[i] = NULL;
|
2017-09-13 18:32:37 +03:00
|
|
|
ops = a->ops;
|
2017-08-30 09:31:59 +03:00
|
|
|
ret = __tcf_idr_release(a, bind, true);
|
2014-02-12 05:07:34 +04:00
|
|
|
if (ret == ACT_P_DELETED)
|
2017-09-13 18:32:37 +03:00
|
|
|
module_put(ops->owner);
|
2014-02-12 05:07:34 +04:00
|
|
|
else if (ret < 0)
|
|
|
|
return ret;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
2014-02-12 05:07:34 +04:00
|
|
|
return ret;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2018-07-05 17:24:29 +03:00
|
|
|
static int tcf_action_put(struct tc_action *p)
|
|
|
|
{
|
|
|
|
return __tcf_action_put(p, false);
|
|
|
|
}
|
|
|
|
|
2018-08-19 22:22:05 +03:00
|
|
|
/* Put all actions in this array, skip those NULL's. */
|
2018-07-05 17:24:33 +03:00
|
|
|
static void tcf_action_put_many(struct tc_action *actions[])
|
2018-07-05 17:24:31 +03:00
|
|
|
{
|
2018-07-05 17:24:33 +03:00
|
|
|
int i;
|
2018-07-05 17:24:31 +03:00
|
|
|
|
2018-08-19 22:22:05 +03:00
|
|
|
for (i = 0; i < TCA_ACT_MAX_PRIO; i++) {
|
2018-07-05 17:24:33 +03:00
|
|
|
struct tc_action *a = actions[i];
|
2018-08-19 22:22:05 +03:00
|
|
|
const struct tc_action_ops *ops;
|
2018-07-05 17:24:31 +03:00
|
|
|
|
2018-08-19 22:22:05 +03:00
|
|
|
if (!a)
|
|
|
|
continue;
|
|
|
|
ops = a->ops;
|
2018-07-05 17:24:31 +03:00
|
|
|
if (tcf_action_put(a))
|
|
|
|
module_put(ops->owner);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
int
|
|
|
|
tcf_action_dump_old(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
|
|
|
|
{
|
|
|
|
return a->ops->dump(skb, a, bind, ref);
|
|
|
|
}
|
|
|
|
|
2020-05-15 14:40:12 +03:00
|
|
|
int
|
|
|
|
tcf_action_dump_1(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
|
|
|
|
{
|
|
|
|
int err = -EINVAL;
|
|
|
|
unsigned char *b = skb_tail_pointer(skb);
|
|
|
|
struct nlattr *nest;
|
|
|
|
|
2020-11-02 23:12:43 +03:00
|
|
|
if (tcf_action_dump_terse(skb, a, false))
|
2020-05-15 14:40:12 +03:00
|
|
|
goto nla_put_failure;
|
|
|
|
|
2020-03-28 18:37:42 +03:00
|
|
|
if (a->hw_stats != TCA_ACT_HW_STATS_ANY &&
|
|
|
|
nla_put_bitfield32(skb, TCA_ACT_HW_STATS,
|
|
|
|
a->hw_stats, TCA_ACT_HW_STATS_ANY))
|
|
|
|
goto nla_put_failure;
|
2019-10-30 17:09:06 +03:00
|
|
|
|
2020-03-28 18:37:43 +03:00
|
|
|
if (a->used_hw_stats_valid &&
|
|
|
|
nla_put_bitfield32(skb, TCA_ACT_USED_HW_STATS,
|
|
|
|
a->used_hw_stats, TCA_ACT_HW_STATS_ANY))
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
2020-03-28 18:37:42 +03:00
|
|
|
if (a->tcfa_flags &&
|
|
|
|
nla_put_bitfield32(skb, TCA_ACT_FLAGS,
|
|
|
|
a->tcfa_flags, a->tcfa_flags))
|
|
|
|
goto nla_put_failure;
|
2019-10-30 17:09:06 +03:00
|
|
|
|
2019-04-26 12:13:06 +03:00
|
|
|
nest = nla_nest_start_noflag(skb, TCA_OPTIONS);
|
2008-01-24 07:34:11 +03:00
|
|
|
if (nest == NULL)
|
|
|
|
goto nla_put_failure;
|
2011-01-19 22:26:56 +03:00
|
|
|
err = tcf_action_dump_old(skb, a, bind, ref);
|
|
|
|
if (err > 0) {
|
2008-01-24 07:34:11 +03:00
|
|
|
nla_nest_end(skb, nest);
|
2005-04-17 02:20:36 +04:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2008-01-23 09:11:50 +03:00
|
|
|
nla_put_failure:
|
2007-03-26 10:06:12 +04:00
|
|
|
nlmsg_trim(skb, b);
|
2005-04-17 02:20:36 +04:00
|
|
|
return -1;
|
|
|
|
}
|
2008-01-23 09:10:23 +03:00
|
|
|
EXPORT_SYMBOL(tcf_action_dump_1);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2018-07-05 17:24:33 +03:00
|
|
|
int tcf_action_dump(struct sk_buff *skb, struct tc_action *actions[],
|
2020-05-15 14:40:12 +03:00
|
|
|
int bind, int ref, bool terse)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
|
|
|
struct tc_action *a;
|
2018-07-05 17:24:33 +03:00
|
|
|
int err = -EINVAL, i;
|
2008-01-24 07:34:11 +03:00
|
|
|
struct nlattr *nest;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2018-07-05 17:24:33 +03:00
|
|
|
for (i = 0; i < TCA_ACT_MAX_PRIO && actions[i]; i++) {
|
|
|
|
a = actions[i];
|
2019-05-23 09:32:31 +03:00
|
|
|
nest = nla_nest_start_noflag(skb, i + 1);
|
2008-01-24 07:34:11 +03:00
|
|
|
if (nest == NULL)
|
|
|
|
goto nla_put_failure;
|
2020-11-02 23:12:43 +03:00
|
|
|
err = terse ? tcf_action_dump_terse(skb, a, false) :
|
2020-05-15 14:40:12 +03:00
|
|
|
tcf_action_dump_1(skb, a, bind, ref);
|
2005-04-17 02:20:36 +04:00
|
|
|
if (err < 0)
|
2006-07-06 07:47:28 +04:00
|
|
|
goto errout;
|
2008-01-24 07:34:11 +03:00
|
|
|
nla_nest_end(skb, nest);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
2008-01-23 09:11:50 +03:00
|
|
|
nla_put_failure:
|
2006-07-06 07:47:28 +04:00
|
|
|
err = -EINVAL;
|
|
|
|
errout:
|
2008-01-24 07:34:11 +03:00
|
|
|
nla_nest_cancel(skb, nest);
|
2006-07-06 07:47:28 +04:00
|
|
|
return err;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2017-04-20 15:08:26 +03:00
|
|
|
static struct tc_cookie *nla_memdup_cookie(struct nlattr **tb)
|
2017-01-24 15:02:41 +03:00
|
|
|
{
|
2017-04-20 15:08:26 +03:00
|
|
|
struct tc_cookie *c = kzalloc(sizeof(*c), GFP_KERNEL);
|
|
|
|
if (!c)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
c->data = nla_memdup(tb[TCA_ACT_COOKIE], GFP_KERNEL);
|
|
|
|
if (!c->data) {
|
|
|
|
kfree(c);
|
|
|
|
return NULL;
|
2017-01-24 15:02:41 +03:00
|
|
|
}
|
2017-04-20 15:08:26 +03:00
|
|
|
c->len = nla_len(tb[TCA_ACT_COOKIE]);
|
2017-01-24 15:02:41 +03:00
|
|
|
|
2017-04-20 15:08:26 +03:00
|
|
|
return c;
|
2017-01-24 15:02:41 +03:00
|
|
|
}
|
|
|
|
|
2020-03-20 02:26:23 +03:00
|
|
|
static u8 tcf_action_hw_stats_get(struct nlattr *hw_stats_attr)
|
2020-03-07 14:40:20 +03:00
|
|
|
{
|
2020-03-20 02:26:23 +03:00
|
|
|
struct nla_bitfield32 hw_stats_bf;
|
2020-03-07 14:40:20 +03:00
|
|
|
|
|
|
|
/* If the user did not pass the attr, that means he does
|
|
|
|
* not care about the type. Return "any" in that case
|
|
|
|
* which is setting on all supported types.
|
|
|
|
*/
|
2020-03-20 02:26:23 +03:00
|
|
|
if (!hw_stats_attr)
|
|
|
|
return TCA_ACT_HW_STATS_ANY;
|
|
|
|
hw_stats_bf = nla_get_bitfield32(hw_stats_attr);
|
|
|
|
return hw_stats_bf.value;
|
2020-03-07 14:40:20 +03:00
|
|
|
}
|
|
|
|
|
2019-09-19 04:44:43 +03:00
|
|
|
static const struct nla_policy tcf_action_policy[TCA_ACT_MAX + 1] = {
|
2019-10-07 23:26:29 +03:00
|
|
|
[TCA_ACT_KIND] = { .type = NLA_STRING },
|
2019-09-19 04:44:43 +03:00
|
|
|
[TCA_ACT_INDEX] = { .type = NLA_U32 },
|
|
|
|
[TCA_ACT_COOKIE] = { .type = NLA_BINARY,
|
|
|
|
.len = TC_COOKIE_MAX_SIZE },
|
|
|
|
[TCA_ACT_OPTIONS] = { .type = NLA_NESTED },
|
2020-04-30 23:13:05 +03:00
|
|
|
[TCA_ACT_FLAGS] = NLA_POLICY_BITFIELD32(TCA_ACT_FLAGS_NO_PERCPU_STATS),
|
|
|
|
[TCA_ACT_HW_STATS] = NLA_POLICY_BITFIELD32(TCA_ACT_HW_STATS_ANY),
|
2019-09-19 04:44:43 +03:00
|
|
|
};
|
|
|
|
|
2021-02-16 19:22:00 +03:00
|
|
|
void tcf_idr_insert_many(struct tc_action *actions[])
|
2020-09-23 06:56:23 +03:00
|
|
|
{
|
2020-09-23 06:56:24 +03:00
|
|
|
int i;
|
2020-09-23 06:56:23 +03:00
|
|
|
|
2020-09-23 06:56:24 +03:00
|
|
|
for (i = 0; i < TCA_ACT_MAX_PRIO; i++) {
|
|
|
|
struct tc_action *a = actions[i];
|
|
|
|
struct tcf_idrinfo *idrinfo;
|
|
|
|
|
|
|
|
if (!a)
|
|
|
|
continue;
|
|
|
|
idrinfo = a->idrinfo;
|
|
|
|
mutex_lock(&idrinfo->lock);
|
|
|
|
/* Replace ERR_PTR(-EBUSY) allocated by tcf_idr_check_alloc if
|
|
|
|
* it is just created, otherwise this is just a nop.
|
|
|
|
*/
|
|
|
|
idr_replace(&idrinfo->action_idr, a, a->tcfa_index);
|
|
|
|
mutex_unlock(&idrinfo->lock);
|
|
|
|
}
|
2020-09-23 06:56:23 +03:00
|
|
|
}
|
|
|
|
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
struct tc_action_ops *tc_action_load_ops(char *name, struct nlattr *nla,
|
|
|
|
bool rtnl_held,
|
|
|
|
struct netlink_ext_ack *extack)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
struct nlattr *tb[TCA_ACT_MAX + 1];
|
2005-04-17 02:20:36 +04:00
|
|
|
struct tc_action_ops *a_o;
|
|
|
|
char act_name[IFNAMSIZ];
|
2008-01-23 09:11:50 +03:00
|
|
|
struct nlattr *kind;
|
2008-01-24 07:33:13 +03:00
|
|
|
int err;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
if (name == NULL) {
|
2019-09-19 04:44:43 +03:00
|
|
|
err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla,
|
|
|
|
tcf_action_policy, extack);
|
2008-01-24 07:33:32 +03:00
|
|
|
if (err < 0)
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
return ERR_PTR(err);
|
2008-01-24 07:33:32 +03:00
|
|
|
err = -EINVAL;
|
2008-01-23 09:11:50 +03:00
|
|
|
kind = tb[TCA_ACT_KIND];
|
2018-02-15 18:54:55 +03:00
|
|
|
if (!kind) {
|
|
|
|
NL_SET_ERR_MSG(extack, "TC action kind must be specified");
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
return ERR_PTR(err);
|
2018-02-15 18:54:55 +03:00
|
|
|
}
|
2020-11-15 20:08:06 +03:00
|
|
|
if (nla_strscpy(act_name, kind, IFNAMSIZ) < 0) {
|
2019-10-07 23:26:29 +03:00
|
|
|
NL_SET_ERR_MSG(extack, "TC action name too long");
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
return ERR_PTR(err);
|
2019-10-07 23:26:29 +03:00
|
|
|
}
|
2005-04-17 02:20:36 +04:00
|
|
|
} else {
|
2018-02-15 18:54:55 +03:00
|
|
|
if (strlcpy(act_name, name, IFNAMSIZ) >= IFNAMSIZ) {
|
|
|
|
NL_SET_ERR_MSG(extack, "TC action name too long");
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
return ERR_PTR(-EINVAL);
|
2018-02-15 18:54:55 +03:00
|
|
|
}
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
a_o = tc_lookup_action_n(act_name);
|
|
|
|
if (a_o == NULL) {
|
2008-10-17 02:24:51 +04:00
|
|
|
#ifdef CONFIG_MODULES
|
2018-07-05 17:24:25 +03:00
|
|
|
if (rtnl_held)
|
|
|
|
rtnl_unlock();
|
2006-01-09 09:22:14 +03:00
|
|
|
request_module("act_%s", act_name);
|
2018-07-05 17:24:25 +03:00
|
|
|
if (rtnl_held)
|
|
|
|
rtnl_lock();
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
a_o = tc_lookup_action_n(act_name);
|
|
|
|
|
|
|
|
/* We dropped the RTNL semaphore in order to
|
|
|
|
* perform the module load. So, even if we
|
|
|
|
* succeeded in loading the module we have to
|
|
|
|
* tell the caller to replay the request. We
|
|
|
|
* indicate this using -EAGAIN.
|
|
|
|
*/
|
|
|
|
if (a_o != NULL) {
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
module_put(a_o->owner);
|
|
|
|
return ERR_PTR(-EAGAIN);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
#endif
|
2018-02-15 18:54:55 +03:00
|
|
|
NL_SET_ERR_MSG(extack, "Failed to load TC action module");
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
return ERR_PTR(-ENOENT);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
return a_o;
|
|
|
|
}
|
|
|
|
|
|
|
|
struct tc_action *tcf_action_init_1(struct net *net, struct tcf_proto *tp,
|
|
|
|
struct nlattr *nla, struct nlattr *est,
|
|
|
|
char *name, int ovr, int bind,
|
2021-04-07 18:36:03 +03:00
|
|
|
struct tc_action_ops *a_o, int *init_res,
|
|
|
|
bool rtnl_held,
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
struct netlink_ext_ack *extack)
|
|
|
|
{
|
|
|
|
struct nla_bitfield32 flags = { 0, 0 };
|
|
|
|
u8 hw_stats = TCA_ACT_HW_STATS_ANY;
|
|
|
|
struct nlattr *tb[TCA_ACT_MAX + 1];
|
|
|
|
struct tc_cookie *cookie = NULL;
|
|
|
|
struct tc_action *a;
|
|
|
|
int err;
|
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
/* backward compatibility for policer */
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
if (name == NULL) {
|
|
|
|
err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla,
|
|
|
|
tcf_action_policy, extack);
|
|
|
|
if (err < 0)
|
|
|
|
return ERR_PTR(err);
|
|
|
|
if (tb[TCA_ACT_COOKIE]) {
|
|
|
|
cookie = nla_memdup_cookie(tb);
|
|
|
|
if (!cookie) {
|
|
|
|
NL_SET_ERR_MSG(extack, "No memory to generate TC cookie");
|
|
|
|
err = -ENOMEM;
|
|
|
|
goto err_out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
hw_stats = tcf_action_hw_stats_get(tb[TCA_ACT_HW_STATS]);
|
|
|
|
if (tb[TCA_ACT_FLAGS])
|
|
|
|
flags = nla_get_bitfield32(tb[TCA_ACT_FLAGS]);
|
|
|
|
|
2018-02-15 18:54:56 +03:00
|
|
|
err = a_o->init(net, tb[TCA_ACT_OPTIONS], est, &a, ovr, bind,
|
2019-10-30 17:09:05 +03:00
|
|
|
rtnl_held, tp, flags.value, extack);
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
} else {
|
2018-07-05 17:24:25 +03:00
|
|
|
err = a_o->init(net, nla, est, &a, ovr, bind, rtnl_held,
|
2019-10-30 17:09:05 +03:00
|
|
|
tp, flags.value, extack);
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
}
|
2008-01-24 07:33:13 +03:00
|
|
|
if (err < 0)
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
goto err_out;
|
2021-04-07 18:36:03 +03:00
|
|
|
*init_res = err;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2018-07-05 17:24:23 +03:00
|
|
|
if (!name && tb[TCA_ACT_COOKIE])
|
|
|
|
tcf_set_action_cookie(&a->act_cookie, cookie);
|
2017-01-24 15:02:41 +03:00
|
|
|
|
2020-03-07 14:40:20 +03:00
|
|
|
if (!name)
|
2020-03-20 02:26:23 +03:00
|
|
|
a->hw_stats = hw_stats;
|
2020-03-07 14:40:20 +03:00
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
/* module count goes up only when brand new policy is created
|
2011-01-19 22:26:56 +03:00
|
|
|
* if it exists and is only bound to in a_o->init() then
|
|
|
|
* ACT_P_CREATED is not returned (a zero is).
|
|
|
|
*/
|
2008-01-24 07:33:13 +03:00
|
|
|
if (err != ACT_P_CREATED)
|
2005-04-17 02:20:36 +04:00
|
|
|
module_put(a_o->owner);
|
|
|
|
|
|
|
|
return a;
|
|
|
|
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
err_out:
|
2017-04-20 15:08:26 +03:00
|
|
|
if (cookie) {
|
|
|
|
kfree(cookie->data);
|
|
|
|
kfree(cookie);
|
|
|
|
}
|
2008-01-24 07:33:13 +03:00
|
|
|
return ERR_PTR(err);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2018-07-05 17:24:33 +03:00
|
|
|
/* Returns numbers of initialized actions or negative error. */
|
|
|
|
|
2017-05-17 12:08:02 +03:00
|
|
|
int tcf_action_init(struct net *net, struct tcf_proto *tp, struct nlattr *nla,
|
|
|
|
struct nlattr *est, char *name, int ovr, int bind,
|
2021-04-07 18:36:03 +03:00
|
|
|
struct tc_action *actions[], int init_res[], size_t *attr_size,
|
2018-07-05 17:24:25 +03:00
|
|
|
bool rtnl_held, struct netlink_ext_ack *extack)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
struct tc_action_ops *ops[TCA_ACT_MAX_PRIO] = {};
|
2011-01-19 22:26:56 +03:00
|
|
|
struct nlattr *tb[TCA_ACT_MAX_PRIO + 1];
|
2013-12-16 08:15:05 +04:00
|
|
|
struct tc_action *act;
|
2018-03-09 00:59:19 +03:00
|
|
|
size_t sz = 0;
|
2008-01-24 07:33:32 +03:00
|
|
|
int err;
|
2005-04-17 02:20:36 +04:00
|
|
|
int i;
|
|
|
|
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 15:07:28 +03:00
|
|
|
err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX_PRIO, nla, NULL,
|
|
|
|
extack);
|
2008-01-24 07:33:32 +03:00
|
|
|
if (err < 0)
|
2013-12-16 08:15:05 +04:00
|
|
|
return err;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
|
|
|
|
struct tc_action_ops *a_o;
|
|
|
|
|
|
|
|
a_o = tc_action_load_ops(name, tb[i], rtnl_held, extack);
|
|
|
|
if (IS_ERR(a_o)) {
|
|
|
|
err = PTR_ERR(a_o);
|
|
|
|
goto err_mod;
|
|
|
|
}
|
|
|
|
ops[i - 1] = a_o;
|
|
|
|
}
|
|
|
|
|
2008-01-23 09:11:50 +03:00
|
|
|
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
|
2018-02-15 18:54:54 +03:00
|
|
|
act = tcf_action_init_1(net, tp, tb[i], est, name, ovr, bind,
|
2021-04-07 18:36:03 +03:00
|
|
|
ops[i - 1], &init_res[i - 1], rtnl_held,
|
|
|
|
extack);
|
2013-12-16 08:15:05 +04:00
|
|
|
if (IS_ERR(act)) {
|
|
|
|
err = PTR_ERR(act);
|
2005-04-17 02:20:36 +04:00
|
|
|
goto err;
|
2013-12-16 08:15:05 +04:00
|
|
|
}
|
2018-03-09 00:59:19 +03:00
|
|
|
sz += tcf_action_fill_size(act);
|
2018-07-05 17:24:33 +03:00
|
|
|
/* Start from index 0 */
|
|
|
|
actions[i - 1] = act;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
2016-09-20 02:02:51 +03:00
|
|
|
|
2020-09-23 06:56:24 +03:00
|
|
|
/* We have to commit them all together, because if any error happened in
|
|
|
|
* between, we could not handle the failure gracefully.
|
|
|
|
*/
|
|
|
|
tcf_idr_insert_many(actions);
|
|
|
|
|
2018-03-09 00:59:19 +03:00
|
|
|
*attr_size = tcf_action_full_attrs_size(sz);
|
2018-07-05 17:24:33 +03:00
|
|
|
return i - 1;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
err:
|
2013-12-16 08:15:05 +04:00
|
|
|
tcf_action_destroy(actions, bind);
|
net_sched: fix RTNL deadlock again caused by request_module()
tcf_action_init_1() loads tc action modules automatically with
request_module() after parsing the tc action names, and it drops RTNL
lock and re-holds it before and after request_module(). This causes a
lot of troubles, as discovered by syzbot, because we can be in the
middle of batch initializations when we create an array of tc actions.
One of the problem is deadlock:
CPU 0 CPU 1
rtnl_lock();
for (...) {
tcf_action_init_1();
-> rtnl_unlock();
-> request_module();
rtnl_lock();
for (...) {
tcf_action_init_1();
-> tcf_idr_check_alloc();
// Insert one action into idr,
// but it is not committed until
// tcf_idr_insert_many(), then drop
// the RTNL lock in the _next_
// iteration
-> rtnl_unlock();
-> rtnl_lock();
-> a_o->init();
-> tcf_idr_check_alloc();
// Now waiting for the same index
// to be committed
-> request_module();
-> rtnl_lock()
// Now waiting for RTNL lock
}
rtnl_unlock();
}
rtnl_unlock();
This is not easy to solve, we can move the request_module() before
this loop and pre-load all the modules we need for this netlink
message and then do the rest initializations. So the loop breaks down
to two now:
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
struct tc_action_ops *a_o;
a_o = tc_action_load_ops(name, tb[i]...);
ops[i - 1] = a_o;
}
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
act = tcf_action_init_1(ops[i - 1]...);
}
Although this looks serious, it only has been reported by syzbot, so it
seems hard to trigger this by humans. And given the size of this patch,
I'd suggest to make it to net-next and not to backport to stable.
This patch has been tested by syzbot and tested with tdc.py by me.
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")
Reported-and-tested-by: syzbot+82752bc5331601cf4899@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+b3b63b6bff456bd95294@syzkaller.appspotmail.com
Reported-by: syzbot+ba67b12b1ca729912834@syzkaller.appspotmail.com
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20210117005657.14810-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-17 03:56:57 +03:00
|
|
|
err_mod:
|
|
|
|
for (i = 0; i < TCA_ACT_MAX_PRIO; i++) {
|
|
|
|
if (ops[i])
|
|
|
|
module_put(ops[i]->owner);
|
|
|
|
}
|
2013-12-16 08:15:05 +04:00
|
|
|
return err;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2020-06-19 09:01:07 +03:00
|
|
|
void tcf_action_update_stats(struct tc_action *a, u64 bytes, u64 packets,
|
|
|
|
u64 drops, bool hw)
|
2019-10-30 17:09:00 +03:00
|
|
|
{
|
2019-10-30 17:09:04 +03:00
|
|
|
if (a->cpu_bstats) {
|
|
|
|
_bstats_cpu_update(this_cpu_ptr(a->cpu_bstats), bytes, packets);
|
2019-10-30 17:09:00 +03:00
|
|
|
|
2020-06-19 09:01:07 +03:00
|
|
|
this_cpu_ptr(a->cpu_qstats)->drops += drops;
|
2019-10-30 17:09:04 +03:00
|
|
|
|
|
|
|
if (hw)
|
|
|
|
_bstats_cpu_update(this_cpu_ptr(a->cpu_bstats_hw),
|
|
|
|
bytes, packets);
|
|
|
|
return;
|
|
|
|
}
|
2019-10-30 17:09:00 +03:00
|
|
|
|
2019-10-30 17:09:04 +03:00
|
|
|
_bstats_update(&a->tcfa_bstats, bytes, packets);
|
2020-06-19 09:01:07 +03:00
|
|
|
a->tcfa_qstats.drops += drops;
|
2019-10-30 17:09:00 +03:00
|
|
|
if (hw)
|
2019-10-30 17:09:04 +03:00
|
|
|
_bstats_update(&a->tcfa_bstats_hw, bytes, packets);
|
2019-10-30 17:09:00 +03:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(tcf_action_update_stats);
|
|
|
|
|
2016-07-26 02:09:42 +03:00
|
|
|
int tcf_action_copy_stats(struct sk_buff *skb, struct tc_action *p,
|
2005-04-17 02:20:36 +04:00
|
|
|
int compat_mode)
|
|
|
|
{
|
|
|
|
int err = 0;
|
|
|
|
struct gnet_dump d;
|
2007-02-09 17:25:16 +03:00
|
|
|
|
2014-01-10 04:14:05 +04:00
|
|
|
if (p == NULL)
|
2005-04-17 02:20:36 +04:00
|
|
|
goto errout;
|
|
|
|
|
|
|
|
/* compat_mode being true specifies a call that is supposed
|
2009-09-29 05:43:57 +04:00
|
|
|
* to add additional backward compatibility statistic TLVs.
|
2005-04-17 02:20:36 +04:00
|
|
|
*/
|
|
|
|
if (compat_mode) {
|
2016-07-26 02:09:42 +03:00
|
|
|
if (p->type == TCA_OLD_COMPAT)
|
2005-04-17 02:20:36 +04:00
|
|
|
err = gnet_stats_start_copy_compat(skb, 0,
|
2016-04-26 11:06:18 +03:00
|
|
|
TCA_STATS,
|
|
|
|
TCA_XSTATS,
|
2016-07-26 02:09:42 +03:00
|
|
|
&p->tcfa_lock, &d,
|
2016-04-26 11:06:18 +03:00
|
|
|
TCA_PAD);
|
2005-04-17 02:20:36 +04:00
|
|
|
else
|
|
|
|
return 0;
|
|
|
|
} else
|
|
|
|
err = gnet_stats_start_copy(skb, TCA_ACT_STATS,
|
2016-07-26 02:09:42 +03:00
|
|
|
&p->tcfa_lock, &d, TCA_ACT_PAD);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
if (err < 0)
|
|
|
|
goto errout;
|
|
|
|
|
2016-07-26 02:09:42 +03:00
|
|
|
if (gnet_stats_copy_basic(NULL, &d, p->cpu_bstats, &p->tcfa_bstats) < 0 ||
|
2018-09-21 14:14:02 +03:00
|
|
|
gnet_stats_copy_basic_hw(NULL, &d, p->cpu_bstats_hw,
|
|
|
|
&p->tcfa_bstats_hw) < 0 ||
|
2016-12-04 20:48:16 +03:00
|
|
|
gnet_stats_copy_rate_est(&d, &p->tcfa_rate_est) < 0 ||
|
2015-07-06 15:18:04 +03:00
|
|
|
gnet_stats_copy_queue(&d, p->cpu_qstats,
|
2016-07-26 02:09:42 +03:00
|
|
|
&p->tcfa_qstats,
|
|
|
|
p->tcfa_qstats.qlen) < 0)
|
2005-04-17 02:20:36 +04:00
|
|
|
goto errout;
|
|
|
|
|
|
|
|
if (gnet_stats_finish_copy(&d) < 0)
|
|
|
|
goto errout;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
errout:
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2018-07-05 17:24:33 +03:00
|
|
|
static int tca_get_fill(struct sk_buff *skb, struct tc_action *actions[],
|
2016-06-05 17:41:32 +03:00
|
|
|
u32 portid, u32 seq, u16 flags, int event, int bind,
|
|
|
|
int ref)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
|
|
|
struct tcamsg *t;
|
|
|
|
struct nlmsghdr *nlh;
|
2007-04-20 07:29:13 +04:00
|
|
|
unsigned char *b = skb_tail_pointer(skb);
|
2008-01-24 07:34:11 +03:00
|
|
|
struct nlattr *nest;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2012-09-08 00:12:54 +04:00
|
|
|
nlh = nlmsg_put(skb, portid, seq, event, sizeof(*t), flags);
|
2012-06-27 08:39:32 +04:00
|
|
|
if (!nlh)
|
|
|
|
goto out_nlmsg_trim;
|
|
|
|
t = nlmsg_data(nlh);
|
2005-04-17 02:20:36 +04:00
|
|
|
t->tca_family = AF_UNSPEC;
|
2005-06-28 23:55:30 +04:00
|
|
|
t->tca__pad1 = 0;
|
|
|
|
t->tca__pad2 = 0;
|
2007-02-09 17:25:16 +03:00
|
|
|
|
2019-04-26 12:13:06 +03:00
|
|
|
nest = nla_nest_start_noflag(skb, TCA_ACT_TAB);
|
2018-02-15 18:54:53 +03:00
|
|
|
if (!nest)
|
2012-06-27 08:39:32 +04:00
|
|
|
goto out_nlmsg_trim;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2020-05-15 14:40:12 +03:00
|
|
|
if (tcf_action_dump(skb, actions, bind, ref, false) < 0)
|
2012-06-27 08:39:32 +04:00
|
|
|
goto out_nlmsg_trim;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2008-01-24 07:34:11 +03:00
|
|
|
nla_nest_end(skb, nest);
|
2007-02-09 17:25:16 +03:00
|
|
|
|
2007-04-20 07:29:13 +04:00
|
|
|
nlh->nlmsg_len = skb_tail_pointer(skb) - b;
|
2005-04-17 02:20:36 +04:00
|
|
|
return skb->len;
|
|
|
|
|
2012-06-27 08:39:32 +04:00
|
|
|
out_nlmsg_trim:
|
2007-03-26 10:06:12 +04:00
|
|
|
nlmsg_trim(skb, b);
|
2005-04-17 02:20:36 +04:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2017-07-13 20:12:18 +03:00
|
|
|
tcf_get_notify(struct net *net, u32 portid, struct nlmsghdr *n,
|
2018-07-05 17:24:33 +03:00
|
|
|
struct tc_action *actions[], int event,
|
2018-02-15 18:54:55 +03:00
|
|
|
struct netlink_ext_ack *extack)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
|
|
|
|
|
|
|
skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
|
|
|
|
if (!skb)
|
|
|
|
return -ENOBUFS;
|
2016-06-05 17:41:32 +03:00
|
|
|
if (tca_get_fill(skb, actions, portid, n->nlmsg_seq, 0, event,
|
2018-07-05 17:24:26 +03:00
|
|
|
0, 1) <= 0) {
|
2018-02-15 18:54:55 +03:00
|
|
|
NL_SET_ERR_MSG(extack, "Failed to fill netlink attributes while adding TC action");
|
2005-04-17 02:20:36 +04:00
|
|
|
kfree_skb(skb);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
2006-08-15 11:30:25 +04:00
|
|
|
|
2012-09-08 00:12:54 +04:00
|
|
|
return rtnl_unicast(skb, net, portid);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2016-02-23 02:57:53 +03:00
|
|
|
static struct tc_action *tcf_action_get_1(struct net *net, struct nlattr *nla,
|
2018-02-15 18:54:55 +03:00
|
|
|
struct nlmsghdr *n, u32 portid,
|
|
|
|
struct netlink_ext_ack *extack)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2011-01-19 22:26:56 +03:00
|
|
|
struct nlattr *tb[TCA_ACT_MAX + 1];
|
2016-07-26 02:09:41 +03:00
|
|
|
const struct tc_action_ops *ops;
|
2005-04-17 02:20:36 +04:00
|
|
|
struct tc_action *a;
|
|
|
|
int index;
|
2008-01-24 07:33:13 +03:00
|
|
|
int err;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2019-09-19 04:44:43 +03:00
|
|
|
err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla,
|
|
|
|
tcf_action_policy, extack);
|
2008-01-24 07:33:32 +03:00
|
|
|
if (err < 0)
|
2008-01-24 07:33:13 +03:00
|
|
|
goto err_out;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2008-01-24 07:33:32 +03:00
|
|
|
err = -EINVAL;
|
2008-01-23 09:11:50 +03:00
|
|
|
if (tb[TCA_ACT_INDEX] == NULL ||
|
2018-02-15 18:54:55 +03:00
|
|
|
nla_len(tb[TCA_ACT_INDEX]) < sizeof(index)) {
|
|
|
|
NL_SET_ERR_MSG(extack, "Invalid TC action index value");
|
2008-01-24 07:33:13 +03:00
|
|
|
goto err_out;
|
2018-02-15 18:54:55 +03:00
|
|
|
}
|
2008-01-24 07:35:03 +03:00
|
|
|
index = nla_get_u32(tb[TCA_ACT_INDEX]);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2008-01-24 07:33:13 +03:00
|
|
|
err = -EINVAL;
|
2016-07-26 02:09:41 +03:00
|
|
|
ops = tc_lookup_action(tb[TCA_ACT_KIND]);
|
2018-02-15 18:54:55 +03:00
|
|
|
if (!ops) { /* could happen in batch of actions */
|
2018-08-29 20:15:35 +03:00
|
|
|
NL_SET_ERR_MSG(extack, "Specified TC action kind not found");
|
2016-07-26 02:09:41 +03:00
|
|
|
goto err_out;
|
2018-02-15 18:54:55 +03:00
|
|
|
}
|
2008-01-24 07:33:13 +03:00
|
|
|
err = -ENOENT;
|
2018-08-29 20:15:35 +03:00
|
|
|
if (ops->lookup(net, &a, index) == 0) {
|
|
|
|
NL_SET_ERR_MSG(extack, "TC action with specified index not found");
|
2005-04-17 02:20:36 +04:00
|
|
|
goto err_mod;
|
2018-08-29 20:15:35 +03:00
|
|
|
}
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2016-07-26 02:09:41 +03:00
|
|
|
module_put(ops->owner);
|
2005-04-17 02:20:36 +04:00
|
|
|
return a;
|
2008-01-24 07:33:13 +03:00
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
err_mod:
|
2016-07-26 02:09:41 +03:00
|
|
|
module_put(ops->owner);
|
2008-01-24 07:33:13 +03:00
|
|
|
err_out:
|
|
|
|
return ERR_PTR(err);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2010-03-19 18:40:13 +03:00
|
|
|
static int tca_action_flush(struct net *net, struct nlattr *nla,
|
2018-02-15 18:54:55 +03:00
|
|
|
struct nlmsghdr *n, u32 portid,
|
|
|
|
struct netlink_ext_ack *extack)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
|
|
|
unsigned char *b;
|
|
|
|
struct nlmsghdr *nlh;
|
|
|
|
struct tcamsg *t;
|
|
|
|
struct netlink_callback dcb;
|
2008-01-24 07:34:11 +03:00
|
|
|
struct nlattr *nest;
|
2011-01-19 22:26:56 +03:00
|
|
|
struct nlattr *tb[TCA_ACT_MAX + 1];
|
2016-07-26 02:09:41 +03:00
|
|
|
const struct tc_action_ops *ops;
|
2008-01-23 09:11:50 +03:00
|
|
|
struct nlattr *kind;
|
2008-08-13 13:41:45 +04:00
|
|
|
int err = -ENOMEM;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
|
2018-02-15 18:54:55 +03:00
|
|
|
if (!skb)
|
2008-08-13 13:41:45 +04:00
|
|
|
return err;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2007-04-20 07:29:13 +04:00
|
|
|
b = skb_tail_pointer(skb);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2019-09-19 04:44:43 +03:00
|
|
|
err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla,
|
|
|
|
tcf_action_policy, extack);
|
2008-01-24 07:33:32 +03:00
|
|
|
if (err < 0)
|
2005-04-17 02:20:36 +04:00
|
|
|
goto err_out;
|
|
|
|
|
2008-01-24 07:33:32 +03:00
|
|
|
err = -EINVAL;
|
2008-01-23 09:11:50 +03:00
|
|
|
kind = tb[TCA_ACT_KIND];
|
2016-07-26 02:09:41 +03:00
|
|
|
ops = tc_lookup_action(kind);
|
2018-02-15 18:54:55 +03:00
|
|
|
if (!ops) { /*some idjot trying to flush unknown action */
|
|
|
|
NL_SET_ERR_MSG(extack, "Cannot flush unknown TC action");
|
2005-04-17 02:20:36 +04:00
|
|
|
goto err_out;
|
2018-02-15 18:54:55 +03:00
|
|
|
}
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2016-06-05 17:41:32 +03:00
|
|
|
nlh = nlmsg_put(skb, portid, n->nlmsg_seq, RTM_DELACTION,
|
|
|
|
sizeof(*t), 0);
|
2018-02-15 18:54:55 +03:00
|
|
|
if (!nlh) {
|
|
|
|
NL_SET_ERR_MSG(extack, "Failed to create TC action flush notification");
|
2012-06-27 08:39:32 +04:00
|
|
|
goto out_module_put;
|
2018-02-15 18:54:55 +03:00
|
|
|
}
|
2012-06-27 08:39:32 +04:00
|
|
|
t = nlmsg_data(nlh);
|
2005-04-17 02:20:36 +04:00
|
|
|
t->tca_family = AF_UNSPEC;
|
2005-06-28 23:55:30 +04:00
|
|
|
t->tca__pad1 = 0;
|
|
|
|
t->tca__pad2 = 0;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2019-04-26 12:13:06 +03:00
|
|
|
nest = nla_nest_start_noflag(skb, TCA_ACT_TAB);
|
2018-02-15 18:54:55 +03:00
|
|
|
if (!nest) {
|
|
|
|
NL_SET_ERR_MSG(extack, "Failed to add new netlink message");
|
2012-06-27 08:39:32 +04:00
|
|
|
goto out_module_put;
|
2018-02-15 18:54:55 +03:00
|
|
|
}
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2018-02-15 18:54:58 +03:00
|
|
|
err = ops->walk(net, skb, &dcb, RTM_DELACTION, ops, extack);
|
2018-02-15 17:50:57 +03:00
|
|
|
if (err <= 0) {
|
|
|
|
nla_nest_cancel(skb, nest);
|
2012-06-27 08:39:32 +04:00
|
|
|
goto out_module_put;
|
2018-02-15 17:50:57 +03:00
|
|
|
}
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2008-01-24 07:34:11 +03:00
|
|
|
nla_nest_end(skb, nest);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2007-04-20 07:29:13 +04:00
|
|
|
nlh->nlmsg_len = skb_tail_pointer(skb) - b;
|
2005-04-17 02:20:36 +04:00
|
|
|
nlh->nlmsg_flags |= NLM_F_ROOT;
|
2016-07-26 02:09:41 +03:00
|
|
|
module_put(ops->owner);
|
2012-09-08 00:12:54 +04:00
|
|
|
err = rtnetlink_send(skb, net, portid, RTNLGRP_TC,
|
2011-01-19 22:26:56 +03:00
|
|
|
n->nlmsg_flags & NLM_F_ECHO);
|
2005-04-17 02:20:36 +04:00
|
|
|
if (err > 0)
|
|
|
|
return 0;
|
2018-02-15 18:54:55 +03:00
|
|
|
if (err < 0)
|
|
|
|
NL_SET_ERR_MSG(extack, "Failed to send TC action flush notification");
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
return err;
|
|
|
|
|
2012-06-27 08:39:32 +04:00
|
|
|
out_module_put:
|
2016-07-26 02:09:41 +03:00
|
|
|
module_put(ops->owner);
|
2005-04-17 02:20:36 +04:00
|
|
|
err_out:
|
|
|
|
kfree_skb(skb);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2018-08-19 22:22:07 +03:00
|
|
|
static int tcf_action_delete(struct net *net, struct tc_action *actions[])
|
2018-07-05 17:24:29 +03:00
|
|
|
{
|
2018-08-19 22:22:06 +03:00
|
|
|
int i;
|
2018-07-05 17:24:29 +03:00
|
|
|
|
2018-07-05 17:24:33 +03:00
|
|
|
for (i = 0; i < TCA_ACT_MAX_PRIO && actions[i]; i++) {
|
|
|
|
struct tc_action *a = actions[i];
|
2018-07-05 17:24:29 +03:00
|
|
|
const struct tc_action_ops *ops = a->ops;
|
|
|
|
/* Actions can be deleted concurrently so we must save their
|
|
|
|
* type and id to search again after reference is released.
|
|
|
|
*/
|
2018-08-19 22:22:06 +03:00
|
|
|
struct tcf_idrinfo *idrinfo = a->idrinfo;
|
|
|
|
u32 act_index = a->tcfa_index;
|
2018-07-05 17:24:29 +03:00
|
|
|
|
2018-09-03 10:04:55 +03:00
|
|
|
actions[i] = NULL;
|
2018-07-05 17:24:29 +03:00
|
|
|
if (tcf_action_put(a)) {
|
|
|
|
/* last reference, action was deleted concurrently */
|
|
|
|
module_put(ops->owner);
|
|
|
|
} else {
|
2018-08-19 22:22:06 +03:00
|
|
|
int ret;
|
|
|
|
|
2018-07-05 17:24:29 +03:00
|
|
|
/* now do the delete */
|
2018-08-19 22:22:06 +03:00
|
|
|
ret = tcf_idr_delete_index(idrinfo, act_index);
|
2018-08-19 22:22:05 +03:00
|
|
|
if (ret < 0)
|
2018-07-05 17:24:29 +03:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-01-10 04:14:00 +04:00
|
|
|
static int
|
2018-07-05 17:24:33 +03:00
|
|
|
tcf_del_notify(struct net *net, struct nlmsghdr *n, struct tc_action *actions[],
|
2018-08-19 22:22:05 +03:00
|
|
|
u32 portid, size_t attr_size, struct netlink_ext_ack *extack)
|
2014-01-10 04:14:00 +04:00
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
struct sk_buff *skb;
|
|
|
|
|
2018-03-09 00:59:17 +03:00
|
|
|
skb = alloc_skb(attr_size <= NLMSG_GOODSIZE ? NLMSG_GOODSIZE : attr_size,
|
|
|
|
GFP_KERNEL);
|
2014-01-10 04:14:00 +04:00
|
|
|
if (!skb)
|
|
|
|
return -ENOBUFS;
|
|
|
|
|
|
|
|
if (tca_get_fill(skb, actions, portid, n->nlmsg_seq, 0, RTM_DELACTION,
|
2018-07-05 17:24:26 +03:00
|
|
|
0, 2) <= 0) {
|
2018-02-15 18:54:55 +03:00
|
|
|
NL_SET_ERR_MSG(extack, "Failed to fill netlink TC action attributes");
|
2014-01-10 04:14:00 +04:00
|
|
|
kfree_skb(skb);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* now do the delete */
|
2018-08-19 22:22:07 +03:00
|
|
|
ret = tcf_action_delete(net, actions);
|
2014-02-12 05:07:34 +04:00
|
|
|
if (ret < 0) {
|
2018-02-15 18:54:55 +03:00
|
|
|
NL_SET_ERR_MSG(extack, "Failed to delete TC action");
|
2014-02-12 05:07:34 +04:00
|
|
|
kfree_skb(skb);
|
|
|
|
return ret;
|
|
|
|
}
|
2014-01-10 04:14:00 +04:00
|
|
|
|
|
|
|
ret = rtnetlink_send(skb, net, portid, RTNLGRP_TC,
|
|
|
|
n->nlmsg_flags & NLM_F_ECHO);
|
|
|
|
if (ret > 0)
|
|
|
|
return 0;
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
static int
|
2010-03-19 18:40:13 +03:00
|
|
|
tca_action_gd(struct net *net, struct nlattr *nla, struct nlmsghdr *n,
|
2018-02-15 18:54:55 +03:00
|
|
|
u32 portid, int event, struct netlink_ext_ack *extack)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2008-01-24 07:33:32 +03:00
|
|
|
int i, ret;
|
2011-01-19 22:26:56 +03:00
|
|
|
struct nlattr *tb[TCA_ACT_MAX_PRIO + 1];
|
2013-12-16 08:15:05 +04:00
|
|
|
struct tc_action *act;
|
2018-03-09 00:59:17 +03:00
|
|
|
size_t attr_size = 0;
|
2018-08-19 22:22:05 +03:00
|
|
|
struct tc_action *actions[TCA_ACT_MAX_PRIO] = {};
|
2005-04-17 02:20:36 +04:00
|
|
|
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 15:07:28 +03:00
|
|
|
ret = nla_parse_nested_deprecated(tb, TCA_ACT_MAX_PRIO, nla, NULL,
|
|
|
|
extack);
|
2008-01-24 07:33:32 +03:00
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2011-01-19 22:26:56 +03:00
|
|
|
if (event == RTM_DELACTION && n->nlmsg_flags & NLM_F_ROOT) {
|
2018-02-15 18:54:53 +03:00
|
|
|
if (tb[1])
|
2018-02-15 18:54:55 +03:00
|
|
|
return tca_action_flush(net, tb[1], n, portid, extack);
|
2018-02-15 18:54:53 +03:00
|
|
|
|
2018-02-15 18:54:55 +03:00
|
|
|
NL_SET_ERR_MSG(extack, "Invalid netlink attributes while flushing TC action");
|
2018-02-15 18:54:53 +03:00
|
|
|
return -EINVAL;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2008-01-23 09:11:50 +03:00
|
|
|
for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
|
2018-02-15 18:54:55 +03:00
|
|
|
act = tcf_action_get_1(net, tb[i], n, portid, extack);
|
2008-01-24 07:33:13 +03:00
|
|
|
if (IS_ERR(act)) {
|
|
|
|
ret = PTR_ERR(act);
|
2005-04-17 02:20:36 +04:00
|
|
|
goto err;
|
2008-01-24 07:33:13 +03:00
|
|
|
}
|
2018-03-09 00:59:19 +03:00
|
|
|
attr_size += tcf_action_fill_size(act);
|
2018-07-05 17:24:33 +03:00
|
|
|
actions[i - 1] = act;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
2018-03-09 00:59:19 +03:00
|
|
|
|
|
|
|
attr_size = tcf_action_full_attrs_size(attr_size);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
if (event == RTM_GETACTION)
|
2018-07-05 17:24:33 +03:00
|
|
|
ret = tcf_get_notify(net, portid, n, actions, event, extack);
|
2005-04-17 02:20:36 +04:00
|
|
|
else { /* delete */
|
2018-08-19 22:22:05 +03:00
|
|
|
ret = tcf_del_notify(net, n, actions, portid, attr_size, extack);
|
2014-01-10 04:14:00 +04:00
|
|
|
if (ret)
|
2005-04-17 02:20:36 +04:00
|
|
|
goto err;
|
2018-08-19 22:22:05 +03:00
|
|
|
return 0;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
err:
|
2018-08-19 22:22:05 +03:00
|
|
|
tcf_action_put_many(actions);
|
2005-04-17 02:20:36 +04:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2014-01-10 04:14:00 +04:00
|
|
|
static int
|
2018-07-05 17:24:33 +03:00
|
|
|
tcf_add_notify(struct net *net, struct nlmsghdr *n, struct tc_action *actions[],
|
2018-03-09 00:59:17 +03:00
|
|
|
u32 portid, size_t attr_size, struct netlink_ext_ack *extack)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
|
|
|
int err = 0;
|
|
|
|
|
2018-03-09 00:59:17 +03:00
|
|
|
skb = alloc_skb(attr_size <= NLMSG_GOODSIZE ? NLMSG_GOODSIZE : attr_size,
|
|
|
|
GFP_KERNEL);
|
2005-04-17 02:20:36 +04:00
|
|
|
if (!skb)
|
|
|
|
return -ENOBUFS;
|
|
|
|
|
2014-01-10 04:14:00 +04:00
|
|
|
if (tca_get_fill(skb, actions, portid, n->nlmsg_seq, n->nlmsg_flags,
|
|
|
|
RTM_NEWACTION, 0, 0) <= 0) {
|
2018-03-03 04:52:01 +03:00
|
|
|
NL_SET_ERR_MSG(extack, "Failed to fill netlink attributes while adding TC action");
|
2014-01-10 04:14:00 +04:00
|
|
|
kfree_skb(skb);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
2007-02-09 17:25:16 +03:00
|
|
|
|
2014-01-10 04:14:00 +04:00
|
|
|
err = rtnetlink_send(skb, net, portid, RTNLGRP_TC,
|
|
|
|
n->nlmsg_flags & NLM_F_ECHO);
|
2005-04-17 02:20:36 +04:00
|
|
|
if (err > 0)
|
|
|
|
err = 0;
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2016-09-18 15:45:33 +03:00
|
|
|
static int tcf_action_add(struct net *net, struct nlattr *nla,
|
2018-02-15 18:54:54 +03:00
|
|
|
struct nlmsghdr *n, u32 portid, int ovr,
|
|
|
|
struct netlink_ext_ack *extack)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2018-03-09 00:59:17 +03:00
|
|
|
size_t attr_size = 0;
|
2021-04-07 18:36:03 +03:00
|
|
|
int loop, ret, i;
|
2018-07-05 17:24:33 +03:00
|
|
|
struct tc_action *actions[TCA_ACT_MAX_PRIO] = {};
|
2021-04-07 18:36:03 +03:00
|
|
|
int init_res[TCA_ACT_MAX_PRIO] = {};
|
2005-04-17 02:20:36 +04:00
|
|
|
|
net: avoid potential infinite loop in tc_ctl_action()
tc_ctl_action() has the ability to loop forever if tcf_action_add()
returns -EAGAIN.
This special case has been done in case a module needed to be loaded,
but it turns out that tcf_add_notify() could also return -EAGAIN
if the socket sk_rcvbuf limit is hit.
We need to separate the two cases, and only loop for the module
loading case.
While we are at it, add a limit of 10 attempts since unbounded
loops are always scary.
syzbot repro was something like :
socket(PF_NETLINK, SOCK_RAW|SOCK_NONBLOCK, NETLINK_ROUTE) = 3
write(3, ..., 38) = 38
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [0], 4) = 0
sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{..., 388}], msg_controllen=0, msg_flags=0x10}, ...)
NMI backtrace for cpu 0
CPU: 0 PID: 1054 Comm: khungtaskd Not tainted 5.4.0-rc1+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
nmi_cpu_backtrace.cold+0x70/0xb2 lib/nmi_backtrace.c:101
nmi_trigger_cpumask_backtrace+0x23b/0x28b lib/nmi_backtrace.c:62
arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline]
watchdog+0x9d0/0xef0 kernel/hung_task.c:289
kthread+0x361/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 8859 Comm: syz-executor910 Not tainted 5.4.0-rc1+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:751 [inline]
RIP: 0010:lockdep_hardirqs_off+0x1df/0x2e0 kernel/locking/lockdep.c:3453
Code: 5c 08 00 00 5b 41 5c 41 5d 5d c3 48 c7 c0 58 1d f3 88 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 d3 00 00 00 <48> 83 3d 21 9e 99 07 00 0f 84 b9 00 00 00 9c 58 0f 1f 44 00 00 f6
RSP: 0018:ffff8880a6f3f1b8 EFLAGS: 00000046
RAX: 1ffffffff11e63ab RBX: ffff88808c9c6080 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff88808c9c6914
RBP: ffff8880a6f3f1d0 R08: ffff88808c9c6080 R09: fffffbfff16be5d1
R10: fffffbfff16be5d0 R11: 0000000000000003 R12: ffffffff8746591f
R13: ffff88808c9c6080 R14: ffffffff8746591f R15: 0000000000000003
FS: 00000000011e4880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 00000000a8920000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
trace_hardirqs_off+0x62/0x240 kernel/trace/trace_preemptirq.c:45
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
_raw_spin_lock_irqsave+0x6f/0xcd kernel/locking/spinlock.c:159
__wake_up_common_lock+0xc8/0x150 kernel/sched/wait.c:122
__wake_up+0xe/0x10 kernel/sched/wait.c:142
netlink_unlock_table net/netlink/af_netlink.c:466 [inline]
netlink_unlock_table net/netlink/af_netlink.c:463 [inline]
netlink_broadcast_filtered+0x705/0xb80 net/netlink/af_netlink.c:1514
netlink_broadcast+0x3a/0x50 net/netlink/af_netlink.c:1534
rtnetlink_send+0xdd/0x110 net/core/rtnetlink.c:714
tcf_add_notify net/sched/act_api.c:1343 [inline]
tcf_action_add+0x243/0x370 net/sched/act_api.c:1362
tc_ctl_action+0x3b5/0x4bc net/sched/act_api.c:1410
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5386
netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5404
netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328
netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917
sock_sendmsg_nosec net/socket.c:637 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:657
___sys_sendmsg+0x803/0x920 net/socket.c:2311
__sys_sendmsg+0x105/0x1d0 net/socket.c:2356
__do_sys_sendmsg net/socket.c:2365 [inline]
__se_sys_sendmsg net/socket.c:2363 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440939
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+cf0adbb9c28c8866c788@syzkaller.appspotmail.com
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-10-14 21:22:30 +03:00
|
|
|
for (loop = 0; loop < 10; loop++) {
|
|
|
|
ret = tcf_action_init(net, NULL, nla, NULL, NULL, ovr, 0,
|
2021-04-07 18:36:03 +03:00
|
|
|
actions, init_res, &attr_size, true, extack);
|
net: avoid potential infinite loop in tc_ctl_action()
tc_ctl_action() has the ability to loop forever if tcf_action_add()
returns -EAGAIN.
This special case has been done in case a module needed to be loaded,
but it turns out that tcf_add_notify() could also return -EAGAIN
if the socket sk_rcvbuf limit is hit.
We need to separate the two cases, and only loop for the module
loading case.
While we are at it, add a limit of 10 attempts since unbounded
loops are always scary.
syzbot repro was something like :
socket(PF_NETLINK, SOCK_RAW|SOCK_NONBLOCK, NETLINK_ROUTE) = 3
write(3, ..., 38) = 38
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [0], 4) = 0
sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{..., 388}], msg_controllen=0, msg_flags=0x10}, ...)
NMI backtrace for cpu 0
CPU: 0 PID: 1054 Comm: khungtaskd Not tainted 5.4.0-rc1+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
nmi_cpu_backtrace.cold+0x70/0xb2 lib/nmi_backtrace.c:101
nmi_trigger_cpumask_backtrace+0x23b/0x28b lib/nmi_backtrace.c:62
arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline]
watchdog+0x9d0/0xef0 kernel/hung_task.c:289
kthread+0x361/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 8859 Comm: syz-executor910 Not tainted 5.4.0-rc1+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:751 [inline]
RIP: 0010:lockdep_hardirqs_off+0x1df/0x2e0 kernel/locking/lockdep.c:3453
Code: 5c 08 00 00 5b 41 5c 41 5d 5d c3 48 c7 c0 58 1d f3 88 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 d3 00 00 00 <48> 83 3d 21 9e 99 07 00 0f 84 b9 00 00 00 9c 58 0f 1f 44 00 00 f6
RSP: 0018:ffff8880a6f3f1b8 EFLAGS: 00000046
RAX: 1ffffffff11e63ab RBX: ffff88808c9c6080 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff88808c9c6914
RBP: ffff8880a6f3f1d0 R08: ffff88808c9c6080 R09: fffffbfff16be5d1
R10: fffffbfff16be5d0 R11: 0000000000000003 R12: ffffffff8746591f
R13: ffff88808c9c6080 R14: ffffffff8746591f R15: 0000000000000003
FS: 00000000011e4880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600400 CR3: 00000000a8920000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
trace_hardirqs_off+0x62/0x240 kernel/trace/trace_preemptirq.c:45
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
_raw_spin_lock_irqsave+0x6f/0xcd kernel/locking/spinlock.c:159
__wake_up_common_lock+0xc8/0x150 kernel/sched/wait.c:122
__wake_up+0xe/0x10 kernel/sched/wait.c:142
netlink_unlock_table net/netlink/af_netlink.c:466 [inline]
netlink_unlock_table net/netlink/af_netlink.c:463 [inline]
netlink_broadcast_filtered+0x705/0xb80 net/netlink/af_netlink.c:1514
netlink_broadcast+0x3a/0x50 net/netlink/af_netlink.c:1534
rtnetlink_send+0xdd/0x110 net/core/rtnetlink.c:714
tcf_add_notify net/sched/act_api.c:1343 [inline]
tcf_action_add+0x243/0x370 net/sched/act_api.c:1362
tc_ctl_action+0x3b5/0x4bc net/sched/act_api.c:1410
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5386
netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5404
netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328
netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917
sock_sendmsg_nosec net/socket.c:637 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:657
___sys_sendmsg+0x803/0x920 net/socket.c:2311
__sys_sendmsg+0x105/0x1d0 net/socket.c:2356
__do_sys_sendmsg net/socket.c:2365 [inline]
__se_sys_sendmsg net/socket.c:2363 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363
do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440939
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+cf0adbb9c28c8866c788@syzkaller.appspotmail.com
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-10-14 21:22:30 +03:00
|
|
|
if (ret != -EAGAIN)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2018-07-05 17:24:33 +03:00
|
|
|
if (ret < 0)
|
2016-08-14 08:34:56 +03:00
|
|
|
return ret;
|
2018-07-05 17:24:33 +03:00
|
|
|
ret = tcf_add_notify(net, n, actions, portid, attr_size, extack);
|
2021-04-07 18:36:03 +03:00
|
|
|
|
|
|
|
/* only put existing actions */
|
|
|
|
for (i = 0; i < TCA_ACT_MAX_PRIO; i++)
|
|
|
|
if (init_res[i] == ACT_P_CREATED)
|
|
|
|
actions[i] = NULL;
|
|
|
|
tcf_action_put_many(actions);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2018-07-05 17:24:31 +03:00
|
|
|
return ret;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2017-07-30 20:24:51 +03:00
|
|
|
static const struct nla_policy tcaa_policy[TCA_ROOT_MAX + 1] = {
|
2020-11-24 19:40:54 +03:00
|
|
|
[TCA_ROOT_FLAGS] = NLA_POLICY_BITFIELD32(TCA_ACT_FLAG_LARGE_DUMP_ON |
|
|
|
|
TCA_ACT_FLAG_TERSE_DUMP),
|
2017-07-30 20:24:52 +03:00
|
|
|
[TCA_ROOT_TIME_DELTA] = { .type = NLA_U32 },
|
2017-07-30 20:24:51 +03:00
|
|
|
};
|
|
|
|
|
2017-04-16 19:48:24 +03:00
|
|
|
static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n,
|
|
|
|
struct netlink_ext_ack *extack)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2008-03-25 20:26:21 +03:00
|
|
|
struct net *net = sock_net(skb->sk);
|
2017-07-30 20:24:51 +03:00
|
|
|
struct nlattr *tca[TCA_ROOT_MAX + 1];
|
2020-06-19 22:24:13 +03:00
|
|
|
u32 portid = NETLINK_CB(skb).portid;
|
2005-04-17 02:20:36 +04:00
|
|
|
int ret = 0, ovr = 0;
|
|
|
|
|
2016-06-05 17:41:32 +03:00
|
|
|
if ((n->nlmsg_type != RTM_GETACTION) &&
|
|
|
|
!netlink_capable(skb, CAP_NET_ADMIN))
|
2012-11-16 07:03:00 +04:00
|
|
|
return -EPERM;
|
|
|
|
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 15:07:28 +03:00
|
|
|
ret = nlmsg_parse_deprecated(n, sizeof(struct tcamsg), tca,
|
|
|
|
TCA_ROOT_MAX, NULL, extack);
|
2008-01-23 09:11:50 +03:00
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
if (tca[TCA_ACT_TAB] == NULL) {
|
2018-02-15 18:54:55 +03:00
|
|
|
NL_SET_ERR_MSG(extack, "Netlink action attributes missing");
|
2005-04-17 02:20:36 +04:00
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
2011-01-19 22:26:56 +03:00
|
|
|
/* n->nlmsg_flags & NLM_F_CREATE */
|
2005-04-17 02:20:36 +04:00
|
|
|
switch (n->nlmsg_type) {
|
|
|
|
case RTM_NEWACTION:
|
|
|
|
/* we are going to assume all other flags
|
2011-03-31 05:57:33 +04:00
|
|
|
* imply create only if it doesn't exist
|
2005-04-17 02:20:36 +04:00
|
|
|
* Note that CREATE | EXCL implies that
|
|
|
|
* but since we want avoid ambiguity (eg when flags
|
|
|
|
* is zero) then just set this
|
|
|
|
*/
|
2011-01-19 22:26:56 +03:00
|
|
|
if (n->nlmsg_flags & NLM_F_REPLACE)
|
2005-04-17 02:20:36 +04:00
|
|
|
ovr = 1;
|
2018-02-15 18:54:54 +03:00
|
|
|
ret = tcf_action_add(net, tca[TCA_ACT_TAB], n, portid, ovr,
|
|
|
|
extack);
|
2005-04-17 02:20:36 +04:00
|
|
|
break;
|
|
|
|
case RTM_DELACTION:
|
2010-03-19 18:40:13 +03:00
|
|
|
ret = tca_action_gd(net, tca[TCA_ACT_TAB], n,
|
2018-02-15 18:54:55 +03:00
|
|
|
portid, RTM_DELACTION, extack);
|
2005-04-17 02:20:36 +04:00
|
|
|
break;
|
|
|
|
case RTM_GETACTION:
|
2010-03-19 18:40:13 +03:00
|
|
|
ret = tca_action_gd(net, tca[TCA_ACT_TAB], n,
|
2018-02-15 18:54:55 +03:00
|
|
|
portid, RTM_GETACTION, extack);
|
2005-04-17 02:20:36 +04:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
BUG();
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2017-07-30 20:24:51 +03:00
|
|
|
static struct nlattr *find_dump_kind(struct nlattr **nla)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2011-01-19 22:26:56 +03:00
|
|
|
struct nlattr *tb1, *tb2[TCA_ACT_MAX + 1];
|
2008-01-23 09:11:50 +03:00
|
|
|
struct nlattr *tb[TCA_ACT_MAX_PRIO + 1];
|
|
|
|
struct nlattr *kind;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2008-01-23 09:11:50 +03:00
|
|
|
tb1 = nla[TCA_ACT_TAB];
|
2005-04-17 02:20:36 +04:00
|
|
|
if (tb1 == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 15:07:28 +03:00
|
|
|
if (nla_parse_deprecated(tb, TCA_ACT_MAX_PRIO, nla_data(tb1), NLMSG_ALIGN(nla_len(tb1)), NULL, NULL) < 0)
|
2005-04-17 02:20:36 +04:00
|
|
|
return NULL;
|
|
|
|
|
2008-01-24 07:32:42 +03:00
|
|
|
if (tb[1] == NULL)
|
|
|
|
return NULL;
|
2019-09-19 04:44:43 +03:00
|
|
|
if (nla_parse_nested_deprecated(tb2, TCA_ACT_MAX, tb[1], tcf_action_policy, NULL) < 0)
|
2005-04-17 02:20:36 +04:00
|
|
|
return NULL;
|
2008-01-23 09:11:50 +03:00
|
|
|
kind = tb2[TCA_ACT_KIND];
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2006-07-06 07:45:06 +04:00
|
|
|
return kind;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2016-09-18 15:45:33 +03:00
|
|
|
static int tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2016-02-23 02:57:53 +03:00
|
|
|
struct net *net = sock_net(skb->sk);
|
2005-04-17 02:20:36 +04:00
|
|
|
struct nlmsghdr *nlh;
|
2007-04-20 07:29:13 +04:00
|
|
|
unsigned char *b = skb_tail_pointer(skb);
|
2008-01-24 07:34:11 +03:00
|
|
|
struct nlattr *nest;
|
2005-04-17 02:20:36 +04:00
|
|
|
struct tc_action_ops *a_o;
|
|
|
|
int ret = 0;
|
2012-06-27 08:39:32 +04:00
|
|
|
struct tcamsg *t = (struct tcamsg *) nlmsg_data(cb->nlh);
|
2017-07-30 20:24:51 +03:00
|
|
|
struct nlattr *tb[TCA_ROOT_MAX + 1];
|
|
|
|
struct nlattr *count_attr = NULL;
|
2017-07-30 20:24:52 +03:00
|
|
|
unsigned long jiffy_since = 0;
|
2017-07-30 20:24:51 +03:00
|
|
|
struct nlattr *kind = NULL;
|
|
|
|
struct nla_bitfield32 bf;
|
2017-07-30 20:24:52 +03:00
|
|
|
u32 msecs_since = 0;
|
2017-07-30 20:24:51 +03:00
|
|
|
u32 act_count = 0;
|
|
|
|
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 15:07:28 +03:00
|
|
|
ret = nlmsg_parse_deprecated(cb->nlh, sizeof(struct tcamsg), tb,
|
|
|
|
TCA_ROOT_MAX, tcaa_policy, cb->extack);
|
2017-07-30 20:24:51 +03:00
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2017-07-30 20:24:51 +03:00
|
|
|
kind = find_dump_kind(tb);
|
2005-04-17 02:20:36 +04:00
|
|
|
if (kind == NULL) {
|
2010-05-12 10:37:05 +04:00
|
|
|
pr_info("tc_dump_action: action bad kind\n");
|
2005-04-17 02:20:36 +04:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2006-07-06 07:45:06 +04:00
|
|
|
a_o = tc_lookup_action(kind);
|
2011-01-19 22:26:56 +03:00
|
|
|
if (a_o == NULL)
|
2005-04-17 02:20:36 +04:00
|
|
|
return 0;
|
|
|
|
|
2017-07-30 20:24:51 +03:00
|
|
|
cb->args[2] = 0;
|
|
|
|
if (tb[TCA_ROOT_FLAGS]) {
|
|
|
|
bf = nla_get_bitfield32(tb[TCA_ROOT_FLAGS]);
|
|
|
|
cb->args[2] = bf.value;
|
|
|
|
}
|
|
|
|
|
2017-07-30 20:24:52 +03:00
|
|
|
if (tb[TCA_ROOT_TIME_DELTA]) {
|
|
|
|
msecs_since = nla_get_u32(tb[TCA_ROOT_TIME_DELTA]);
|
|
|
|
}
|
|
|
|
|
2012-09-08 00:12:54 +04:00
|
|
|
nlh = nlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
|
2012-06-27 08:39:32 +04:00
|
|
|
cb->nlh->nlmsg_type, sizeof(*t), 0);
|
|
|
|
if (!nlh)
|
|
|
|
goto out_module_put;
|
2017-07-30 20:24:51 +03:00
|
|
|
|
2017-07-30 20:24:52 +03:00
|
|
|
if (msecs_since)
|
|
|
|
jiffy_since = jiffies - msecs_to_jiffies(msecs_since);
|
|
|
|
|
2012-06-27 08:39:32 +04:00
|
|
|
t = nlmsg_data(nlh);
|
2005-04-17 02:20:36 +04:00
|
|
|
t->tca_family = AF_UNSPEC;
|
2005-06-28 23:55:30 +04:00
|
|
|
t->tca__pad1 = 0;
|
|
|
|
t->tca__pad2 = 0;
|
2017-07-30 20:24:52 +03:00
|
|
|
cb->args[3] = jiffy_since;
|
2017-07-30 20:24:51 +03:00
|
|
|
count_attr = nla_reserve(skb, TCA_ROOT_COUNT, sizeof(u32));
|
|
|
|
if (!count_attr)
|
|
|
|
goto out_module_put;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2019-04-26 12:13:06 +03:00
|
|
|
nest = nla_nest_start_noflag(skb, TCA_ACT_TAB);
|
2008-01-24 07:34:11 +03:00
|
|
|
if (nest == NULL)
|
2012-06-27 08:39:32 +04:00
|
|
|
goto out_module_put;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2018-02-15 18:54:58 +03:00
|
|
|
ret = a_o->walk(net, skb, cb, RTM_GETACTION, a_o, NULL);
|
2005-04-17 02:20:36 +04:00
|
|
|
if (ret < 0)
|
2012-06-27 08:39:32 +04:00
|
|
|
goto out_module_put;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
if (ret > 0) {
|
2008-01-24 07:34:11 +03:00
|
|
|
nla_nest_end(skb, nest);
|
2005-04-17 02:20:36 +04:00
|
|
|
ret = skb->len;
|
2017-07-30 20:24:51 +03:00
|
|
|
act_count = cb->args[1];
|
|
|
|
memcpy(nla_data(count_attr), &act_count, sizeof(u32));
|
|
|
|
cb->args[1] = 0;
|
2005-04-17 02:20:36 +04:00
|
|
|
} else
|
2016-06-14 01:08:42 +03:00
|
|
|
nlmsg_trim(skb, b);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2007-04-20 07:29:13 +04:00
|
|
|
nlh->nlmsg_len = skb_tail_pointer(skb) - b;
|
2012-09-08 00:12:54 +04:00
|
|
|
if (NETLINK_CB(cb->skb).portid && ret)
|
2005-04-17 02:20:36 +04:00
|
|
|
nlh->nlmsg_flags |= NLM_F_MULTI;
|
|
|
|
module_put(a_o->owner);
|
|
|
|
return skb->len;
|
|
|
|
|
2012-06-27 08:39:32 +04:00
|
|
|
out_module_put:
|
2005-04-17 02:20:36 +04:00
|
|
|
module_put(a_o->owner);
|
2007-03-26 10:06:12 +04:00
|
|
|
nlmsg_trim(skb, b);
|
2005-04-17 02:20:36 +04:00
|
|
|
return skb->len;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int __init tc_action_init(void)
|
|
|
|
{
|
2017-08-09 21:41:48 +03:00
|
|
|
rtnl_register(PF_UNSPEC, RTM_NEWACTION, tc_ctl_action, NULL, 0);
|
|
|
|
rtnl_register(PF_UNSPEC, RTM_DELACTION, tc_ctl_action, NULL, 0);
|
2011-06-10 05:27:09 +04:00
|
|
|
rtnl_register(PF_UNSPEC, RTM_GETACTION, tc_ctl_action, tc_dump_action,
|
2017-08-09 21:41:48 +03:00
|
|
|
0);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
subsys_initcall(tc_action_init);
|