 28e6b67f0b
			
		
	
	
	28e6b67f0b
	
	
	
		
			
			Since commit55334a5db5("net_sched: act: refuse to remove bound action outside"), we end up with a wrong reference count for a tc action. Test case 1: FOO="1,6 0 0 4294967295," BAR="1,6 0 0 4294967294," tc filter add dev foo parent 1: bpf bytecode "$FOO" flowid 1:1 \ action bpf bytecode "$FOO" tc actions show action bpf action order 0: bpf bytecode '1,6 0 0 4294967295' default-action pipe index 1 ref 1 bind 1 tc actions replace action bpf bytecode "$BAR" index 1 tc actions show action bpf action order 0: bpf bytecode '1,6 0 0 4294967294' default-action pipe index 1 ref 2 bind 1 tc actions replace action bpf bytecode "$FOO" index 1 tc actions show action bpf action order 0: bpf bytecode '1,6 0 0 4294967295' default-action pipe index 1 ref 3 bind 1 Test case 2: FOO="1,6 0 0 4294967295," tc filter add dev foo parent 1: bpf bytecode "$FOO" flowid 1:1 action ok tc actions show action gact action order 0: gact action pass random type none pass val 0 index 1 ref 1 bind 1 tc actions add action drop index 1 RTNETLINK answers: File exists [...] tc actions show action gact action order 0: gact action pass random type none pass val 0 index 1 ref 2 bind 1 tc actions add action drop index 1 RTNETLINK answers: File exists [...] tc actions show action gact action order 0: gact action pass random type none pass val 0 index 1 ref 3 bind 1 What happens is that in tcf_hash_check(), we check tcf_common for a given index and increase tcfc_refcnt and conditionally tcfc_bindcnt when we've found an existing action. Now there are the following cases: 1) We do a late binding of an action. In that case, we leave the tcfc_refcnt/tcfc_bindcnt increased and are done with the ->init() handler. This is correctly handeled. 2) We replace the given action, or we try to add one without replacing and find out that the action at a specific index already exists (thus, we go out with error in that case). In case of 2), we have to undo the reference count increase from tcf_hash_check() in the tcf_hash_check() function. Currently, we fail to do so because of the 'tcfc_bindcnt > 0' check which bails out early with an -EPERM error. Now, while commit55334a5db5prevents 'tc actions del action ...' on an already classifier-bound action to drop the reference count (which could then become negative, wrap around etc), this restriction only accounts for invocations outside a specific action's ->init() handler. One possible solution would be to add a flag thus we possibly trigger the -EPERM ony in situations where it is indeed relevant. After the patch, above test cases have correct reference count again. Fixes:55334a5db5("net_sched: act: refuse to remove bound action outside") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Cong Wang <cwang@twopensource.com> Signed-off-by: David S. Miller <davem@davemloft.net>
		
			
				
	
	
		
			132 lines
		
	
	
	
		
			3.9 KiB
			
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			132 lines
		
	
	
	
		
			3.9 KiB
			
		
	
	
	
		
			C
		
	
	
	
	
	
| #ifndef __NET_ACT_API_H
 | |
| #define __NET_ACT_API_H
 | |
| 
 | |
| /*
 | |
|  * Public police action API for classifiers/qdiscs
 | |
|  */
 | |
| 
 | |
| #include <net/sch_generic.h>
 | |
| #include <net/pkt_sched.h>
 | |
| 
 | |
| struct tcf_common {
 | |
| 	struct hlist_node		tcfc_head;
 | |
| 	u32				tcfc_index;
 | |
| 	int				tcfc_refcnt;
 | |
| 	int				tcfc_bindcnt;
 | |
| 	u32				tcfc_capab;
 | |
| 	int				tcfc_action;
 | |
| 	struct tcf_t			tcfc_tm;
 | |
| 	struct gnet_stats_basic_packed	tcfc_bstats;
 | |
| 	struct gnet_stats_queue		tcfc_qstats;
 | |
| 	struct gnet_stats_rate_est64	tcfc_rate_est;
 | |
| 	spinlock_t			tcfc_lock;
 | |
| 	struct rcu_head			tcfc_rcu;
 | |
| };
 | |
| #define tcf_head	common.tcfc_head
 | |
| #define tcf_index	common.tcfc_index
 | |
| #define tcf_refcnt	common.tcfc_refcnt
 | |
| #define tcf_bindcnt	common.tcfc_bindcnt
 | |
| #define tcf_capab	common.tcfc_capab
 | |
| #define tcf_action	common.tcfc_action
 | |
| #define tcf_tm		common.tcfc_tm
 | |
| #define tcf_bstats	common.tcfc_bstats
 | |
| #define tcf_qstats	common.tcfc_qstats
 | |
| #define tcf_rate_est	common.tcfc_rate_est
 | |
| #define tcf_lock	common.tcfc_lock
 | |
| #define tcf_rcu		common.tcfc_rcu
 | |
| 
 | |
| struct tcf_hashinfo {
 | |
| 	struct hlist_head	*htab;
 | |
| 	unsigned int		hmask;
 | |
| 	spinlock_t		lock;
 | |
| 	u32			index;
 | |
| };
 | |
| 
 | |
| static inline unsigned int tcf_hash(u32 index, unsigned int hmask)
 | |
| {
 | |
| 	return index & hmask;
 | |
| }
 | |
| 
 | |
| static inline int tcf_hashinfo_init(struct tcf_hashinfo *hf, unsigned int mask)
 | |
| {
 | |
| 	int i;
 | |
| 
 | |
| 	spin_lock_init(&hf->lock);
 | |
| 	hf->index = 0;
 | |
| 	hf->hmask = mask;
 | |
| 	hf->htab = kzalloc((mask + 1) * sizeof(struct hlist_head),
 | |
| 			   GFP_KERNEL);
 | |
| 	if (!hf->htab)
 | |
| 		return -ENOMEM;
 | |
| 	for (i = 0; i < mask + 1; i++)
 | |
| 		INIT_HLIST_HEAD(&hf->htab[i]);
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| static inline void tcf_hashinfo_destroy(struct tcf_hashinfo *hf)
 | |
| {
 | |
| 	kfree(hf->htab);
 | |
| }
 | |
| 
 | |
| #ifdef CONFIG_NET_CLS_ACT
 | |
| 
 | |
| #define ACT_P_CREATED 1
 | |
| #define ACT_P_DELETED 1
 | |
| 
 | |
| struct tc_action {
 | |
| 	void			*priv;
 | |
| 	const struct tc_action_ops	*ops;
 | |
| 	__u32			type; /* for backward compat(TCA_OLD_COMPAT) */
 | |
| 	__u32			order;
 | |
| 	struct list_head	list;
 | |
| };
 | |
| 
 | |
| struct tc_action_ops {
 | |
| 	struct list_head head;
 | |
| 	struct tcf_hashinfo *hinfo;
 | |
| 	char    kind[IFNAMSIZ];
 | |
| 	__u32   type; /* TBD to match kind */
 | |
| 	struct module		*owner;
 | |
| 	int     (*act)(struct sk_buff *, const struct tc_action *, struct tcf_result *);
 | |
| 	int     (*dump)(struct sk_buff *, struct tc_action *, int, int);
 | |
| 	void	(*cleanup)(struct tc_action *, int bind);
 | |
| 	int     (*lookup)(struct tc_action *, u32);
 | |
| 	int     (*init)(struct net *net, struct nlattr *nla,
 | |
| 			struct nlattr *est, struct tc_action *act, int ovr,
 | |
| 			int bind);
 | |
| 	int     (*walk)(struct sk_buff *, struct netlink_callback *, int, struct tc_action *);
 | |
| };
 | |
| 
 | |
| int tcf_hash_search(struct tc_action *a, u32 index);
 | |
| void tcf_hash_destroy(struct tc_action *a);
 | |
| u32 tcf_hash_new_index(struct tcf_hashinfo *hinfo);
 | |
| int tcf_hash_check(u32 index, struct tc_action *a, int bind);
 | |
| int tcf_hash_create(u32 index, struct nlattr *est, struct tc_action *a,
 | |
| 		    int size, int bind);
 | |
| void tcf_hash_cleanup(struct tc_action *a, struct nlattr *est);
 | |
| void tcf_hash_insert(struct tc_action *a);
 | |
| 
 | |
| int __tcf_hash_release(struct tc_action *a, bool bind, bool strict);
 | |
| 
 | |
| static inline int tcf_hash_release(struct tc_action *a, bool bind)
 | |
| {
 | |
| 	return __tcf_hash_release(a, bind, false);
 | |
| }
 | |
| 
 | |
| int tcf_register_action(struct tc_action_ops *a, unsigned int mask);
 | |
| int tcf_unregister_action(struct tc_action_ops *a);
 | |
| int tcf_action_destroy(struct list_head *actions, int bind);
 | |
| int tcf_action_exec(struct sk_buff *skb, const struct list_head *actions,
 | |
| 		    struct tcf_result *res);
 | |
| int tcf_action_init(struct net *net, struct nlattr *nla,
 | |
| 				  struct nlattr *est, char *n, int ovr,
 | |
| 				  int bind, struct list_head *);
 | |
| struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
 | |
| 				    struct nlattr *est, char *n, int ovr,
 | |
| 				    int bind);
 | |
| int tcf_action_dump(struct sk_buff *skb, struct list_head *, int, int);
 | |
| int tcf_action_dump_old(struct sk_buff *skb, struct tc_action *a, int, int);
 | |
| int tcf_action_dump_1(struct sk_buff *skb, struct tc_action *a, int, int);
 | |
| int tcf_action_copy_stats(struct sk_buff *, struct tc_action *, int);
 | |
| #endif /* CONFIG_NET_CLS_ACT */
 | |
| #endif
 |