Merge branch 'net-sched-two-fixes-for-cls_u32'

Eric Dumazet says: ==================== net/sched: two fixes for cls_u32 One syzbot report brought my attention to cls_u32. This series addresses the syzbot report, and an additional issue discovered in code review. ==================== Link: https://lore.kernel.org/r/20220413173542.533060-1-eric.dumazet@gmail.comSigned-off-by: N Jakub Kicinski <kuba@kernel.org>

Merge branch 'net-sched-two-fixes-for-cls_u32'
Eric Dumazet says: ==================== net/sched: two fixes for cls_u32 One syzbot report brought my attention to cls_u32. This series addresses the syzbot report, and an additional issue discovered in code review. ==================== Link: https://lore.kernel.org/r/20220413173542.533060-1-eric.dumazet@gmail.comSigned-off-by: N Jakub Kicinski <kuba@kernel.org>
0b9dcf37 · Jakub Kicinski · f3226eed · ec5b0f60 · 0b9dcf37
显示空白变更内容
内联并排

Showing with 14 addition and 10 deletion

net/sched/cls_u32.c net/sched/cls_u32.c +14 -10

未找到文件。
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -386,14 +386,19 @@ static int u32_init(struct tcf_proto *tp)
 	return 0;
 }
-static int u32_destroy_key(struct tc_u_knode *n, bool free_pf)
+static void __u32_destroy_key(struct tc_u_knode *n)
 {
 	struct tc_u_hnode *ht = rtnl_dereference(n->ht_down);
 	tcf_exts_destroy(&n->exts);
-	tcf_exts_put_net(&n->exts);
 	if (ht && --ht->refcnt == 0)
 		kfree(ht);
+	kfree(n);
+}
+static void u32_destroy_key(struct tc_u_knode *n, bool free_pf)
+{
+	tcf_exts_put_net(&n->exts);
 #ifdef CONFIG_CLS_U32_PERF
 	if (free_pf)
 		free_percpu(n->pf);
@@ -402,8 +407,7 @@ static int u32_destroy_key(struct tc_u_knode *n, bool free_pf)
 	if (free_pf)
 		free_percpu(n->pcpu_success);
 #endif
-	kfree(n);
+	__u32_destroy_key(n);
-	return 0;
 }
 /* u32_delete_key_rcu should be called when free'ing a copied
@@ -811,10 +815,6 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp,
 	new->flags = n->flags;
 	RCU_INIT_POINTER(new->ht_down, ht);
-	/* bump reference count as long as we hold pointer to structure */
-	if (ht)
-		ht->refcnt++;
 #ifdef CONFIG_CLS_U32_PERF
 	/* Statistics may be incremented by readers during update
 	 * so we must keep them in tact. When the node is later destroyed
@@ -836,6 +836,10 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp,
 		return NULL;
 	}
+	/* bump reference count as long as we hold pointer to structure */
+	if (ht)
+		ht->refcnt++;
 	return new;
 }
@@ -900,13 +904,13 @@ static int u32_change(struct net *net, struct sk_buff *in_skb,
 				    extack);
 		if (err) {
-			u32_destroy_key(new, false);
+			__u32_destroy_key(new);
 			return err;
 		}
 		err = u32_replace_hw_knode(tp, new, flags, extack);
 		if (err) {
-			u32_destroy_key(new, false);
+			__u32_destroy_key(new);
 			return err;
 		}