    net: sched: do not use tcf_proto 'tp' argument from call_rcu · 18cdb37e
    John Fastabend committed
    Using the tcf_proto pointer 'tp' from inside the classifiers callback
    is not valid because it may have been cleaned up by another call_rcu
    occurring on another CPU.
    
    'tp' is currently being used by tcf_unbind_filter(); in this patch we
    move instances of tcf_unbind_filter outside of the call_rcu() context.
    This is safe to do because any running schedulers will either read the
    valid class field or it will be zeroed.
    
    And all schedulers today when the class is 0 do a lookup using the
    same call used by the tcf_exts_bind(). So even if we have a running
    classifier hit the null class pointer it will do a lookup and get
    to the same result. This is particularly fragile at the moment because
    the only way to verify this is to audit the schedulers call sites.
    Reported-by: Cong Wang <xiyou.wangconf@gmail.com>
    Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
    Acked-by: Cong Wang <cwang@twopensource.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
cls_bpf.c 8.4 KB