linux/net/sched
Vlad Buslov 125f1c7f26 net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table
The referenced change added custom cleanup code to act_ct to delete any
callbacks registered on the parent block when deleting the
tcf_ct_flow_table instance. However, the underlying issue is that the
drivers don't obtain the reference to the tcf_ct_flow_table instance when
registering callbacks which means that not only driver callbacks may still
be on the table when deleting it but also that the driver can still have
pointers to its internal nf_flowtable and can use it concurrently which
results either warning in netfilter[0] or use-after-free.

Fix the issue by taking a reference to the underlying struct
tcf_ct_flow_table instance when registering the callback and release the
reference when unregistering. Expose new API required for such reference
counting by adding two new callbacks to nf_flowtable_type and implementing
them for act_ct flowtable_ct type. This fixes the issue by extending the
lifetime of nf_flowtable until all users have unregistered.

[0]:
[106170.938634] ------------[ cut here ]------------
[106170.939111] WARNING: CPU: 21 PID: 3688 at include/net/netfilter/nf_flow_table.h:262 mlx5_tc_ct_del_ft_cb+0x267/0x2b0 [mlx5_core]
[106170.940108] Modules linked in: act_ct nf_flow_table act_mirred act_skbedit act_tunnel_key vxlan cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress mlx5_vdpa vringh vhost_iotlb vdpa bonding openvswitch nsh rpcrdma rdma_ucm
ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_regis
try overlay mlx5_core
[106170.943496] CPU: 21 PID: 3688 Comm: kworker/u48:0 Not tainted 6.6.0-rc7_for_upstream_min_debug_2023_11_01_13_02 #1
[106170.944361] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[106170.945292] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core]
[106170.945846] RIP: 0010:mlx5_tc_ct_del_ft_cb+0x267/0x2b0 [mlx5_core]
[106170.946413] Code: 89 ef 48 83 05 71 a4 14 00 01 e8 f4 06 04 e1 48 83 05 6c a4 14 00 01 48 83 c4 28 5b 5d 41 5c 41 5d c3 48 83 05 d1 8b 14 00 01 <0f> 0b 48 83 05 d7 8b 14 00 01 e9 96 fe ff ff 48 83 05 a2 90 14 00
[106170.947924] RSP: 0018:ffff88813ff0fcb8 EFLAGS: 00010202
[106170.948397] RAX: 0000000000000000 RBX: ffff88811eabac40 RCX: ffff88811eabad48
[106170.949040] RDX: ffff88811eab8000 RSI: ffffffffa02cd560 RDI: 0000000000000000
[106170.949679] RBP: ffff88811eab8000 R08: 0000000000000001 R09: ffffffffa0229700
[106170.950317] R10: ffff888103538fc0 R11: 0000000000000001 R12: ffff88811eabad58
[106170.950969] R13: ffff888110c01c00 R14: ffff888106b40000 R15: 0000000000000000
[106170.951616] FS:  0000000000000000(0000) GS:ffff88885fd40000(0000) knlGS:0000000000000000
[106170.952329] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[106170.952834] CR2: 00007f1cefd28cb0 CR3: 000000012181b006 CR4: 0000000000370ea0
[106170.953482] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[106170.954121] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[106170.954766] Call Trace:
[106170.955057]  <TASK>
[106170.955315]  ? __warn+0x79/0x120
[106170.955648]  ? mlx5_tc_ct_del_ft_cb+0x267/0x2b0 [mlx5_core]
[106170.956172]  ? report_bug+0x17c/0x190
[106170.956537]  ? handle_bug+0x3c/0x60
[106170.956891]  ? exc_invalid_op+0x14/0x70
[106170.957264]  ? asm_exc_invalid_op+0x16/0x20
[106170.957666]  ? mlx5_del_flow_rules+0x10/0x310 [mlx5_core]
[106170.958172]  ? mlx5_tc_ct_block_flow_offload_add+0x1240/0x1240 [mlx5_core]
[106170.958788]  ? mlx5_tc_ct_del_ft_cb+0x267/0x2b0 [mlx5_core]
[106170.959339]  ? mlx5_tc_ct_del_ft_cb+0xc6/0x2b0 [mlx5_core]
[106170.959854]  ? mapping_remove+0x154/0x1d0 [mlx5_core]
[106170.960342]  ? mlx5e_tc_action_miss_mapping_put+0x4f/0x80 [mlx5_core]
[106170.960927]  mlx5_tc_ct_delete_flow+0x76/0xc0 [mlx5_core]
[106170.961441]  mlx5_free_flow_attr_actions+0x13b/0x220 [mlx5_core]
[106170.962001]  mlx5e_tc_del_fdb_flow+0x22c/0x3b0 [mlx5_core]
[106170.962524]  mlx5e_tc_del_flow+0x95/0x3c0 [mlx5_core]
[106170.963034]  mlx5e_flow_put+0x73/0xe0 [mlx5_core]
[106170.963506]  mlx5e_put_flow_list+0x38/0x70 [mlx5_core]
[106170.964002]  mlx5e_rep_update_flows+0xec/0x290 [mlx5_core]
[106170.964525]  mlx5e_rep_neigh_update+0x1da/0x310 [mlx5_core]
[106170.965056]  process_one_work+0x13a/0x2c0
[106170.965443]  worker_thread+0x2e5/0x3f0
[106170.965808]  ? rescuer_thread+0x410/0x410
[106170.966192]  kthread+0xc6/0xf0
[106170.966515]  ? kthread_complete_and_exit+0x20/0x20
[106170.966970]  ret_from_fork+0x2d/0x50
[106170.967332]  ? kthread_complete_and_exit+0x20/0x20
[106170.967774]  ret_from_fork_asm+0x11/0x20
[106170.970466]  </TASK>
[106170.970726] ---[ end trace 0000000000000000 ]---

Fixes: 77ac5e40c4 ("net/sched: act_ct: remove and free nf_table callbacks")
Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
Reviewed-by: Paul Blakey <paulb@nvidia.com>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2023-12-11 09:59:58 +00:00
..
act_api.c net, sched: Fix SKB_NOT_DROPPED_YET splat under debug config 2023-11-06 08:56:25 +00:00
act_bpf.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_connmark.c net/sched: act_connmark: handle errno on tcf_idr_check_alloc 2023-03-01 08:19:09 +00:00
act_csum.c net: skbuff: hide csum_not_inet when CONFIG_IP_SCTP not set 2023-04-19 13:04:30 +01:00
act_ct.c net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table 2023-12-11 09:59:58 +00:00
act_ctinfo.c net/sched: act_ctinfo: use percpu stats 2023-02-13 20:09:01 -08:00
act_gact.c Networking changes for 6.2. 2022-12-13 15:47:48 -08:00
act_gate.c net: sched: Fill in MODULE_DESCRIPTION for act_gate 2023-11-01 21:49:08 -07:00
act_ife.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_ipt.c net/sched: act_ipt: zero skb->cb before calling target 2023-06-29 12:10:37 +02:00
act_meta_mark.c
act_meta_skbprio.c
act_meta_skbtcindex.c
act_mirred.c net/sched: act_mirred: Add carrier check 2023-05-01 07:26:10 +01:00
act_mpls.c net/sched: remove two skb_mac_header() uses 2023-03-22 22:43:23 -07:00
act_nat.c net/sched: act_nat: transition to percpu stats and rcu 2023-02-16 10:39:28 +01:00
act_pedit.c net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX 2023-07-04 10:31:38 +02:00
act_police.c net: move gso declarations and functions to their own files 2023-06-10 00:11:41 -07:00
act_sample.c net/sched: act_sample: fix action bind logic 2023-02-26 18:27:45 +00:00
act_simple.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_skbedit.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_skbmod.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_tunnel_key.c net/sched: act_tunnel_key: add support for "don't fragment" 2023-03-30 23:24:24 -07:00
act_vlan.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_api.c net, sched: Fix SKB_NOT_DROPPED_YET splat under debug config 2023-11-06 08:56:25 +00:00
cls_basic.c net: sched: Fill in missing MODULE_DESCRIPTION for classifiers 2023-11-01 21:49:09 -07:00
cls_bpf.c net: sched: cls_bpf: Undo tcf_bind_filter in case of an error 2023-07-17 07:33:39 +01:00
cls_cgroup.c net: sched: Fill in missing MODULE_DESCRIPTION for classifiers 2023-11-01 21:49:09 -07:00
cls_flow.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
cls_flower.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-03 14:34:37 -07:00
cls_fw.c net: sched: Fill in missing MODULE_DESCRIPTION for classifiers 2023-11-01 21:49:09 -07:00
cls_matchall.c net: sched: cls_matchall: Undo tcf_bind_filter in case of failure after mall_set_parms 2023-07-17 07:33:38 +01:00
cls_route.c net: sched: Fill in missing MODULE_DESCRIPTION for classifiers 2023-11-01 21:49:09 -07:00
cls_u32.c net: sched: Fill in missing MODULE_DESCRIPTION for classifiers 2023-11-01 21:49:09 -07:00
em_canid.c
em_cmp.c
em_ipset.c
em_ipt.c
em_meta.c net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
em_nbyte.c
em_text.c
em_u32.c
ematch.c net_sched: reject TCF_EM_SIMPLE case for complex ematch module 2022-12-19 09:43:18 +00:00
Kconfig bpf: Add fd-based tcx multi-prog infra with link support 2023-07-19 10:07:27 -07:00
Makefile net/sched: Retire rsvp classifier 2023-02-16 09:27:07 +01:00
sch_api.c net/sched: fix a qdisc modification with ambiguous command request 2023-08-23 09:44:48 +01:00
sch_blackhole.c
sch_cake.c net: move gso declarations and functions to their own files 2023-06-10 00:11:41 -07:00
sch_cbs.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_choke.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_codel.c net: sched: remove redundant NULL check in change hook function 2022-09-01 08:06:45 +02:00
sch_drr.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_etf.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_ets.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_fifo.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_fq_codel.c Revert "net: sched: fq_codel: remove redundant resource cleanup in fq_codel_init()" 2022-10-19 13:47:09 +01:00
sch_fq_pie.c netlink: make range pointers in policies const 2023-10-26 16:24:09 -07:00
sch_fq.c net_sched: sch_fq: better validate TCA_FQ_WEIGHTS and TCA_FQ_PRIOMAP 2023-11-08 18:30:21 -08:00
sch_frag.c net: dst: remove unnecessary input parameter in dst_alloc and dst_init 2023-09-12 11:42:25 +02:00
sch_generic.c net_sched: export pfifo_fast prio2band[] 2023-10-05 13:27:31 +02:00
sch_gred.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_hfsc.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_hhf.c net: sched: remove redundant NULL check in change hook function 2022-09-01 08:06:45 +02:00
sch_htb.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_ingress.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_mq.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-07 10:25:39 +01:00
sch_mqprio_lib.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_mqprio_lib.h net/sched: mqprio: allow per-TC user input of FP adminStatus 2023-04-13 22:22:10 -07:00
sch_mqprio.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_multiq.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_netem.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_pie.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-07 10:25:39 +01:00
sch_plug.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_prio.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_qfq.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_red.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_sfb.c Networking fixes for 6.1-rc2, including fixes from netfilter 2022-10-20 17:24:59 -07:00
sch_sfq.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_skbprio.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_taprio.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_tbf.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sch_teql.c net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00