2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
* net/sched/cls_tcindex.c Packet classifier for skb->tc_index
|
|
|
|
*
|
|
|
|
* Written 1998,1999 by Werner Almesberger, EPFL ICA
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/types.h>
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
#include <linux/errno.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 08:04:11 +00:00
|
|
|
#include <linux/slab.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <net/act_api.h>
|
2007-03-26 06:06:12 +00:00
|
|
|
#include <net/netlink.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <net/pkt_cls.h>
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Passing parameters to the root seems to be done more awkwardly than really
|
|
|
|
* necessary. At least, u32 doesn't seem to use such dirty hacks. To be
|
|
|
|
* verified. FIXME.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#define PERFECT_HASH_THRESHOLD 64 /* use perfect hash if not bigger */
|
|
|
|
#define DEFAULT_HASH_SIZE 64 /* optimized for diffserv */
|
|
|
|
|
|
|
|
|
|
|
|
struct tcindex_filter_result {
|
|
|
|
struct tcf_exts exts;
|
|
|
|
struct tcf_result res;
|
2015-08-26 03:06:33 +00:00
|
|
|
struct rcu_head rcu;
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
struct tcindex_filter {
|
|
|
|
u16 key;
|
|
|
|
struct tcindex_filter_result result;
|
2014-09-13 03:08:20 +00:00
|
|
|
struct tcindex_filter __rcu *next;
|
|
|
|
struct rcu_head rcu;
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
struct tcindex_data {
|
|
|
|
struct tcindex_filter_result *perfect; /* perfect hash; NULL if none */
|
2014-09-13 03:08:20 +00:00
|
|
|
struct tcindex_filter __rcu **h; /* imperfect hash; */
|
|
|
|
struct tcf_proto *tp;
|
2005-04-16 22:20:36 +00:00
|
|
|
u16 mask; /* AND key with mask */
|
2014-09-13 03:08:20 +00:00
|
|
|
u32 shift; /* shift ANDed key to the right */
|
|
|
|
u32 hash; /* hash table size; 0 if undefined */
|
|
|
|
u32 alloc_hash; /* allocated size */
|
|
|
|
u32 fall_through; /* 0: only classify if explicit match */
|
|
|
|
struct rcu_head rcu;
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
2016-09-18 12:45:33 +00:00
|
|
|
static inline int tcindex_filter_is_set(struct tcindex_filter_result *r)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
return tcf_exts_is_predicative(&r->exts) || r->res.classid;
|
|
|
|
}
|
|
|
|
|
2016-09-18 12:45:33 +00:00
|
|
|
static struct tcindex_filter_result *tcindex_lookup(struct tcindex_data *p,
|
|
|
|
u16 key)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2014-09-13 03:08:20 +00:00
|
|
|
if (p->perfect) {
|
|
|
|
struct tcindex_filter_result *f = p->perfect + key;
|
|
|
|
|
|
|
|
return tcindex_filter_is_set(f) ? f : NULL;
|
|
|
|
} else if (p->h) {
|
|
|
|
struct tcindex_filter __rcu **fp;
|
|
|
|
struct tcindex_filter *f;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2014-09-13 03:08:20 +00:00
|
|
|
fp = &p->h[key % p->hash];
|
|
|
|
for (f = rcu_dereference_bh_rtnl(*fp);
|
|
|
|
f;
|
|
|
|
fp = &f->next, f = rcu_dereference_bh_rtnl(*fp))
|
2005-04-16 22:20:36 +00:00
|
|
|
if (f->key == key)
|
|
|
|
return &f->result;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-07-05 23:25:42 +00:00
|
|
|
static int tcindex_classify(struct sk_buff *skb, const struct tcf_proto *tp,
|
2005-04-16 22:20:36 +00:00
|
|
|
struct tcf_result *res)
|
|
|
|
{
|
2014-09-15 21:06:48 +00:00
|
|
|
struct tcindex_data *p = rcu_dereference_bh(tp->root);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct tcindex_filter_result *f;
|
|
|
|
int key = (skb->tc_index & p->mask) >> p->shift;
|
|
|
|
|
2008-01-21 10:26:41 +00:00
|
|
|
pr_debug("tcindex_classify(skb %p,tp %p,res %p),p %p\n",
|
|
|
|
skb, tp, res, p);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
f = tcindex_lookup(p, key);
|
|
|
|
if (!f) {
|
|
|
|
if (!p->fall_through)
|
|
|
|
return -1;
|
|
|
|
res->classid = TC_H_MAKE(TC_H_MAJ(tp->q->handle), key);
|
|
|
|
res->class = 0;
|
2008-01-21 10:26:41 +00:00
|
|
|
pr_debug("alg 0x%x\n", res->classid);
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
*res = f->res;
|
2008-01-21 10:26:41 +00:00
|
|
|
pr_debug("map 0x%x\n", res->classid);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
return tcf_exts_exec(skb, &f->exts, res);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static unsigned long tcindex_get(struct tcf_proto *tp, u32 handle)
|
|
|
|
{
|
2014-09-13 03:08:20 +00:00
|
|
|
struct tcindex_data *p = rtnl_dereference(tp->root);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct tcindex_filter_result *r;
|
|
|
|
|
2008-01-21 10:26:41 +00:00
|
|
|
pr_debug("tcindex_get(tp %p,handle 0x%08x)\n", tp, handle);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (p->perfect && handle >= p->alloc_hash)
|
|
|
|
return 0;
|
|
|
|
r = tcindex_lookup(p, handle);
|
|
|
|
return r && tcindex_filter_is_set(r) ? (unsigned long) r : 0UL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int tcindex_init(struct tcf_proto *tp)
|
|
|
|
{
|
|
|
|
struct tcindex_data *p;
|
|
|
|
|
2008-01-21 10:26:41 +00:00
|
|
|
pr_debug("tcindex_init(tp %p)\n", tp);
|
|
|
|
p = kzalloc(sizeof(struct tcindex_data), GFP_KERNEL);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!p)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
p->mask = 0xffff;
|
|
|
|
p->hash = DEFAULT_HASH_SIZE;
|
|
|
|
p->fall_through = 1;
|
|
|
|
|
2014-09-13 03:08:20 +00:00
|
|
|
rcu_assign_pointer(tp->root, p);
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2015-08-26 03:06:33 +00:00
|
|
|
static void tcindex_destroy_rexts(struct rcu_head *head)
|
|
|
|
{
|
|
|
|
struct tcindex_filter_result *r;
|
|
|
|
|
|
|
|
r = container_of(head, struct tcindex_filter_result, rcu);
|
|
|
|
tcf_exts_destroy(&r->exts);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void tcindex_destroy_fexts(struct rcu_head *head)
|
|
|
|
{
|
2016-09-18 12:45:33 +00:00
|
|
|
struct tcindex_filter *f = container_of(head, struct tcindex_filter,
|
|
|
|
rcu);
|
2015-08-26 03:06:33 +00:00
|
|
|
|
|
|
|
tcf_exts_destroy(&f->result.exts);
|
|
|
|
kfree(f);
|
|
|
|
}
|
|
|
|
|
2017-04-19 21:21:21 +00:00
|
|
|
static int tcindex_delete(struct tcf_proto *tp, unsigned long arg, bool *last)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2014-09-13 03:08:20 +00:00
|
|
|
struct tcindex_data *p = rtnl_dereference(tp->root);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct tcindex_filter_result *r = (struct tcindex_filter_result *) arg;
|
2014-09-13 03:08:20 +00:00
|
|
|
struct tcindex_filter __rcu **walk;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct tcindex_filter *f = NULL;
|
|
|
|
|
2014-09-13 03:08:20 +00:00
|
|
|
pr_debug("tcindex_delete(tp %p,arg 0x%lx),p %p\n", tp, arg, p);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (p->perfect) {
|
|
|
|
if (!r->res.class)
|
|
|
|
return -ENOENT;
|
|
|
|
} else {
|
|
|
|
int i;
|
|
|
|
|
2014-09-13 03:08:20 +00:00
|
|
|
for (i = 0; i < p->hash; i++) {
|
|
|
|
walk = p->h + i;
|
|
|
|
for (f = rtnl_dereference(*walk); f;
|
|
|
|
walk = &f->next, f = rtnl_dereference(*walk)) {
|
|
|
|
if (&f->result == r)
|
2005-04-16 22:20:36 +00:00
|
|
|
goto found;
|
2014-09-13 03:08:20 +00:00
|
|
|
}
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
return -ENOENT;
|
|
|
|
|
|
|
|
found:
|
2014-09-13 03:08:20 +00:00
|
|
|
rcu_assign_pointer(*walk, rtnl_dereference(f->next));
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
tcf_unbind_filter(tp, &r->res);
|
2015-08-26 03:06:33 +00:00
|
|
|
/* all classifiers are required to call tcf_exts_destroy() after rcu
|
|
|
|
* grace period, since converted-to-rcu actions are relying on that
|
|
|
|
* in cleanup() callback
|
|
|
|
*/
|
2014-09-13 03:08:20 +00:00
|
|
|
if (f)
|
2015-08-26 03:06:33 +00:00
|
|
|
call_rcu(&f->rcu, tcindex_destroy_fexts);
|
|
|
|
else
|
|
|
|
call_rcu(&r->rcu, tcindex_destroy_rexts);
|
2017-04-19 21:21:21 +00:00
|
|
|
|
|
|
|
*last = false;
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-09-13 03:08:20 +00:00
|
|
|
static int tcindex_destroy_element(struct tcf_proto *tp,
|
|
|
|
unsigned long arg,
|
|
|
|
struct tcf_walker *walker)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2017-04-19 21:21:21 +00:00
|
|
|
bool last;
|
|
|
|
|
|
|
|
return tcindex_delete(tp, arg, &last);
|
2014-09-13 03:08:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void __tcindex_destroy(struct rcu_head *head)
|
|
|
|
{
|
|
|
|
struct tcindex_data *p = container_of(head, struct tcindex_data, rcu);
|
|
|
|
|
|
|
|
kfree(p->perfect);
|
|
|
|
kfree(p->h);
|
|
|
|
kfree(p);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
|
|
|
valid_perfect_hash(struct tcindex_data *p)
|
|
|
|
{
|
|
|
|
return p->hash > (p->mask >> p->shift);
|
|
|
|
}
|
|
|
|
|
2008-01-24 04:36:12 +00:00
|
|
|
static const struct nla_policy tcindex_policy[TCA_TCINDEX_MAX + 1] = {
|
|
|
|
[TCA_TCINDEX_HASH] = { .type = NLA_U32 },
|
|
|
|
[TCA_TCINDEX_MASK] = { .type = NLA_U16 },
|
|
|
|
[TCA_TCINDEX_SHIFT] = { .type = NLA_U32 },
|
|
|
|
[TCA_TCINDEX_FALL_THROUGH] = { .type = NLA_U32 },
|
|
|
|
[TCA_TCINDEX_CLASSID] = { .type = NLA_U32 },
|
|
|
|
};
|
|
|
|
|
2016-08-19 19:36:54 +00:00
|
|
|
static int tcindex_filter_result_init(struct tcindex_filter_result *r)
|
net_sched: fix an oops in tcindex filter
Kelly reported the following crash:
IP: [<ffffffff817a993d>] tcf_action_exec+0x46/0x90
PGD 3009067 PUD 300c067 PMD 11ff30067 PTE 800000011634b060
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
CPU: 1 PID: 639 Comm: dhclient Not tainted 3.15.0-rc4+ #342
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff8801169ecd00 ti: ffff8800d21b8000 task.ti: ffff8800d21b8000
RIP: 0010:[<ffffffff817a993d>] [<ffffffff817a993d>] tcf_action_exec+0x46/0x90
RSP: 0018:ffff8800d21b9b90 EFLAGS: 00010283
RAX: 00000000ffffffff RBX: ffff88011634b8e8 RCX: ffff8800cf7133d8
RDX: ffff88011634b900 RSI: ffff8800cf7133e0 RDI: ffff8800d210f840
RBP: ffff8800d21b9bb0 R08: ffffffff8287bf60 R09: 0000000000000001
R10: ffff8800d2b22b24 R11: 0000000000000001 R12: ffff8800d210f840
R13: ffff8800d21b9c50 R14: ffff8800cf7133e0 R15: ffff8800cad433d8
FS: 00007f49723e1840(0000) GS:ffff88011a800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88011634b8f0 CR3: 00000000ce469000 CR4: 00000000000006e0
Stack:
ffff8800d2170188 ffff8800d210f840 ffff8800d2171b90 0000000000000000
ffff8800d21b9be8 ffffffff817c55bb ffff8800d21b9c50 ffff8800d2171b90
ffff8800d210f840 ffff8800d21b0300 ffff8800d21b9c50 ffff8800d21b9c18
Call Trace:
[<ffffffff817c55bb>] tcindex_classify+0x88/0x9b
[<ffffffff817a7f7d>] tc_classify_compat+0x3e/0x7b
[<ffffffff817a7fdf>] tc_classify+0x25/0x9f
[<ffffffff817b0e68>] htb_enqueue+0x55/0x27a
[<ffffffff817b6c2e>] dsmark_enqueue+0x165/0x1a4
[<ffffffff81775642>] __dev_queue_xmit+0x35e/0x536
[<ffffffff8177582a>] dev_queue_xmit+0x10/0x12
[<ffffffff818f8ecd>] packet_sendmsg+0xb26/0xb9a
[<ffffffff810b1507>] ? __lock_acquire+0x3ae/0xdf3
[<ffffffff8175cf08>] __sock_sendmsg_nosec+0x25/0x27
[<ffffffff8175d916>] sock_aio_write+0xd0/0xe7
[<ffffffff8117d6b8>] do_sync_write+0x59/0x78
[<ffffffff8117d84d>] vfs_write+0xb5/0x10a
[<ffffffff8117d96a>] SyS_write+0x49/0x7f
[<ffffffff8198e212>] system_call_fastpath+0x16/0x1b
This is because we memcpy struct tcindex_filter_result which contains
struct tcf_exts, obviously struct list_head can not be simply copied.
This is a regression introduced by commit 33be627159913b094bb578
(net_sched: act: use standard struct list_head).
It's not very easy to fix it as the code is a mess:
if (old_r)
memcpy(&cr, r, sizeof(cr));
else {
memset(&cr, 0, sizeof(cr));
tcf_exts_init(&cr.exts, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
}
...
tcf_exts_change(tp, &cr.exts, &e);
...
memcpy(r, &cr, sizeof(cr));
the above code should equal to:
tcindex_filter_result_init(&cr);
if (old_r)
cr.res = r->res;
...
if (old_r)
tcf_exts_change(tp, &r->exts, &e);
else
tcf_exts_change(tp, &cr.exts, &e);
...
r->res = cr.res;
after this change, since there is no need to copy struct tcf_exts.
And it also fixes other places zero'ing struct's contains struct tcf_exts.
Fixes: commit 33be627159913b0 (net_sched: act: use standard struct list_head)
Reported-by: Kelly Anderson <kelly@xilka.com>
Tested-by: Kelly Anderson <kelly@xilka.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-19 19:15:49 +00:00
|
|
|
{
|
|
|
|
memset(r, 0, sizeof(*r));
|
2016-08-19 19:36:54 +00:00
|
|
|
return tcf_exts_init(&r->exts, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
|
net_sched: fix an oops in tcindex filter
Kelly reported the following crash:
IP: [<ffffffff817a993d>] tcf_action_exec+0x46/0x90
PGD 3009067 PUD 300c067 PMD 11ff30067 PTE 800000011634b060
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
CPU: 1 PID: 639 Comm: dhclient Not tainted 3.15.0-rc4+ #342
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff8801169ecd00 ti: ffff8800d21b8000 task.ti: ffff8800d21b8000
RIP: 0010:[<ffffffff817a993d>] [<ffffffff817a993d>] tcf_action_exec+0x46/0x90
RSP: 0018:ffff8800d21b9b90 EFLAGS: 00010283
RAX: 00000000ffffffff RBX: ffff88011634b8e8 RCX: ffff8800cf7133d8
RDX: ffff88011634b900 RSI: ffff8800cf7133e0 RDI: ffff8800d210f840
RBP: ffff8800d21b9bb0 R08: ffffffff8287bf60 R09: 0000000000000001
R10: ffff8800d2b22b24 R11: 0000000000000001 R12: ffff8800d210f840
R13: ffff8800d21b9c50 R14: ffff8800cf7133e0 R15: ffff8800cad433d8
FS: 00007f49723e1840(0000) GS:ffff88011a800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88011634b8f0 CR3: 00000000ce469000 CR4: 00000000000006e0
Stack:
ffff8800d2170188 ffff8800d210f840 ffff8800d2171b90 0000000000000000
ffff8800d21b9be8 ffffffff817c55bb ffff8800d21b9c50 ffff8800d2171b90
ffff8800d210f840 ffff8800d21b0300 ffff8800d21b9c50 ffff8800d21b9c18
Call Trace:
[<ffffffff817c55bb>] tcindex_classify+0x88/0x9b
[<ffffffff817a7f7d>] tc_classify_compat+0x3e/0x7b
[<ffffffff817a7fdf>] tc_classify+0x25/0x9f
[<ffffffff817b0e68>] htb_enqueue+0x55/0x27a
[<ffffffff817b6c2e>] dsmark_enqueue+0x165/0x1a4
[<ffffffff81775642>] __dev_queue_xmit+0x35e/0x536
[<ffffffff8177582a>] dev_queue_xmit+0x10/0x12
[<ffffffff818f8ecd>] packet_sendmsg+0xb26/0xb9a
[<ffffffff810b1507>] ? __lock_acquire+0x3ae/0xdf3
[<ffffffff8175cf08>] __sock_sendmsg_nosec+0x25/0x27
[<ffffffff8175d916>] sock_aio_write+0xd0/0xe7
[<ffffffff8117d6b8>] do_sync_write+0x59/0x78
[<ffffffff8117d84d>] vfs_write+0xb5/0x10a
[<ffffffff8117d96a>] SyS_write+0x49/0x7f
[<ffffffff8198e212>] system_call_fastpath+0x16/0x1b
This is because we memcpy struct tcindex_filter_result which contains
struct tcf_exts, obviously struct list_head can not be simply copied.
This is a regression introduced by commit 33be627159913b094bb578
(net_sched: act: use standard struct list_head).
It's not very easy to fix it as the code is a mess:
if (old_r)
memcpy(&cr, r, sizeof(cr));
else {
memset(&cr, 0, sizeof(cr));
tcf_exts_init(&cr.exts, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
}
...
tcf_exts_change(tp, &cr.exts, &e);
...
memcpy(r, &cr, sizeof(cr));
the above code should equal to:
tcindex_filter_result_init(&cr);
if (old_r)
cr.res = r->res;
...
if (old_r)
tcf_exts_change(tp, &r->exts, &e);
else
tcf_exts_change(tp, &cr.exts, &e);
...
r->res = cr.res;
after this change, since there is no need to copy struct tcf_exts.
And it also fixes other places zero'ing struct's contains struct tcf_exts.
Fixes: commit 33be627159913b0 (net_sched: act: use standard struct list_head)
Reported-by: Kelly Anderson <kelly@xilka.com>
Tested-by: Kelly Anderson <kelly@xilka.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-19 19:15:49 +00:00
|
|
|
}
|
|
|
|
|
2014-09-13 03:08:20 +00:00
|
|
|
static void __tcindex_partial_destroy(struct rcu_head *head)
|
|
|
|
{
|
|
|
|
struct tcindex_data *p = container_of(head, struct tcindex_data, rcu);
|
|
|
|
|
|
|
|
kfree(p->perfect);
|
|
|
|
kfree(p);
|
|
|
|
}
|
|
|
|
|
2016-08-19 19:36:54 +00:00
|
|
|
static void tcindex_free_perfect_hash(struct tcindex_data *cp)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < cp->hash; i++)
|
|
|
|
tcf_exts_destroy(&cp->perfect[i].exts);
|
|
|
|
kfree(cp->perfect);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int tcindex_alloc_perfect_hash(struct tcindex_data *cp)
|
|
|
|
{
|
|
|
|
int i, err = 0;
|
|
|
|
|
|
|
|
cp->perfect = kcalloc(cp->hash, sizeof(struct tcindex_filter_result),
|
|
|
|
GFP_KERNEL);
|
|
|
|
if (!cp->perfect)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
for (i = 0; i < cp->hash; i++) {
|
|
|
|
err = tcf_exts_init(&cp->perfect[i].exts,
|
|
|
|
TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
|
|
|
|
if (err < 0)
|
|
|
|
goto errout;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
errout:
|
|
|
|
tcindex_free_perfect_hash(cp);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static int
|
2013-01-14 05:15:39 +00:00
|
|
|
tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
|
|
|
|
u32 handle, struct tcindex_data *p,
|
|
|
|
struct tcindex_filter_result *r, struct nlattr **tb,
|
2014-04-25 20:54:06 +00:00
|
|
|
struct nlattr *est, bool ovr)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct tcindex_filter_result new_filter_result, *old_r = r;
|
|
|
|
struct tcindex_filter_result cr;
|
2016-08-19 19:36:54 +00:00
|
|
|
struct tcindex_data *cp = NULL, *oldp;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct tcindex_filter *f = NULL; /* make gcc behave */
|
2016-08-19 19:36:54 +00:00
|
|
|
int err, balloc = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct tcf_exts e;
|
|
|
|
|
2016-08-19 19:36:54 +00:00
|
|
|
err = tcf_exts_init(&e, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (err < 0)
|
|
|
|
return err;
|
2016-08-19 19:36:54 +00:00
|
|
|
err = tcf_exts_validate(net, tp, tb, est, &e, ovr);
|
|
|
|
if (err < 0)
|
|
|
|
goto errout;
|
2007-02-09 14:25:16 +00:00
|
|
|
|
2014-09-25 19:06:04 +00:00
|
|
|
err = -ENOMEM;
|
2014-09-13 03:08:20 +00:00
|
|
|
/* tcindex_data attributes must look atomic to classifier/lookup so
|
|
|
|
* allocate new tcindex data and RCU assign it onto root. Keeping
|
|
|
|
* perfect hash and hash pointers from old data.
|
|
|
|
*/
|
2014-09-15 21:06:46 +00:00
|
|
|
cp = kzalloc(sizeof(*cp), GFP_KERNEL);
|
2014-09-25 19:06:04 +00:00
|
|
|
if (!cp)
|
2014-09-15 23:43:42 +00:00
|
|
|
goto errout;
|
2014-09-13 03:08:20 +00:00
|
|
|
|
|
|
|
cp->mask = p->mask;
|
|
|
|
cp->shift = p->shift;
|
|
|
|
cp->hash = p->hash;
|
|
|
|
cp->alloc_hash = p->alloc_hash;
|
|
|
|
cp->fall_through = p->fall_through;
|
|
|
|
cp->tp = tp;
|
|
|
|
|
|
|
|
if (p->perfect) {
|
2014-09-30 23:07:23 +00:00
|
|
|
int i;
|
|
|
|
|
2016-08-19 19:36:54 +00:00
|
|
|
if (tcindex_alloc_perfect_hash(cp) < 0)
|
2014-09-13 03:08:20 +00:00
|
|
|
goto errout;
|
2014-09-30 23:07:23 +00:00
|
|
|
for (i = 0; i < cp->hash; i++)
|
2016-08-19 19:36:54 +00:00
|
|
|
cp->perfect[i].res = p->perfect[i].res;
|
2014-09-15 23:43:42 +00:00
|
|
|
balloc = 1;
|
2014-09-13 03:08:20 +00:00
|
|
|
}
|
|
|
|
cp->h = p->h;
|
|
|
|
|
2016-08-19 19:36:54 +00:00
|
|
|
err = tcindex_filter_result_init(&new_filter_result);
|
|
|
|
if (err < 0)
|
|
|
|
goto errout1;
|
|
|
|
err = tcindex_filter_result_init(&cr);
|
|
|
|
if (err < 0)
|
|
|
|
goto errout1;
|
2005-04-16 22:20:36 +00:00
|
|
|
if (old_r)
|
net_sched: fix an oops in tcindex filter
Kelly reported the following crash:
IP: [<ffffffff817a993d>] tcf_action_exec+0x46/0x90
PGD 3009067 PUD 300c067 PMD 11ff30067 PTE 800000011634b060
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
CPU: 1 PID: 639 Comm: dhclient Not tainted 3.15.0-rc4+ #342
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff8801169ecd00 ti: ffff8800d21b8000 task.ti: ffff8800d21b8000
RIP: 0010:[<ffffffff817a993d>] [<ffffffff817a993d>] tcf_action_exec+0x46/0x90
RSP: 0018:ffff8800d21b9b90 EFLAGS: 00010283
RAX: 00000000ffffffff RBX: ffff88011634b8e8 RCX: ffff8800cf7133d8
RDX: ffff88011634b900 RSI: ffff8800cf7133e0 RDI: ffff8800d210f840
RBP: ffff8800d21b9bb0 R08: ffffffff8287bf60 R09: 0000000000000001
R10: ffff8800d2b22b24 R11: 0000000000000001 R12: ffff8800d210f840
R13: ffff8800d21b9c50 R14: ffff8800cf7133e0 R15: ffff8800cad433d8
FS: 00007f49723e1840(0000) GS:ffff88011a800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88011634b8f0 CR3: 00000000ce469000 CR4: 00000000000006e0
Stack:
ffff8800d2170188 ffff8800d210f840 ffff8800d2171b90 0000000000000000
ffff8800d21b9be8 ffffffff817c55bb ffff8800d21b9c50 ffff8800d2171b90
ffff8800d210f840 ffff8800d21b0300 ffff8800d21b9c50 ffff8800d21b9c18
Call Trace:
[<ffffffff817c55bb>] tcindex_classify+0x88/0x9b
[<ffffffff817a7f7d>] tc_classify_compat+0x3e/0x7b
[<ffffffff817a7fdf>] tc_classify+0x25/0x9f
[<ffffffff817b0e68>] htb_enqueue+0x55/0x27a
[<ffffffff817b6c2e>] dsmark_enqueue+0x165/0x1a4
[<ffffffff81775642>] __dev_queue_xmit+0x35e/0x536
[<ffffffff8177582a>] dev_queue_xmit+0x10/0x12
[<ffffffff818f8ecd>] packet_sendmsg+0xb26/0xb9a
[<ffffffff810b1507>] ? __lock_acquire+0x3ae/0xdf3
[<ffffffff8175cf08>] __sock_sendmsg_nosec+0x25/0x27
[<ffffffff8175d916>] sock_aio_write+0xd0/0xe7
[<ffffffff8117d6b8>] do_sync_write+0x59/0x78
[<ffffffff8117d84d>] vfs_write+0xb5/0x10a
[<ffffffff8117d96a>] SyS_write+0x49/0x7f
[<ffffffff8198e212>] system_call_fastpath+0x16/0x1b
This is because we memcpy struct tcindex_filter_result which contains
struct tcf_exts, obviously struct list_head can not be simply copied.
This is a regression introduced by commit 33be627159913b094bb578
(net_sched: act: use standard struct list_head).
It's not very easy to fix it as the code is a mess:
if (old_r)
memcpy(&cr, r, sizeof(cr));
else {
memset(&cr, 0, sizeof(cr));
tcf_exts_init(&cr.exts, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
}
...
tcf_exts_change(tp, &cr.exts, &e);
...
memcpy(r, &cr, sizeof(cr));
the above code should equal to:
tcindex_filter_result_init(&cr);
if (old_r)
cr.res = r->res;
...
if (old_r)
tcf_exts_change(tp, &r->exts, &e);
else
tcf_exts_change(tp, &cr.exts, &e);
...
r->res = cr.res;
after this change, since there is no need to copy struct tcf_exts.
And it also fixes other places zero'ing struct's contains struct tcf_exts.
Fixes: commit 33be627159913b0 (net_sched: act: use standard struct list_head)
Reported-by: Kelly Anderson <kelly@xilka.com>
Tested-by: Kelly Anderson <kelly@xilka.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-19 19:15:49 +00:00
|
|
|
cr.res = r->res;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-01-24 04:36:12 +00:00
|
|
|
if (tb[TCA_TCINDEX_HASH])
|
2014-09-13 03:08:20 +00:00
|
|
|
cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-01-24 04:36:12 +00:00
|
|
|
if (tb[TCA_TCINDEX_MASK])
|
2014-09-13 03:08:20 +00:00
|
|
|
cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-01-24 04:36:12 +00:00
|
|
|
if (tb[TCA_TCINDEX_SHIFT])
|
2014-09-13 03:08:20 +00:00
|
|
|
cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
err = -EBUSY;
|
2014-09-13 03:08:20 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* Hash already allocated, make sure that we still meet the
|
|
|
|
* requirements for the allocated hash.
|
|
|
|
*/
|
2014-09-13 03:08:20 +00:00
|
|
|
if (cp->perfect) {
|
|
|
|
if (!valid_perfect_hash(cp) ||
|
|
|
|
cp->hash > cp->alloc_hash)
|
2014-09-15 23:43:42 +00:00
|
|
|
goto errout_alloc;
|
2014-09-13 03:08:20 +00:00
|
|
|
} else if (cp->h && cp->hash != cp->alloc_hash) {
|
2014-09-15 23:43:42 +00:00
|
|
|
goto errout_alloc;
|
2014-09-13 03:08:20 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
err = -EINVAL;
|
2008-01-24 04:36:12 +00:00
|
|
|
if (tb[TCA_TCINDEX_FALL_THROUGH])
|
2014-09-13 03:08:20 +00:00
|
|
|
cp->fall_through = nla_get_u32(tb[TCA_TCINDEX_FALL_THROUGH]);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2014-09-13 03:08:20 +00:00
|
|
|
if (!cp->hash) {
|
2005-04-16 22:20:36 +00:00
|
|
|
/* Hash not specified, use perfect hash if the upper limit
|
|
|
|
* of the hashing index is below the threshold.
|
|
|
|
*/
|
2014-09-13 03:08:20 +00:00
|
|
|
if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD)
|
|
|
|
cp->hash = (cp->mask >> cp->shift) + 1;
|
2005-04-16 22:20:36 +00:00
|
|
|
else
|
2014-09-13 03:08:20 +00:00
|
|
|
cp->hash = DEFAULT_HASH_SIZE;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2014-09-25 19:06:05 +00:00
|
|
|
if (!cp->perfect && !cp->h)
|
2014-09-13 03:08:20 +00:00
|
|
|
cp->alloc_hash = cp->hash;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
/* Note: this could be as restrictive as if (handle & ~(mask >> shift))
|
|
|
|
* but then, we'd fail handles that may become valid after some future
|
|
|
|
* mask change. While this is extremely unlikely to ever matter,
|
|
|
|
* the check below is safer (and also more backwards-compatible).
|
|
|
|
*/
|
2014-09-13 03:08:20 +00:00
|
|
|
if (cp->perfect || valid_perfect_hash(cp))
|
|
|
|
if (handle >= cp->alloc_hash)
|
2014-09-15 23:43:42 +00:00
|
|
|
goto errout_alloc;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
|
|
|
err = -ENOMEM;
|
2014-09-13 03:08:20 +00:00
|
|
|
if (!cp->perfect && !cp->h) {
|
|
|
|
if (valid_perfect_hash(cp)) {
|
2016-08-19 19:36:54 +00:00
|
|
|
if (tcindex_alloc_perfect_hash(cp) < 0)
|
2014-09-15 23:43:42 +00:00
|
|
|
goto errout_alloc;
|
2005-04-16 22:20:36 +00:00
|
|
|
balloc = 1;
|
|
|
|
} else {
|
2014-09-13 03:08:20 +00:00
|
|
|
struct tcindex_filter __rcu **hash;
|
|
|
|
|
|
|
|
hash = kcalloc(cp->hash,
|
|
|
|
sizeof(struct tcindex_filter *),
|
|
|
|
GFP_KERNEL);
|
|
|
|
|
|
|
|
if (!hash)
|
2014-09-15 23:43:42 +00:00
|
|
|
goto errout_alloc;
|
2014-09-13 03:08:20 +00:00
|
|
|
|
|
|
|
cp->h = hash;
|
2005-04-16 22:20:36 +00:00
|
|
|
balloc = 2;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-09-13 03:08:20 +00:00
|
|
|
if (cp->perfect)
|
|
|
|
r = cp->perfect + handle;
|
2005-04-16 22:20:36 +00:00
|
|
|
else
|
2014-09-13 03:08:20 +00:00
|
|
|
r = tcindex_lookup(cp, handle) ? : &new_filter_result;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
if (r == &new_filter_result) {
|
2006-07-21 21:51:30 +00:00
|
|
|
f = kzalloc(sizeof(*f), GFP_KERNEL);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!f)
|
|
|
|
goto errout_alloc;
|
2014-09-30 23:07:23 +00:00
|
|
|
f->key = handle;
|
|
|
|
f->next = NULL;
|
2016-08-19 19:36:54 +00:00
|
|
|
err = tcindex_filter_result_init(&f->result);
|
|
|
|
if (err < 0) {
|
|
|
|
kfree(f);
|
|
|
|
goto errout_alloc;
|
|
|
|
}
|
2007-02-09 14:25:16 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-01-23 06:11:33 +00:00
|
|
|
if (tb[TCA_TCINDEX_CLASSID]) {
|
2008-01-24 04:35:03 +00:00
|
|
|
cr.res.classid = nla_get_u32(tb[TCA_TCINDEX_CLASSID]);
|
2005-04-16 22:20:36 +00:00
|
|
|
tcf_bind_filter(tp, &cr.res, base);
|
2007-02-09 14:25:16 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
net_sched: fix an oops in tcindex filter
Kelly reported the following crash:
IP: [<ffffffff817a993d>] tcf_action_exec+0x46/0x90
PGD 3009067 PUD 300c067 PMD 11ff30067 PTE 800000011634b060
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
CPU: 1 PID: 639 Comm: dhclient Not tainted 3.15.0-rc4+ #342
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff8801169ecd00 ti: ffff8800d21b8000 task.ti: ffff8800d21b8000
RIP: 0010:[<ffffffff817a993d>] [<ffffffff817a993d>] tcf_action_exec+0x46/0x90
RSP: 0018:ffff8800d21b9b90 EFLAGS: 00010283
RAX: 00000000ffffffff RBX: ffff88011634b8e8 RCX: ffff8800cf7133d8
RDX: ffff88011634b900 RSI: ffff8800cf7133e0 RDI: ffff8800d210f840
RBP: ffff8800d21b9bb0 R08: ffffffff8287bf60 R09: 0000000000000001
R10: ffff8800d2b22b24 R11: 0000000000000001 R12: ffff8800d210f840
R13: ffff8800d21b9c50 R14: ffff8800cf7133e0 R15: ffff8800cad433d8
FS: 00007f49723e1840(0000) GS:ffff88011a800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88011634b8f0 CR3: 00000000ce469000 CR4: 00000000000006e0
Stack:
ffff8800d2170188 ffff8800d210f840 ffff8800d2171b90 0000000000000000
ffff8800d21b9be8 ffffffff817c55bb ffff8800d21b9c50 ffff8800d2171b90
ffff8800d210f840 ffff8800d21b0300 ffff8800d21b9c50 ffff8800d21b9c18
Call Trace:
[<ffffffff817c55bb>] tcindex_classify+0x88/0x9b
[<ffffffff817a7f7d>] tc_classify_compat+0x3e/0x7b
[<ffffffff817a7fdf>] tc_classify+0x25/0x9f
[<ffffffff817b0e68>] htb_enqueue+0x55/0x27a
[<ffffffff817b6c2e>] dsmark_enqueue+0x165/0x1a4
[<ffffffff81775642>] __dev_queue_xmit+0x35e/0x536
[<ffffffff8177582a>] dev_queue_xmit+0x10/0x12
[<ffffffff818f8ecd>] packet_sendmsg+0xb26/0xb9a
[<ffffffff810b1507>] ? __lock_acquire+0x3ae/0xdf3
[<ffffffff8175cf08>] __sock_sendmsg_nosec+0x25/0x27
[<ffffffff8175d916>] sock_aio_write+0xd0/0xe7
[<ffffffff8117d6b8>] do_sync_write+0x59/0x78
[<ffffffff8117d84d>] vfs_write+0xb5/0x10a
[<ffffffff8117d96a>] SyS_write+0x49/0x7f
[<ffffffff8198e212>] system_call_fastpath+0x16/0x1b
This is because we memcpy struct tcindex_filter_result which contains
struct tcf_exts, obviously struct list_head can not be simply copied.
This is a regression introduced by commit 33be627159913b094bb578
(net_sched: act: use standard struct list_head).
It's not very easy to fix it as the code is a mess:
if (old_r)
memcpy(&cr, r, sizeof(cr));
else {
memset(&cr, 0, sizeof(cr));
tcf_exts_init(&cr.exts, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
}
...
tcf_exts_change(tp, &cr.exts, &e);
...
memcpy(r, &cr, sizeof(cr));
the above code should equal to:
tcindex_filter_result_init(&cr);
if (old_r)
cr.res = r->res;
...
if (old_r)
tcf_exts_change(tp, &r->exts, &e);
else
tcf_exts_change(tp, &cr.exts, &e);
...
r->res = cr.res;
after this change, since there is no need to copy struct tcf_exts.
And it also fixes other places zero'ing struct's contains struct tcf_exts.
Fixes: commit 33be627159913b0 (net_sched: act: use standard struct list_head)
Reported-by: Kelly Anderson <kelly@xilka.com>
Tested-by: Kelly Anderson <kelly@xilka.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-19 19:15:49 +00:00
|
|
|
if (old_r)
|
|
|
|
tcf_exts_change(tp, &r->exts, &e);
|
|
|
|
else
|
|
|
|
tcf_exts_change(tp, &cr.exts, &e);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2016-08-19 19:36:54 +00:00
|
|
|
if (old_r && old_r != r) {
|
|
|
|
err = tcindex_filter_result_init(old_r);
|
|
|
|
if (err < 0) {
|
|
|
|
kfree(f);
|
|
|
|
goto errout_alloc;
|
|
|
|
}
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2014-09-13 03:08:20 +00:00
|
|
|
oldp = p;
|
net_sched: fix an oops in tcindex filter
Kelly reported the following crash:
IP: [<ffffffff817a993d>] tcf_action_exec+0x46/0x90
PGD 3009067 PUD 300c067 PMD 11ff30067 PTE 800000011634b060
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
CPU: 1 PID: 639 Comm: dhclient Not tainted 3.15.0-rc4+ #342
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff8801169ecd00 ti: ffff8800d21b8000 task.ti: ffff8800d21b8000
RIP: 0010:[<ffffffff817a993d>] [<ffffffff817a993d>] tcf_action_exec+0x46/0x90
RSP: 0018:ffff8800d21b9b90 EFLAGS: 00010283
RAX: 00000000ffffffff RBX: ffff88011634b8e8 RCX: ffff8800cf7133d8
RDX: ffff88011634b900 RSI: ffff8800cf7133e0 RDI: ffff8800d210f840
RBP: ffff8800d21b9bb0 R08: ffffffff8287bf60 R09: 0000000000000001
R10: ffff8800d2b22b24 R11: 0000000000000001 R12: ffff8800d210f840
R13: ffff8800d21b9c50 R14: ffff8800cf7133e0 R15: ffff8800cad433d8
FS: 00007f49723e1840(0000) GS:ffff88011a800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88011634b8f0 CR3: 00000000ce469000 CR4: 00000000000006e0
Stack:
ffff8800d2170188 ffff8800d210f840 ffff8800d2171b90 0000000000000000
ffff8800d21b9be8 ffffffff817c55bb ffff8800d21b9c50 ffff8800d2171b90
ffff8800d210f840 ffff8800d21b0300 ffff8800d21b9c50 ffff8800d21b9c18
Call Trace:
[<ffffffff817c55bb>] tcindex_classify+0x88/0x9b
[<ffffffff817a7f7d>] tc_classify_compat+0x3e/0x7b
[<ffffffff817a7fdf>] tc_classify+0x25/0x9f
[<ffffffff817b0e68>] htb_enqueue+0x55/0x27a
[<ffffffff817b6c2e>] dsmark_enqueue+0x165/0x1a4
[<ffffffff81775642>] __dev_queue_xmit+0x35e/0x536
[<ffffffff8177582a>] dev_queue_xmit+0x10/0x12
[<ffffffff818f8ecd>] packet_sendmsg+0xb26/0xb9a
[<ffffffff810b1507>] ? __lock_acquire+0x3ae/0xdf3
[<ffffffff8175cf08>] __sock_sendmsg_nosec+0x25/0x27
[<ffffffff8175d916>] sock_aio_write+0xd0/0xe7
[<ffffffff8117d6b8>] do_sync_write+0x59/0x78
[<ffffffff8117d84d>] vfs_write+0xb5/0x10a
[<ffffffff8117d96a>] SyS_write+0x49/0x7f
[<ffffffff8198e212>] system_call_fastpath+0x16/0x1b
This is because we memcpy struct tcindex_filter_result which contains
struct tcf_exts, obviously struct list_head can not be simply copied.
This is a regression introduced by commit 33be627159913b094bb578
(net_sched: act: use standard struct list_head).
It's not very easy to fix it as the code is a mess:
if (old_r)
memcpy(&cr, r, sizeof(cr));
else {
memset(&cr, 0, sizeof(cr));
tcf_exts_init(&cr.exts, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
}
...
tcf_exts_change(tp, &cr.exts, &e);
...
memcpy(r, &cr, sizeof(cr));
the above code should equal to:
tcindex_filter_result_init(&cr);
if (old_r)
cr.res = r->res;
...
if (old_r)
tcf_exts_change(tp, &r->exts, &e);
else
tcf_exts_change(tp, &cr.exts, &e);
...
r->res = cr.res;
after this change, since there is no need to copy struct tcf_exts.
And it also fixes other places zero'ing struct's contains struct tcf_exts.
Fixes: commit 33be627159913b0 (net_sched: act: use standard struct list_head)
Reported-by: Kelly Anderson <kelly@xilka.com>
Tested-by: Kelly Anderson <kelly@xilka.com>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-19 19:15:49 +00:00
|
|
|
r->res = cr.res;
|
2014-09-13 03:08:20 +00:00
|
|
|
rcu_assign_pointer(tp->root, cp);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
if (r == &new_filter_result) {
|
2014-09-13 03:08:20 +00:00
|
|
|
struct tcindex_filter *nfp;
|
|
|
|
struct tcindex_filter __rcu **fp;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2014-09-30 23:07:23 +00:00
|
|
|
tcf_exts_change(tp, &f->result.exts, &r->exts);
|
2014-09-13 03:08:20 +00:00
|
|
|
|
2014-09-15 23:43:43 +00:00
|
|
|
fp = cp->h + (handle % cp->hash);
|
2014-09-13 03:08:20 +00:00
|
|
|
for (nfp = rtnl_dereference(*fp);
|
|
|
|
nfp;
|
|
|
|
fp = &nfp->next, nfp = rtnl_dereference(*fp))
|
|
|
|
; /* nothing */
|
|
|
|
|
|
|
|
rcu_assign_pointer(*fp, f);
|
2007-02-09 14:25:16 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2014-09-13 03:08:20 +00:00
|
|
|
if (oldp)
|
|
|
|
call_rcu(&oldp->rcu, __tcindex_partial_destroy);
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
errout_alloc:
|
|
|
|
if (balloc == 1)
|
2016-08-19 19:36:54 +00:00
|
|
|
tcindex_free_perfect_hash(cp);
|
2005-04-16 22:20:36 +00:00
|
|
|
else if (balloc == 2)
|
2014-09-13 03:08:20 +00:00
|
|
|
kfree(cp->h);
|
2016-08-19 19:36:54 +00:00
|
|
|
errout1:
|
|
|
|
tcf_exts_destroy(&cr.exts);
|
|
|
|
tcf_exts_destroy(&new_filter_result.exts);
|
2005-04-16 22:20:36 +00:00
|
|
|
errout:
|
2014-09-13 03:08:20 +00:00
|
|
|
kfree(cp);
|
2014-09-25 17:26:37 +00:00
|
|
|
tcf_exts_destroy(&e);
|
2005-04-16 22:20:36 +00:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2013-01-14 05:15:39 +00:00
|
|
|
tcindex_change(struct net *net, struct sk_buff *in_skb,
|
2012-05-25 19:42:45 +00:00
|
|
|
struct tcf_proto *tp, unsigned long base, u32 handle,
|
2014-04-25 20:54:06 +00:00
|
|
|
struct nlattr **tca, unsigned long *arg, bool ovr)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-01-23 06:11:33 +00:00
|
|
|
struct nlattr *opt = tca[TCA_OPTIONS];
|
|
|
|
struct nlattr *tb[TCA_TCINDEX_MAX + 1];
|
2014-09-13 03:08:20 +00:00
|
|
|
struct tcindex_data *p = rtnl_dereference(tp->root);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct tcindex_filter_result *r = (struct tcindex_filter_result *) *arg;
|
2008-01-24 04:33:32 +00:00
|
|
|
int err;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-01-21 10:26:41 +00:00
|
|
|
pr_debug("tcindex_change(tp %p,handle 0x%08x,tca %p,arg %p),opt %p,"
|
2005-04-16 22:20:36 +00:00
|
|
|
"p %p,r %p,*arg 0x%lx\n",
|
|
|
|
tp, handle, tca, arg, opt, p, r, arg ? *arg : 0L);
|
|
|
|
|
|
|
|
if (!opt)
|
|
|
|
return 0;
|
|
|
|
|
2017-04-12 12:34:07 +00:00
|
|
|
err = nla_parse_nested(tb, TCA_TCINDEX_MAX, opt, tcindex_policy, NULL);
|
2008-01-24 04:33:32 +00:00
|
|
|
if (err < 0)
|
|
|
|
return err;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2013-01-14 05:15:39 +00:00
|
|
|
return tcindex_set_parms(net, tp, base, handle, p, r, tb,
|
2014-04-25 20:54:06 +00:00
|
|
|
tca[TCA_RATE], ovr);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void tcindex_walk(struct tcf_proto *tp, struct tcf_walker *walker)
|
|
|
|
{
|
2014-09-13 03:08:20 +00:00
|
|
|
struct tcindex_data *p = rtnl_dereference(tp->root);
|
2008-01-21 10:26:41 +00:00
|
|
|
struct tcindex_filter *f, *next;
|
2005-04-16 22:20:36 +00:00
|
|
|
int i;
|
|
|
|
|
2008-01-21 10:26:41 +00:00
|
|
|
pr_debug("tcindex_walk(tp %p,walker %p),p %p\n", tp, walker, p);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (p->perfect) {
|
|
|
|
for (i = 0; i < p->hash; i++) {
|
|
|
|
if (!p->perfect[i].res.class)
|
|
|
|
continue;
|
|
|
|
if (walker->count >= walker->skip) {
|
|
|
|
if (walker->fn(tp,
|
|
|
|
(unsigned long) (p->perfect+i), walker)
|
|
|
|
< 0) {
|
|
|
|
walker->stop = 1;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
walker->count++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!p->h)
|
|
|
|
return;
|
|
|
|
for (i = 0; i < p->hash; i++) {
|
2014-09-13 03:08:20 +00:00
|
|
|
for (f = rtnl_dereference(p->h[i]); f; f = next) {
|
|
|
|
next = rtnl_dereference(f->next);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (walker->count >= walker->skip) {
|
2008-01-21 10:26:41 +00:00
|
|
|
if (walker->fn(tp, (unsigned long) &f->result,
|
2005-04-16 22:20:36 +00:00
|
|
|
walker) < 0) {
|
|
|
|
walker->stop = 1;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
walker->count++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-04-19 21:21:21 +00:00
|
|
|
static void tcindex_destroy(struct tcf_proto *tp)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2014-09-13 03:08:20 +00:00
|
|
|
struct tcindex_data *p = rtnl_dereference(tp->root);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct tcf_walker walker;
|
|
|
|
|
2008-01-21 10:26:41 +00:00
|
|
|
pr_debug("tcindex_destroy(tp %p),p %p\n", tp, p);
|
2005-04-16 22:20:36 +00:00
|
|
|
walker.count = 0;
|
|
|
|
walker.skip = 0;
|
2014-07-24 20:20:41 +00:00
|
|
|
walker.fn = tcindex_destroy_element;
|
2008-01-21 10:26:41 +00:00
|
|
|
tcindex_walk(tp, &walker);
|
2014-09-13 03:08:20 +00:00
|
|
|
|
|
|
|
call_rcu(&p->rcu, __tcindex_destroy);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2014-01-10 00:14:01 +00:00
|
|
|
static int tcindex_dump(struct net *net, struct tcf_proto *tp, unsigned long fh,
|
2016-09-18 12:45:33 +00:00
|
|
|
struct sk_buff *skb, struct tcmsg *t)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2014-09-13 03:08:20 +00:00
|
|
|
struct tcindex_data *p = rtnl_dereference(tp->root);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct tcindex_filter_result *r = (struct tcindex_filter_result *) fh;
|
2008-01-24 04:34:11 +00:00
|
|
|
struct nlattr *nest;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2014-12-09 21:23:29 +00:00
|
|
|
pr_debug("tcindex_dump(tp %p,fh 0x%lx,skb %p,t %p),p %p,r %p\n",
|
|
|
|
tp, fh, skb, t, p, r);
|
2008-01-21 10:26:41 +00:00
|
|
|
pr_debug("p->perfect %p p->h %p\n", p->perfect, p->h);
|
2008-01-24 04:34:11 +00:00
|
|
|
|
|
|
|
nest = nla_nest_start(skb, TCA_OPTIONS);
|
|
|
|
if (nest == NULL)
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!fh) {
|
|
|
|
t->tcm_handle = ~0; /* whatever ... */
|
2012-03-29 09:11:39 +00:00
|
|
|
if (nla_put_u32(skb, TCA_TCINDEX_HASH, p->hash) ||
|
|
|
|
nla_put_u16(skb, TCA_TCINDEX_MASK, p->mask) ||
|
|
|
|
nla_put_u32(skb, TCA_TCINDEX_SHIFT, p->shift) ||
|
|
|
|
nla_put_u32(skb, TCA_TCINDEX_FALL_THROUGH, p->fall_through))
|
|
|
|
goto nla_put_failure;
|
2008-01-24 04:34:11 +00:00
|
|
|
nla_nest_end(skb, nest);
|
2005-04-16 22:20:36 +00:00
|
|
|
} else {
|
|
|
|
if (p->perfect) {
|
2014-09-13 03:08:20 +00:00
|
|
|
t->tcm_handle = r - p->perfect;
|
2005-04-16 22:20:36 +00:00
|
|
|
} else {
|
|
|
|
struct tcindex_filter *f;
|
2014-09-13 03:08:20 +00:00
|
|
|
struct tcindex_filter __rcu **fp;
|
2005-04-16 22:20:36 +00:00
|
|
|
int i;
|
|
|
|
|
|
|
|
t->tcm_handle = 0;
|
|
|
|
for (i = 0; !t->tcm_handle && i < p->hash; i++) {
|
2014-09-13 03:08:20 +00:00
|
|
|
fp = &p->h[i];
|
|
|
|
for (f = rtnl_dereference(*fp);
|
|
|
|
!t->tcm_handle && f;
|
|
|
|
fp = &f->next, f = rtnl_dereference(*fp)) {
|
2005-04-16 22:20:36 +00:00
|
|
|
if (&f->result == r)
|
|
|
|
t->tcm_handle = f->key;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2008-01-21 10:26:41 +00:00
|
|
|
pr_debug("handle = %d\n", t->tcm_handle);
|
2012-03-29 09:11:39 +00:00
|
|
|
if (r->res.class &&
|
|
|
|
nla_put_u32(skb, TCA_TCINDEX_CLASSID, r->res.classid))
|
|
|
|
goto nla_put_failure;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2013-12-16 04:15:07 +00:00
|
|
|
if (tcf_exts_dump(skb, &r->exts) < 0)
|
2008-01-23 06:11:33 +00:00
|
|
|
goto nla_put_failure;
|
2008-01-24 04:34:11 +00:00
|
|
|
nla_nest_end(skb, nest);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2013-12-16 04:15:07 +00:00
|
|
|
if (tcf_exts_dump_stats(skb, &r->exts) < 0)
|
2008-01-23 06:11:33 +00:00
|
|
|
goto nla_put_failure;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2007-02-09 14:25:16 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
return skb->len;
|
|
|
|
|
2008-01-23 06:11:33 +00:00
|
|
|
nla_put_failure:
|
2014-12-09 21:23:29 +00:00
|
|
|
nla_nest_cancel(skb, nest);
|
2005-04-16 22:20:36 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2008-01-23 06:10:42 +00:00
|
|
|
static struct tcf_proto_ops cls_tcindex_ops __read_mostly = {
|
2005-04-16 22:20:36 +00:00
|
|
|
.kind = "tcindex",
|
|
|
|
.classify = tcindex_classify,
|
|
|
|
.init = tcindex_init,
|
|
|
|
.destroy = tcindex_destroy,
|
|
|
|
.get = tcindex_get,
|
|
|
|
.change = tcindex_change,
|
|
|
|
.delete = tcindex_delete,
|
|
|
|
.walk = tcindex_walk,
|
|
|
|
.dump = tcindex_dump,
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
};
|
|
|
|
|
|
|
|
static int __init init_tcindex(void)
|
|
|
|
{
|
|
|
|
return register_tcf_proto_ops(&cls_tcindex_ops);
|
|
|
|
}
|
|
|
|
|
2007-02-09 14:25:16 +00:00
|
|
|
static void __exit exit_tcindex(void)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
unregister_tcf_proto_ops(&cls_tcindex_ops);
|
|
|
|
}
|
|
|
|
|
|
|
|
module_init(init_tcindex)
|
|
|
|
module_exit(exit_tcindex)
|
|
|
|
MODULE_LICENSE("GPL");
|