Commit 0b9dcf37 authored by Jakub Kicinski's avatar Jakub Kicinski

Merge branch 'net-sched-two-fixes-for-cls_u32'

Eric Dumazet says:

====================
net/sched: two fixes for cls_u32

One syzbot report brought my attention to cls_u32.

This series addresses the syzbot report, and an additional
issue discovered in code review.
====================

Link: https://lore.kernel.org/r/20220413173542.533060-1-eric.dumazet@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents f3226eed ec5b0f60
......@@ -386,14 +386,19 @@ static int u32_init(struct tcf_proto *tp)
return 0;
}
static int u32_destroy_key(struct tc_u_knode *n, bool free_pf)
static void __u32_destroy_key(struct tc_u_knode *n)
{
struct tc_u_hnode *ht = rtnl_dereference(n->ht_down);
tcf_exts_destroy(&n->exts);
tcf_exts_put_net(&n->exts);
if (ht && --ht->refcnt == 0)
kfree(ht);
kfree(n);
}
static void u32_destroy_key(struct tc_u_knode *n, bool free_pf)
{
tcf_exts_put_net(&n->exts);
#ifdef CONFIG_CLS_U32_PERF
if (free_pf)
free_percpu(n->pf);
......@@ -402,8 +407,7 @@ static int u32_destroy_key(struct tc_u_knode *n, bool free_pf)
if (free_pf)
free_percpu(n->pcpu_success);
#endif
kfree(n);
return 0;
__u32_destroy_key(n);
}
/* u32_delete_key_rcu should be called when free'ing a copied
......@@ -811,10 +815,6 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp,
new->flags = n->flags;
RCU_INIT_POINTER(new->ht_down, ht);
/* bump reference count as long as we hold pointer to structure */
if (ht)
ht->refcnt++;
#ifdef CONFIG_CLS_U32_PERF
/* Statistics may be incremented by readers during update
* so we must keep them in tact. When the node is later destroyed
......@@ -836,6 +836,10 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp,
return NULL;
}
/* bump reference count as long as we hold pointer to structure */
if (ht)
ht->refcnt++;
return new;
}
......@@ -900,13 +904,13 @@ static int u32_change(struct net *net, struct sk_buff *in_skb,
extack);
if (err) {
u32_destroy_key(new, false);
__u32_destroy_key(new);
return err;
}
err = u32_replace_hw_knode(tp, new, flags, extack);
if (err) {
u32_destroy_key(new, false);
__u32_destroy_key(new);
return err;
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment