matchall race (was: Re: [PATCH net-next] net/sched: cls_flower: verify root pointer before dereferncing it)

public inbox for netdev@vger.kernel.org 
 help / color / mirror / Atom feed

From: Daniel Borkmann <daniel@iogearbox•net>
To: Cong Wang <xiyou.wangcong@gmail•com>
Cc: David Miller <davem@davemloft•net>, Jiri Pirko <jiri@resnulli•us>,
	Roi Dayan <roid@mellanox•com>,
	Linux Kernel Network Developers <netdev@vger•kernel.org>,
	Jiri Pirko <jiri@mellanox•com>,
	Or Gerlitz <ogerlitz@mellanox•com>,
	Cong Wang <cwang@twopensource•com>,
	John Fastabend <john.fastabend@gmail•com>,
	Alexei Starovoitov <alexei.starovoitov@gmail•com>
Subject: matchall race (was: Re: [PATCH net-next] net/sched: cls_flower: verify root pointer before dereferncing it)
Date: Fri, 25 Nov 2016 10:43:39 +0100	[thread overview]
Message-ID: <583807CB.4000503@iogearbox.net> (raw)
In-Reply-To: <CAM_iQpU=t-APBrPuW1K1FdRW8J9UydkbD9Y4h1eD_SU3yK=wvw@mail.gmail.com>

[ Making this a different thread, since unrelated to the other one. ]

On 11/25/2016 07:23 AM, Cong Wang wrote:
> On Thu, Nov 24, 2016 at 4:17 PM, Daniel Borkmann <daniel@iogearbox•net> wrote:
[...]
>>
>> (Btw, matchall is still broken besides this fix. mall_delete() sets the
>>   RCU_INIT_POINTER(head->filter, NULL), so that a mall_delete() plus
>>   mall_destroy() combo doesn't free head->filter twice, but doing that is
>>   racy with mall_classify() where head->filter is dereferenced unchecked.
>>   Requires additional fix.)
>
> This seems due to matchall only has one filter per tp. But you don't need
> to worry since readers never read a freed pointer, right?

The race would be that CPU0 is in tc_ctl_tfilter() with RTM_DELTFILTER and
tcm_handle = 1 request. matchall has only single handle and id of it is 1
(or a prior user-specified one). So in tc_ctl_tfilter() ->get() will find it,
returns pointer as fh. Then we call ->delete(). mall_delete() sets head->filter
to NULL with RCU_INIT_POINTER() (head->filter is not even an RCU pointer btw),
real filter destruction comes via call_rcu(). If we got here, that tp is still
visible and not unlinked from tp chain. So in CPU1 tc_classify() executes
mall_classify(), we fetch the head (tp->root) and the corresponding head->filter
from there, and dereference it next. Probably best would have been to just
return -EOPNOTSUPP for ->delete() like in cls_cgroup case. It probably makes
sense to just defer real destruction to mall_destroy() instead of mall_delete()
if one wants to avoid extra !f test in mall_classify().

     prev parent reply	other threads:[~2016-11-25  9:43 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-22 14:25 [PATCH net-next] net/sched: cls_flower: verify root pointer before dereferncing it Roi Dayan
2016-11-22 14:48 ` Jiri Pirko
2016-11-22 15:37   ` David Miller
2016-11-22 16:13     ` Jiri Pirko
2016-11-22 16:04   ` Daniel Borkmann
2016-11-22 16:11     ` Jiri Pirko
2016-11-22 19:28       ` Cong Wang
2016-11-22 20:41         ` Daniel Borkmann
2016-11-22 23:36           ` John Fastabend
2016-11-23  5:24             ` Cong Wang
2016-11-23 11:29               ` Daniel Borkmann
2016-11-23 19:29                 ` Cong Wang
2016-11-24 20:25         ` David Miller
2016-11-25  0:17           ` Daniel Borkmann
2016-11-25  6:23             ` Cong Wang
2016-11-25  9:43               ` Daniel Borkmann [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=583807CB.4000503@iogearbox.net \
    --to=daniel@iogearbox$(echo .)net \
    --cc=alexei.starovoitov@gmail$(echo .)com \
    --cc=cwang@twopensource$(echo .)com \
    --cc=davem@davemloft$(echo .)net \
    --cc=jiri@mellanox$(echo .)com \
    --cc=jiri@resnulli$(echo .)us \
    --cc=john.fastabend@gmail$(echo .)com \
    --cc=netdev@vger$(echo .)kernel.org \
    --cc=ogerlitz@mellanox$(echo .)com \
    --cc=roid@mellanox$(echo .)com \
    --cc=xiyou.wangcong@gmail$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox