Guard NULL params in accessors/dump/timer paths to avoid crashes during teardown or failed initialization. Other actions already guard params before RCU cleanup (act_pedit, commit 52cf89f78c01bf; act_vlan, commits 4c5b9d9642c859 and 1edf8abe04090c), so act_gate should tolerate NULL in reader paths too. Fixes: a51c328df310 ("net: qos: introduce a gate control flow action") Signed-off-by: Paul Moses
Cc: stable@vger.kernel.org
---
 include/net/tc_act/tc_gate.h | 30 ++++++++++++++++++++----------
 net/sched/act_gate.c | 13 ++++++++++++-
 2 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/include/net/tc_act/tc_gate.h b/include/net/tc_act/tc_gate.h
index 9587d9e9fa38f..8c3309b0dd779 100644
--- a/include/net/tc_act/tc_gate.h
+++ b/include/net/tc_act/tc_gate.h
@@ -54,12 +54,13 @@ struct tcf_gate {
 static inline s32 tcf_gate_prio(const struct tc_action *a)
 {
- s32 tcfg_prio;
+ s32 tcfg_prio = 0;
 struct tcf_gate_params *p;
 rcu_read_lock();
 p = rcu_dereference(to_gate(a)->param);
- tcfg_prio = p->tcfg_priority;
+ if (p)
+ tcfg_prio = p->tcfg_priority;
 rcu_read_unlock();
 return tcfg_prio;
@@ -67,12 +68,13 @@ static inline s32 tcf_gate_prio(const struct tc_action *a)
 static inline u64 tcf_gate_basetime(const struct tc_action *a)
 {
- u64 tcfg_basetime;
+ u64 tcfg_basetime = 0;
 struct tcf_gate_params *p;
 rcu_read_lock();
 p = rcu_dereference(to_gate(a)->param);
- tcfg_basetime = p->tcfg_basetime;
+ if (p)
+ tcfg_basetime = p->tcfg_basetime;
 rcu_read_unlock();
 return tcfg_basetime;
@@ -80,12 +82,13 @@ static inline u64 tcf_gate_basetime(const struct tc_action *a)
 static inline u64 tcf_gate_cycletime(const struct tc_action *a)
 {
- u64 tcfg_cycletime;
+ u64 tcfg_cycletime = 0;
 struct tcf_gate_params *p;
 rcu_read_lock();
 p = rcu_dereference(to_gate(a)->param);
- tcfg_cycletime = p->tcfg_cycletime;
+ if (p)
+ tcfg_cycletime = p->tcfg_cycletime;
 rcu_read_unlock();
 return tcfg_cycletime;
@@ -93,12 +96,13 @@ static inline u64 tcf_gate_cycletime(const struct tc_action *a)
 static inline u64 tcf_gate_cycletimeext(const struct tc_action *a)
 {
- u64 tcfg_cycletimeext;
+ u64 tcfg_cycletimeext = 0;
 struct tcf_gate_params *p;
 rcu_read_lock();
 p = rcu_dereference(to_gate(a)->param);
- tcfg_cycletimeext = p->tcfg_cycletime_ext;
+ if (p)
+ tcfg_cycletimeext = p->tcfg_cycletime_ext;
 rcu_read_unlock();
 return tcfg_cycletimeext;
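Review bot: The new `= 0` fallback in tcf_gate_prio(), and likewise in tcf_gate_basetime(), tcf_gate_cycletime(), tcf_gate_cycletimeext() and tcf_gate_num_entries(), makes a missing params block indistinguishable from a gate that really was configured with zero. A caller that programs hardware or derives a schedule from these values would then act on a zero cycle time or priority instead of learning that the action is being torn down; whether any caller can reach that state is not visible from these hunks, so it is worth confirming. At minimum the contract should be written above each accessor, for example `/* Returns 0 if the action has no params (teardown or failed init). */`.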
@@ -106,12 +110,13 @@ static inline u64 tcf_gate_cycletimeext(const struct tc_action *a)
 static inline u32 tcf_gate_num_entries(const struct tc_action *a)
 {
- u32 num_entries;
+ u32 num_entries = 0;
 struct tcf_gate_params *p;
 rcu_read_lock();
 p = rcu_dereference(to_gate(a)->param);
- num_entries = p->num_entries;
+ if (p)
+ num_entries = p->num_entries;
 rcu_read_unlock();
 return num_entries;
@@ -128,6 +133,11 @@ static inline struct action_gate_entry
 rcu_read_lock();
 p = rcu_dereference(to_gate(a)->param);
+ if (!p) {
+ rcu_read_unlock();
+ return NULL;
+ }
+ num_entries = p->num_entries;
 list_for_each_entry(entry, &p->entries, list)
diff --git a/net/sched/act_gate.c b/net/sched/act_gate.c
index e4134b9a4a314..65b53cbf37e67 100644
--- a/net/sched/act_gate.c
+++ b/net/sched/act_gate.c
@@ -82,7 +82,11 @@ static enum hrtimer_restart gate_timer_func(struct hrtimer *timer)
 p = rcu_dereference_protected(gact->param, lockdep_is_held(&gact->tcf_lock));
+ if (!p)
+ goto out_unlock;
 next = gact->next_entry;
+ if (!next)
+ goto out_unlock;
 /* cycle start, clear pending bit, clear total octets */
 gact->current_gate_status = next->gate_state ? GATE_ACT_GATE_OPEN : 0;
@@ -119,6 +123,11 @@ static enum hrtimer_restart gate_timer_func(struct hrtimer *timer)
 spin_unlock(&gact->tcf_lock);
 return HRTIMER_RESTART;
+
+out_unlock:
+ spin_unlock(&gact->tcf_lock);
+
+ return HRTIMER_NORESTART;
 }
 TC_INDIRECT_SCOPE int tcf_gate_act(struct sk_buff *skb,
@@ -584,8 +593,8 @@ static void tcf_gate_cleanup(struct tc_action *a)
 struct tcf_gate *gact = to_gate(a);
 struct tcf_gate_params *p;
- p = rcu_replace_pointer(gact->param, NULL, lockdep_rtnl_is_held());
 hrtimer_cancel(&gact->hitimer);
+ p = rcu_replace_pointer(gact->param, NULL, lockdep_rtnl_is_held());
 if (p) call_rcu(&p->rcu, tcf_gate_params_free_rcu);
 }
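Review bot: Returning NULL from the new `if (!p)` branch in the accessor that returns `struct action_gate_entry` gives callers no way to tell a params-less action from any other failure this function may already report with NULL. The rest of the body, including any allocation, lies outside the hunk, so that overlap is inferred. If callers translate NULL into an out-of-memory error, a torn-down action would be misreported. A comment at the branch, `/* No params: action is being torn down or init failed. */`, plus a line in the function's header comment about the NULL return, would make the contract explicit.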
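Review bot: The two early exits in gate_timer_func(), `if (!p) goto out_unlock;` and `if (!next) goto out_unlock;`, stop the timer silently and leave `gact->current_gate_status` at whatever it last held, so the gate stays open or closed indefinitely with no trace of why. Since tcf_gate_cleanup() in this same patch now cancels the timer before clearing `param`, a NULL here looks like an unexpected state rather than normal teardown (inferred from the visible hunks only), and it would be better surfaced, e.g. `if (WARN_ON_ONCE(!p)) goto out_unlock;`. The `next` test also catches only NULL; it cannot detect an entry that has already been freed. The `out_unlock` label is added by the following hunk (-119,6), and the function body extends outside both hunks.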
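Review bot: The reordering in tcf_gate_cleanup() is the one change in this patch that alters concurrency behaviour, yet nothing in the code says why `hrtimer_cancel()` must now precede `rcu_replace_pointer()`, and the commit message describes only the NULL guards. A later tidy-up could swap the two lines back and reopen a window in which the timer callback runs against a cleared `param`. I would add a comment above the call, `/* Cancel the timer first so gate_timer_func() cannot run while param is cleared and freed. */`. It is also worth confirming that `lockdep_rtnl_is_held()` holds on every path that reaches this cleanup, which the hunk does not show.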
@@ -643,6 +652,8 @@ static int tcf_gate_dump(struct sk_buff *skb, struct tc_action *a,
 rcu_read_lock();
 p = rcu_dereference(gact->param);
+ if (!p)
+ goto nla_put_failure_rcu;
 if (nla_put_u64_64bit(skb, TCA_GATE_BASE_TIME, p->tcfg_basetime, TCA_GATE_PAD))
--
2.52.GIT
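Review bot: The new `goto nla_put_failure_rcu` jumps to a label that is neither defined in this hunk nor added anywhere in the patch, so it needs confirming that the label already exists in tcf_gate_dump() and releases the `rcu_read_lock()` taken just above. Routing a missing params block through the attribute-put failure path also means the dump would report it as if the message buffer were too small (inferred; the failure path is outside the hunk), which could make userspace retry or hide the action. A short comment at the check, `/* No params to dump: action is being torn down. */`, would at least record the intent.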