net_sched: introduce tclass_del_notify()
authorWANG Cong <xiyou.wangcong@gmail.com>
Thu, 24 Aug 2017 23:51:28 +0000 (16:51 -0700)
committerDavid S. Miller <davem@davemloft.net>
Sat, 26 Aug 2017 00:19:10 +0000 (17:19 -0700)
Like for TC actions, ->delete() is a special case,
we have to prepare and fill the notification before delete
otherwise would get use-after-free after we remove the
reference count.

Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/sch_api.c

index 330ffaea9974efefddec65f3653f9fae128d156b..3ef4eb5787391629829c46207f01560b642e344c 100644 (file)
@@ -1618,6 +1618,38 @@ static int tclass_notify(struct net *net, struct sk_buff *oskb,
                              n->nlmsg_flags & NLM_F_ECHO);
 }
 
+static int tclass_del_notify(struct net *net,
+                            const struct Qdisc_class_ops *cops,
+                            struct sk_buff *oskb, struct nlmsghdr *n,
+                            struct Qdisc *q, unsigned long cl)
+{
+       u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
+       struct sk_buff *skb;
+       int err = 0;
+
+       if (!cops->delete)
+               return -EOPNOTSUPP;
+
+       skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
+       if (!skb)
+               return -ENOBUFS;
+
+       if (tc_fill_tclass(skb, q, cl, portid, n->nlmsg_seq, 0,
+                          RTM_DELTCLASS) < 0) {
+               kfree_skb(skb);
+               return -EINVAL;
+       }
+
+       err = cops->delete(q, cl);
+       if (err) {
+               kfree_skb(skb);
+               return err;
+       }
+
+       return rtnetlink_send(skb, net, portid, RTNLGRP_TC,
+                             n->nlmsg_flags & NLM_F_ECHO);
+}
+
 static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n,
                         struct netlink_ext_ack *extack)
 {
@@ -1722,12 +1754,7 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n,
                                goto out;
                        break;
                case RTM_DELTCLASS:
-                       err = -EOPNOTSUPP;
-                       if (cops->delete)
-                               err = cops->delete(q, cl);
-                       if (err == 0)
-                               tclass_notify(net, skb, n, q, cl,
-                                             RTM_DELTCLASS);
+                       err = tclass_del_notify(net, cops, skb, n, q, cl);
                        goto out;
                case RTM_GETTCLASS:
                        err = tclass_notify(net, skb, n, q, cl, RTM_NEWTCLASS);