Home Explore Help
Register Sign In
libreCMC
/
libreCMC
17
18
Fork 12
Files Issues 59 Pull Requests 3 Wiki
Tree: 9003a2e19e
Branches Tags
libreCMC
/
target
/
linux
/
generic
/
backport-4.14
/
342-v4.16-netfilter-nf_tables-fix-flowtable-free.patch

342-v4.16-netfilter-nf_tables-fix-flowtable-free.patch 4.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140 
  1. From: Pablo Neira Ayuso <pablo@netfilter.org>
    2. 

  2. Date: Mon, 5 Feb 2018 21:44:50 +0100
    3. 

  3. Subject: [PATCH] netfilter: nf_tables: fix flowtable free
    4. 

  4. 

  5. Every flow_offload entry is added into the table twice. Because of this,
    6. 

  6. rhashtable_free_and_destroy can't be used, since it would call kfree for
    7. 

  7. each flow_offload object twice.
    8. 

  8. 

  9. This patch adds a call to nf_flow_table_iterate_cleanup() to schedule
    10. 

  10. removal of entries, then there is an explicitly invocation of the
    11. 

  11. garbage collector to clean up resources.
    12. 

  12. 

  13. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    14. 

  14. ---
    15. 

  15. 

  16. --- a/include/net/netfilter/nf_flow_table.h
    17. 

  17. +++ b/include/net/netfilter/nf_flow_table.h
    18. 

  18. @@ -14,6 +14,7 @@ struct nf_flowtable_type {
    19. 

  19.  	struct list_head		list;
    20. 

  20.  	int				family;
    21. 

  21.  	void				(*gc)(struct work_struct *work);
    22. 

  22. +	void				(*free)(struct nf_flowtable *ft);
    23. 

  23.  	const struct rhashtable_params	*params;
    24. 

  24.  	nf_hookfn			*hook;
    25. 

  25.  	struct module			*owner;
    26. 

  26. @@ -98,6 +99,7 @@ int nf_flow_table_iterate(struct nf_flow
    27. 

  27.  
    28. 

  28.  void nf_flow_table_cleanup(struct net *net, struct net_device *dev);
    29. 

  29.  
    30. 

  30. +void nf_flow_table_free(struct nf_flowtable *flow_table);
    31. 

  31.  void nf_flow_offload_work_gc(struct work_struct *work);
    32. 

  32.  extern const struct rhashtable_params nf_flow_offload_rhash_params;
    33. 

  33.  
    34. 

  34. --- a/net/ipv4/netfilter/nf_flow_table_ipv4.c
    35. 

  35. +++ b/net/ipv4/netfilter/nf_flow_table_ipv4.c
    36. 

  36. @@ -260,6 +260,7 @@ static struct nf_flowtable_type flowtabl
    37. 

  37.  	.family		= NFPROTO_IPV4,
    38. 

  38.  	.params		= &nf_flow_offload_rhash_params,
    39. 

  39.  	.gc		= nf_flow_offload_work_gc,
    40. 

  40. +	.free		= nf_flow_table_free,
    41. 

  41.  	.hook		= nf_flow_offload_ip_hook,
    42. 

  42.  	.owner		= THIS_MODULE,
    43. 

  43.  };
    44. 

  44. --- a/net/ipv6/netfilter/nf_flow_table_ipv6.c
    45. 

  45. +++ b/net/ipv6/netfilter/nf_flow_table_ipv6.c
    46. 

  46. @@ -254,6 +254,7 @@ static struct nf_flowtable_type flowtabl
    47. 

  47.  	.family		= NFPROTO_IPV6,
    48. 

  48.  	.params		= &nf_flow_offload_rhash_params,
    49. 

  49.  	.gc		= nf_flow_offload_work_gc,
    50. 

  50. +	.free		= nf_flow_table_free,
    51. 

  51.  	.hook		= nf_flow_offload_ipv6_hook,
    52. 

  52.  	.owner		= THIS_MODULE,
    53. 

  53.  };
    54. 

  54. --- a/net/netfilter/nf_flow_table.c
    55. 

  55. +++ b/net/netfilter/nf_flow_table.c
    56. 

  56. @@ -232,19 +232,16 @@ static inline bool nf_flow_is_dying(cons
    57. 

  57.  	return flow->flags & FLOW_OFFLOAD_DYING;
    58. 

  58.  }
    59. 

  59.  
    60. 

  60. -void nf_flow_offload_work_gc(struct work_struct *work)
    61. 

  61. +static int nf_flow_offload_gc_step(struct nf_flowtable *flow_table)
    62. 

  62.  {
    63. 

  63.  	struct flow_offload_tuple_rhash *tuplehash;
    64. 

  64. -	struct nf_flowtable *flow_table;
    65. 

  65.  	struct rhashtable_iter hti;
    66. 

  66.  	struct flow_offload *flow;
    67. 

  67.  	int err;
    68. 

  68.  
    69. 

  69. -	flow_table = container_of(work, struct nf_flowtable, gc_work.work);
    70. 

  70. -
    71. 

  71.  	err = rhashtable_walk_init(&flow_table->rhashtable, &hti, GFP_KERNEL);
    72. 

  72.  	if (err)
    73. 

  73. -		goto schedule;
    74. 

  74. +		return 0;
    75. 

  75.  
    76. 

  76.  	rhashtable_walk_start(&hti);
    77. 

  77.  
    78. 

  78. @@ -270,7 +267,16 @@ void nf_flow_offload_work_gc(struct work
    79. 

  79.  out:
    80. 

  80.  	rhashtable_walk_stop(&hti);
    81. 

  81.  	rhashtable_walk_exit(&hti);
    82. 

  82. -schedule:
    83. 

  83. +
    84. 

  84. +	return 1;
    85. 

  85. +}
    86. 

  86. +
    87. 

  87. +void nf_flow_offload_work_gc(struct work_struct *work)
    88. 

  88. +{
    89. 

  89. +	struct nf_flowtable *flow_table;
    90. 

  90. +
    91. 

  91. +	flow_table = container_of(work, struct nf_flowtable, gc_work.work);
    92. 

  92. +	nf_flow_offload_gc_step(flow_table);
    93. 

  93.  	queue_delayed_work(system_power_efficient_wq, &flow_table->gc_work, HZ);
    94. 

  94.  }
    95. 

  95.  EXPORT_SYMBOL_GPL(nf_flow_offload_work_gc);
    96. 

  96. @@ -449,5 +455,12 @@ void nf_flow_table_cleanup(struct net *n
    97. 

  97.  }
    98. 

  98.  EXPORT_SYMBOL_GPL(nf_flow_table_cleanup);
    99. 

  99.  
    100. 

  100. +void nf_flow_table_free(struct nf_flowtable *flow_table)
    101. 

  101. +{
    102. 

  102. +	nf_flow_table_iterate(flow_table, nf_flow_table_do_cleanup, NULL);
    103. 

  103. +	WARN_ON(!nf_flow_offload_gc_step(flow_table));
    104. 

  104. +}
    105. 

  105. +EXPORT_SYMBOL_GPL(nf_flow_table_free);
    106. 

  106. +
    107. 

  107.  MODULE_LICENSE("GPL");
    108. 

  108.  MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
    109. 

  109. --- a/net/netfilter/nf_flow_table_inet.c
    110. 

  110. +++ b/net/netfilter/nf_flow_table_inet.c
    111. 

  111. @@ -24,6 +24,7 @@ static struct nf_flowtable_type flowtabl
    112. 

  112.  	.family		= NFPROTO_INET,
    113. 

  113.  	.params		= &nf_flow_offload_rhash_params,
    114. 

  114.  	.gc		= nf_flow_offload_work_gc,
    115. 

  115. +	.free		= nf_flow_table_free,
    116. 

  116.  	.hook		= nf_flow_offload_inet_hook,
    117. 

  117.  	.owner		= THIS_MODULE,
    118. 

  118.  };
    119. 

  119. --- a/net/netfilter/nf_tables_api.c
    120. 

  120. +++ b/net/netfilter/nf_tables_api.c
    121. 

  121. @@ -5299,17 +5299,12 @@ err:
    122. 

  122.  	nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
    123. 

  123.  }
    124. 

  124.  
    125. 

  125. -static void nft_flowtable_destroy(void *ptr, void *arg)
    126. 

  126. -{
    127. 

  127. -	kfree(ptr);
    128. 

  128. -}
    129. 

  129. -
    130. 

  130.  static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
    131. 

  131.  {
    132. 

  132.  	cancel_delayed_work_sync(&flowtable->data.gc_work);
    133. 

  133.  	kfree(flowtable->name);
    134. 

  134. -	rhashtable_free_and_destroy(&flowtable->data.rhashtable,
    135. 

  135. -				    nft_flowtable_destroy, NULL);
    136. 

  136. +	flowtable->data.type->free(&flowtable->data);
    137. 

  137. +	rhashtable_destroy(&flowtable->data.rhashtable);
    138. 

  138.  	module_put(flowtable->data.type->owner);
    139. 

  139.  }
    140. 

  140.  
    141.