
Commit 8ced425

strssndktndavem330
authored andcommitted
tun: use socket locks for sk_{attach,detatch}_filter
This reverts commit 5a5abb1 ("tun, bpf: fix suspicious RCU usage in tun_{attach, detach}_filter") and replaces it to use lock_sock around sk_{attach,detach}_filter. The checks inside filter.c are updated with lockdep_sock_is_held to check for proper socket locks. It keeps the code cleaner by ensuring that only one lock governs the socket filter instead of two independent locks. Cc: Daniel Borkmann <[email protected]> Signed-off-by: Hannes Frederic Sowa <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent 1e1d04e commit 8ced425


3 files changed

+22
-31
lines changed


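--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -622,8 +622,9 @@ static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filte
 
 /* Re-attach the filter to persist device */
 if (!skip_filter && (tun->filter_attached == true)) {
-err = __sk_attach_filter(&tun->fprog, tfile->socket.sk,
-lockdep_rtnl_is_held());
+lock_sock(tfile->socket.sk);
+err = sk_attach_filter(&tun->fprog, tfile->socket.sk);
+release_sock(tfile->socket.sk);
 if (!err)
 goto out;
 }
@@ -1824,7 +1825,9 @@ static void tun_detach_filter(struct tun_struct *tun, int n)
 
 for (i = 0; i < n; i++) {
 tfile = rtnl_dereference(tun->tfiles[i]);
-__sk_detach_filter(tfile->socket.sk, lockdep_rtnl_is_held());
+lock_sock(tfile->socket.sk);
+sk_detach_filter(tfile->socket.sk);
+release_sock(tfile->socket.sk);
 }
 
 tun->filter_attached = false;
@@ -1837,8 +1840,9 @@ static int tun_attach_filter(struct tun_struct *tun)
 
 for (i = 0; i < tun->numqueues; i++) {
 tfile = rtnl_dereference(tun->tfiles[i]);
-ret = __sk_attach_filter(&tun->fprog, tfile->socket.sk,
-lockdep_rtnl_is_held());
+lock_sock(tfile->socket.sk);
+ret = sk_attach_filter(&tun->fprog, tfile->socket.sk);
+release_sock(tfile->socket.sk);
 if (ret) {
 tun_detach_filter(tun, i);
 return ret;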
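Review bot: In the tun_detach_filter hunk the result of `sk_detach_filter(tfile->socket.sk);` is discarded, and `tun->filter_attached = false;` runs after the loop whatever the calls returned. The net/core/filter.c part of this commit shows sk_detach_filter returning -EPERM when SOCK_FILTER_LOCKED is set, so a refused detach would leave a queue socket filtered while the device records that no filter is attached. Whether a tun queue socket can ever carry that flag is not visible here; if it cannot, a one-line comment at the call such as `/* tun queue sockets never set SOCK_FILTER_LOCKED, so this cannot return -EPERM */` would record the assumption, and if it can, wrapping the call as `WARN_ON_ONCE(sk_detach_filter(tfile->socket.sk) == -EPERM);` would make the mismatch visible. The ignored return predates this commit, and the function body starts and ends outside the hunk.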

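--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -465,14 +465,10 @@ int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog,
 void bpf_prog_destroy(struct bpf_prog *fp);
 
 int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk);
-int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk,
-bool locked);
 int sk_attach_bpf(u32 ufd, struct sock *sk);
 int sk_reuseport_attach_filter(struct sock_fprog *fprog, struct sock *sk);
 int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk);
 int sk_detach_filter(struct sock *sk);
-int __sk_detach_filter(struct sock *sk, bool locked);
-
 int sk_get_filter(struct sock *sk, struct sock_filter __user *filter,
 unsigned int len);
 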
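--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1149,8 +1149,7 @@ void bpf_prog_destroy(struct bpf_prog *fp)
 }
 EXPORT_SYMBOL_GPL(bpf_prog_destroy);
 
-static int __sk_attach_prog(struct bpf_prog *prog, struct sock *sk,
-bool locked)
+static int __sk_attach_prog(struct bpf_prog *prog, struct sock *sk)
 {
 struct sk_filter *fp, *old_fp;
 
@@ -1166,8 +1165,10 @@ static int __sk_attach_prog(struct bpf_prog *prog, struct sock *sk,
 return -ENOMEM;
 }
 
-old_fp = rcu_dereference_protected(sk->sk_filter, locked);
+old_fp = rcu_dereference_protected(sk->sk_filter,
+lockdep_sock_is_held(sk));
 rcu_assign_pointer(sk->sk_filter, fp);
+
 if (old_fp)
 sk_filter_uncharge(sk, old_fp);
 
@@ -1246,29 +1247,23 @@ struct bpf_prog *__get_filter(struct sock_fprog *fprog, struct sock *sk)
 * occurs or there is insufficient memory for the filter a negative
 * errno code is returned. On success the return is zero.
 */
-int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk,
-bool locked)
+int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
 {
 struct bpf_prog *prog = __get_filter(fprog, sk);
 int err;
 
 if (IS_ERR(prog))
 return PTR_ERR(prog);
 
-err = __sk_attach_prog(prog, sk, locked);
+err = __sk_attach_prog(prog, sk);
 if (err < 0) {
 __bpf_prog_release(prog);
 return err;
 }
 
 return 0;
 }
-EXPORT_SYMBOL_GPL(__sk_attach_filter);
-
-int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
-{
-return __sk_attach_filter(fprog, sk, sock_owned_by_user(sk));
-}
+EXPORT_SYMBOL_GPL(sk_attach_filter);
 
 int sk_reuseport_attach_filter(struct sock_fprog *fprog, struct sock *sk)
 {
@@ -1314,7 +1309,7 @@ int sk_attach_bpf(u32 ufd, struct sock *sk)
 if (IS_ERR(prog))
 return PTR_ERR(prog);
 
-err = __sk_attach_prog(prog, sk, sock_owned_by_user(sk));
+err = __sk_attach_prog(prog, sk);
 if (err < 0) {
 bpf_prog_put(prog);
 return err;
@@ -2255,15 +2250,16 @@ static int __init register_sk_filter_ops(void)
 }
 late_initcall(register_sk_filter_ops);
 
-int __sk_detach_filter(struct sock *sk, bool locked)
+int sk_detach_filter(struct sock *sk)
 {
 int ret = -ENOENT;
 struct sk_filter *filter;
 
 if (sock_flag(sk, SOCK_FILTER_LOCKED))
 return -EPERM;
 
-filter = rcu_dereference_protected(sk->sk_filter, locked);
+filter = rcu_dereference_protected(sk->sk_filter,
+lockdep_sock_is_held(sk));
 if (filter) {
 RCU_INIT_POINTER(sk->sk_filter, NULL);
 sk_filter_uncharge(sk, filter);
@@ -2272,12 +2268,7 @@ int __sk_detach_filter(struct sock *sk, bool locked)
 
 return ret;
 }
-EXPORT_SYMBOL_GPL(__sk_detach_filter);
-
-int sk_detach_filter(struct sock *sk)
-{
-return __sk_detach_filter(sk, sock_owned_by_user(sk));
-}
+EXPORT_SYMBOL_GPL(sk_detach_filter);
 
 int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf,
 unsigned int len)
@@ -2288,7 +2279,7 @@ int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf,
 
 lock_sock(sk);
 filter = rcu_dereference_protected(sk->sk_filter,
-sock_owned_by_user(sk));
+lockdep_sock_is_held(sk));
 if (!filter)
 goto out;
 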
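Review bot: The kernel-doc above sk_attach_filter (its tail is the context at the top of the `@@ -1246` hunk) still documents only the return values, although after this change sk_attach_filter, sk_attach_bpf and sk_detach_filter all depend on the caller already holding the socket lock. That requirement is expressed only as `lockdep_sock_is_held(sk)` inside `rcu_dereference_protected()`, a condition that is checked on lockdep-enabled builds only, so an unlocked caller of these exported symbols would update sk->sk_filter unserialised without any warning on a production kernel. I would add a line to the existing kernel-doc such as ` * The caller must hold the socket lock (lock_sock()).` and put a matching one-line comment above sk_detach_filter, which has no header comment in the visible context. The start of the sk_attach_filter comment and the middle of sk_detach_filter lie outside the hunks shown.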
