net: Prevent invalid access to skb->prev in __qdisc_drop_all

[mirror_ubuntu-bionic-kernel.git] / net / sched / cls_bpf.c

diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 8d78e7f4ecc33082517aaab5767a30c119f49dc0..d98f4e24f0df565b5ecf2b9edc2145199944b1f2 100644 (file)
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -49,10 +49,7 @@ struct cls_bpf_prog {
        struct sock_filter *bpf_ops;
        const char *bpf_name;
        struct tcf_proto *tp;
-       union {
-               struct work_struct work;
-               struct rcu_head rcu;
-       };
+       struct rcu_work rwork;
 };
 
 static const struct nla_policy bpf_policy[TCA_BPF_MAX + 1] = {
@@ -183,10 +180,17 @@ static int cls_bpf_offload_cmd(struct tcf_proto *tp, struct cls_bpf_prog *prog,
        return 0;
 }
 
+static u32 cls_bpf_flags(u32 flags)
+{
+       return flags & CLS_BPF_SUPPORTED_GEN_FLAGS;
+}
+
 static int cls_bpf_offload(struct tcf_proto *tp, struct cls_bpf_prog *prog,
                           struct cls_bpf_prog *oldprog)
 {
-       if (prog && oldprog && prog->gen_flags != oldprog->gen_flags)
+       if (prog && oldprog &&
+           cls_bpf_flags(prog->gen_flags) !=
+           cls_bpf_flags(oldprog->gen_flags))
                return -EINVAL;
 
        if (prog && tc_skip_hw(prog->gen_flags))
@@ -263,21 +267,14 @@ static void __cls_bpf_delete_prog(struct cls_bpf_prog *prog)
 
 static void cls_bpf_delete_prog_work(struct work_struct *work)
 {
-       struct cls_bpf_prog *prog = container_of(work, struct cls_bpf_prog, work);
-
+       struct cls_bpf_prog *prog = container_of(to_rcu_work(work),
+                                                struct cls_bpf_prog,
+                                                rwork);
        rtnl_lock();
        __cls_bpf_delete_prog(prog);
        rtnl_unlock();
 }
 
-static void cls_bpf_delete_prog_rcu(struct rcu_head *rcu)
-{
-       struct cls_bpf_prog *prog = container_of(rcu, struct cls_bpf_prog, rcu);
-
-       INIT_WORK(&prog->work, cls_bpf_delete_prog_work);
-       tcf_queue_work(&prog->work);
-}
-
 static void __cls_bpf_delete(struct tcf_proto *tp, struct cls_bpf_prog *prog)
 {
        struct cls_bpf_head *head = rtnl_dereference(tp->root);
@@ -287,7 +284,7 @@ static void __cls_bpf_delete(struct tcf_proto *tp, struct cls_bpf_prog *prog)
        list_del_rcu(&prog->link);
        tcf_unbind_filter(tp, &prog->res);
        if (tcf_exts_get_net(&prog->exts))
-               call_rcu(&prog->rcu, cls_bpf_delete_prog_rcu);
+               tcf_queue_work(&prog->rwork, cls_bpf_delete_prog_work);
        else
                __cls_bpf_delete_prog(prog);
 }
@@ -470,7 +467,7 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb,
        if (!prog)
                return -ENOBUFS;
 
-       ret = tcf_exts_init(&prog->exts, TCA_BPF_ACT, TCA_BPF_POLICE);
+       ret = tcf_exts_init(&prog->exts, net, TCA_BPF_ACT, TCA_BPF_POLICE);
        if (ret < 0)
                goto errout;
 
@@ -513,7 +510,7 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb,
                list_replace_rcu(&oldprog->link, &prog->link);
                tcf_unbind_filter(tp, &oldprog->res);
                tcf_exts_get_net(&oldprog->exts);
-               call_rcu(&oldprog->rcu, cls_bpf_delete_prog_rcu);
+               tcf_queue_work(&oldprog->rwork, cls_bpf_delete_prog_work);
        } else {
                list_add_rcu(&prog->link, &head->plist);
        }