From patchwork Wed Jul 12 23:43:58 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Xu X-Patchwork-Id: 119432 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:a6b2:0:b0:3e4:2afc:c1 with SMTP id c18csp1485568vqm; Wed, 12 Jul 2023 16:46:46 -0700 (PDT) X-Google-Smtp-Source: APBJJlELDS5CDF4QJbciEcfXe46TLPCWhWoMGMd5JhO43b17c1axFJvVwB/b4DijXcaxR1paQx4S X-Received: by 2002:a05:6a20:9707:b0:126:39ce:476b with SMTP id hr7-20020a056a20970700b0012639ce476bmr20005800pzc.12.1689205606528; Wed, 12 Jul 2023 16:46:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689205606; cv=none; d=google.com; s=arc-20160816; b=aZPhOlsJu8xck15wdTg7cYGUt586JwIo0BGI18lGAPv1mskqo4/XW6WE2YHoezuOls gmhlEVZEfb9vClLxUHMw+VSoQuvtMYeUhbUR2rPBPQXjZ3dP7u4kXLEv2x3tfzBTDf+l S+IcnNlzWnOsmWTSzwl1me7lK8FRczqR/dB9Mqe/dJqlfaWNgxX4oFGUQda03eCwIhhA XMZBdTFwbhregpns4utjfJ0W8f+uMvReAzdmsXTJu8LPSN0RKn5LK9ZRTRDcH7q+PQeI G9SWXCHBlSM1/CEOMbNRzQlu8Uon+QAmITBPR1EXTFCzEBt5Cz8yiFikzeeAXbDWqHUa /yYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :feedback-id:dkim-signature:dkim-signature; bh=shKW5OcxDhFb57xmBT1FA7jIb7rdvybkuN5mH5oxQFg=; fh=nrTb6pBTU8eM0r8kirJvwIrrBykTcGbKmfClbFFAgEk=; b=oOqzmVaE0GilmhaldtZEj8tuVvDxG1qfYiIVnEOm7h4jt2ZhdtipQ8SJArpEfNJprQ RuPMfryhLdNWp+sCG5gy4hyp3tV3JPuIPSKnjtESMpmsimMMTNmKn6xtLiM2K4v2r58W 9QWlwDdeb70X4tOILjqLoiNV9O+xEpH/ysaimhe8jypmgt4gDobZ3SIxsKIDHBoGef1c PjJR6dlLSmoMVCDN2412RAYC0Ne/TS2xpZCEPo4UbMn0IDBgNhbZtqdY+JVwjCUTkrI0 D67esHhl6kZo5ocqzRa1BzYM9Cgxc6RQLHwA0np5KAxisjYg6uXVfgFH60gLWEABT7SU 7Z1A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@dxuuu.xyz header.s=fm1 header.b=JoYFB9jz; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=p0nLqjnn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s8-20020a637708000000b005579e1fc429si3939222pgc.669.2023.07.12.16.46.32; Wed, 12 Jul 2023 16:46:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@dxuuu.xyz header.s=fm1 header.b=JoYFB9jz; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=p0nLqjnn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233160AbjGLXop (ORCPT + 99 others); Wed, 12 Jul 2023 19:44:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50162 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233108AbjGLXoj (ORCPT ); Wed, 12 Jul 2023 19:44:39 -0400 Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C05002118; Wed, 12 Jul 2023 16:44:36 -0700 (PDT) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id C911832000D7; Wed, 12 Jul 2023 19:44:34 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute1.internal (MEProxy); Wed, 12 Jul 2023 19:44:36 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dxuuu.xyz; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1689205474; x= 1689291874; bh=shKW5OcxDhFb57xmBT1FA7jIb7rdvybkuN5mH5oxQFg=; b=J oYFB9jzdk6CyiSw6dvUCc5wJVhSD6OicSWdM0mCjAflF7+Xilv0T38g/lSyabEuk iqlmJ0N15mo9gI/Wp88zHvTN+llE7mj3pqNv47PqpcQ8gPhFb0UXQg/h7N7De5VZ 9Za3DujA1Yj1Q8PL/Tf00nfWW/LP5ctA8JqDvG0zNMqY40VHfPxyHRUwTDiu8ubV QuUA2qImUp+55hF3y53f4juWMfXYWwp43uQ0mAboxrrbIH14gW2+drTSsnbhAoB5 pOrcqHR4LSWSEAdlwnVxj5RjvY6p0Nb7MTm0/snEhtTZG4dGEZCDq+WWJHqswzaS voz1ldLxI4oGrEo0qNoug== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1689205474; x= 1689291874; bh=shKW5OcxDhFb57xmBT1FA7jIb7rdvybkuN5mH5oxQFg=; b=p 0nLqjnnDxnsUKUNZrQIfqVy4o0AyjqL1WqSttklkxQH4u5tnemyZ7xqUhb4Y7jrc wbn4RMxwnzdsdy8ScC9huCipgRIMpXgne7YrFK73W4mMv6QdgiY4Pp0vDEB5cP3b Yb73xq1J10GtAvK1DCwfYZ1ZbG9bfE6Fk9iSUKD5RXwAUWRmJ5HAhJYGjSR2iSKE 47KOAi6P3ZYL/dMHzmD1WhHPE/XBHK6wOnlmF13SWtX8S87m1MlFxRESOqDKVnrm 5rmQnF7jSymdx2Xb9RHrsSCJv1qqNpBREEB862Jv4pfFn63FfMOtLcDhRZepqmar Gs6RS65ek7I9GgGcM5FDQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedviedrfeefgddvhecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecufghrlhcuvffnffculdefhedmnecujfgurhephffvve fufffkofgjfhgggfestdekredtredttdenucfhrhhomhepffgrnhhivghlucgiuhcuoegu gihusegugihuuhhurdighiiiqeenucggtffrrghtthgvrhhnpefgfefggeejhfduieekvd euteffleeifeeuvdfhheejleejjeekgfffgefhtddtteenucevlhhushhtvghrufhiiigv pedunecurfgrrhgrmhepmhgrihhlfhhrohhmpegugihusegugihuuhhurdighiii X-ME-Proxy: Feedback-ID: i6a694271:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 12 Jul 2023 19:44:33 -0400 (EDT) From: Daniel Xu To: fw@strlen.de, davem@davemloft.net, pabeni@redhat.com, pablo@netfilter.org, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, kadlec@netfilter.org, alexei.starovoitov@gmail.com, daniel@iogearbox.net Cc: netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org Subject: [PATCH bpf-next v4 3/6] netfilter: bpf: Prevent defrag module unload while link active Date: Wed, 12 Jul 2023 17:43:58 -0600 Message-ID: <0e98b06baa07cace9de45ed7c4e488903ada764e.1689203090.git.dxu@dxuuu.xyz> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1771260457988258956 X-GMAIL-MSGID: 1771260457988258956 While in practice we could handle the module being unloaded while a netfilter link (that requested defrag) was active, it's a better user experience to prevent the defrag module from going away. It would violate user expectations if fragmented packets started showing up if some other part of the system tried to unload defrag module. Reviewed-by: Florian Westphal Signed-off-by: Daniel Xu --- include/linux/netfilter.h | 3 +++ net/ipv4/netfilter/nf_defrag_ipv4.c | 1 + net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 1 + net/netfilter/nf_bpf_link.c | 25 +++++++++++++++++++++-- 4 files changed, 28 insertions(+), 2 deletions(-) diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 77a637b681f2..a160dc1e23bf 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -482,12 +483,14 @@ struct nfnl_ct_hook { extern const struct nfnl_ct_hook __rcu *nfnl_ct_hook; struct nf_defrag_v4_hook { + struct module *owner; int (*enable)(struct net *net); void (*disable)(struct net *net); }; extern const struct nf_defrag_v4_hook __rcu *nf_defrag_v4_hook; struct nf_defrag_v6_hook { + struct module *owner; int (*enable)(struct net *net); void (*disable)(struct net *net); }; diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c index 1f3e0e893b7a..fb133bf3131d 100644 --- a/net/ipv4/netfilter/nf_defrag_ipv4.c +++ b/net/ipv4/netfilter/nf_defrag_ipv4.c @@ -115,6 +115,7 @@ static void __net_exit defrag4_net_exit(struct net *net) } static const struct nf_defrag_v4_hook defrag_hook = { + .owner = THIS_MODULE, .enable = nf_defrag_ipv4_enable, .disable = nf_defrag_ipv4_disable, }; diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c index f7c7ee31c472..29d31721c9c0 100644 --- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c +++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c @@ -98,6 +98,7 @@ static void __net_exit defrag6_net_exit(struct net *net) } static const struct nf_defrag_v6_hook defrag_hook = { + .owner = THIS_MODULE, .enable = nf_defrag_ipv6_enable, .disable = nf_defrag_ipv6_disable, }; diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c index 5b72aa246577..77ffbf26ba3d 100644 --- a/net/netfilter/nf_bpf_link.c +++ b/net/netfilter/nf_bpf_link.c @@ -2,6 +2,7 @@ #include #include #include +#include #include #include @@ -53,7 +54,15 @@ static int bpf_nf_enable_defrag(struct bpf_nf_link *link) } } + /* Prevent defrag module from going away while in use */ + if (!try_module_get(v4_hook->owner)) { + err = -ENOENT; + goto out_v4; + } + err = v4_hook->enable(link->net); + if (err) + module_put(v4_hook->owner); out_v4: rcu_read_unlock(); return err; @@ -77,7 +86,15 @@ static int bpf_nf_enable_defrag(struct bpf_nf_link *link) } } + /* Prevent defrag module from going away while in use */ + if (!try_module_get(v6_hook->owner)) { + err = -ENOENT; + goto out_v6; + } + err = v6_hook->enable(link->net); + if (err) + module_put(v6_hook->owner); out_v6: rcu_read_unlock(); return err; @@ -97,8 +114,10 @@ static void bpf_nf_disable_defrag(struct bpf_nf_link *link) case NFPROTO_IPV4: rcu_read_lock(); v4_hook = rcu_dereference(nf_defrag_v4_hook); - if (v4_hook) + if (v4_hook) { v4_hook->disable(link->net); + module_put(v4_hook->owner); + } rcu_read_unlock(); break; @@ -107,8 +126,10 @@ static void bpf_nf_disable_defrag(struct bpf_nf_link *link) case NFPROTO_IPV6: rcu_read_lock(); v6_hook = rcu_dereference(nf_defrag_v6_hook); - if (v6_hook) + if (v6_hook) { v6_hook->disable(link->net); + module_put(v6_hook->owner); + } rcu_read_unlock(); break;