Hi Jamal,

On Sun, Jan 22, 2017 at 03:25:50PM -0500, Jamal Hadi Salim wrote:

...

> diff --git a/net/sched/act_api.c b/net/sched/act_api.c
> index cd08df9..58cf1c5 100644
> --- a/net/sched/act_api.c
> +++ b/net/sched/act_api.c
> @@ -24,6 +24,7 @@
>  #include <net/net_namespace.h>
>  #include <net/sock.h>
>  #include <net/sch_generic.h>
> +#include <net/pkt_cls.h>
>  #include <net/act_api.h>
>  #include <net/netlink.h>
>  
> @@ -33,6 +34,8 @@ static void free_tcf(struct rcu_head *head)
>  
>       free_percpu(p->cpu_bstats);
>       free_percpu(p->cpu_qstats);
> +     kfree(p->act_cookie->data);

Does the above need to be protected by a check for p->act_cookie being non-NULL?

> +     kfree(p->act_cookie);
>       kfree(p);
>  }
>  

...

> @@ -575,6 +584,33 @@ struct tc_action *tcf_action_init_1(struct net *net, 
> struct nlattr *nla,
>       if (err < 0)
>               goto err_mod;
>  
> +     if (tb[TCA_ACT_COOKIE]) {
> +             int cklen = nla_len(tb[TCA_ACT_COOKIE]);
> +
> +             if (cklen > TC_COOKIE_MAX_SIZE) {
> +                     err = -EINVAL;
> +                     tcf_hash_release(a, bind);
> +                     goto err_mod;
> +             }
> +
> +             a->act_cookie = kzalloc(sizeof(*a->act_cookie), GFP_KERNEL);
> +             if (!a->act_cookie) {
> +                     err = -ENOMEM;
> +                     tcf_hash_release(a, bind);
> +                     goto err_mod;
> +             }
> +
> +             a->act_cookie->data = nla_memdup(tb[TCA_ACT_COOKIE],
> +                                              GFP_KERNEL);
> +             if (!a->act_cookie->data) {
> +                     err = -ENOMEM;
> +                     kfree(a->act_cookie);
> +                     tcf_hash_release(a, bind);
> +                     goto err_mod;
> +             }
> +             a->act_cookie->len = cklen;

FWIW, the above looks correct but it also looks like the error handling
could be done less verbosely if the logic was moved to a separate function.

> +     }
> +
>       /* module count goes up only when brand new policy is created
>        * if it exists and is only bound to in a_o->init() then
>        * ACT_P_CREATED is not returned (a zero is).
> -- 
> 1.9.1
> 

Reply via email to