From: Davide Caratti <dcara...@redhat.com>
Date: Wed, 20 Mar 2019 14:59:58 +0100

> currently, the kernel checks for bad values of the control action in
> tcf_action_init_1(), after a successful call to the action's init()
> function. When the control action is 'goto chain', this causes two
> undesired behaviors:
>
> 1. "misconfigured action after replace that causes kernel crash":
> if users replace a valid TC action with another one having invalid
> control action, all the new configuration data (including the bad
> control action) are applied successfully, even if the kernel returned
> an error. As a consequence, it's possible to trigger a NULL pointer
> dereference in the traffic path of every TC action (1), replacing the
> control action with 'goto chain x', when chain <x> doesn't exist.
>
> 2. "refcount leak that makes kmemleak complain"
> when a valid 'goto chain' action is overwritten with another action,
> the kernel forgets to decrease refcounts in the chain.
>
> The above problems can be fixed if we validate the control action in each
> action's init() function, the same way as we are already doing for all the
> other configuration parameters.
> Now that chains can be released after an action is replaced, we need to
> care about concurrent access of 'goto_chain' pointer: ensure we access it
> through RCU, like we did with most action-specific configuration parameters.
>
> - Patch 1 removes the wrong checks and provides functions that can be
> used to properly validate control actions in individual actions
> - Patch 2 to 16 fix individual actions, and add TDC selftest code to
> verify the correct behavior (2)
> - Patch 17 and 18 fix concurrent access issues on 'goto_chain', that can be
> observed after the chain refcount leak is fixed.

Series applied, thanks.
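
An added example, not part of the original message or of the patch series: a userspace C model of the two problems in the quoted cover letter (configuration committed before the control action is validated, and the old chain's reference never dropped), next to the validate-first ordering the series adopts. Every name in it is hypothetical, and the RCU handling of 'goto_chain' is left out.

```c
/* Userspace model, constructed for illustration; hypothetical names, not kernel code. */
#include <stdio.h>
enum { ACT_OK, ACT_GOTO_CHAIN };
static struct chain { int exists, refcnt; } chains[4] = { {1, 0}, {1, 0} }; /* 2, 3 absent */
struct action { int ctrl, param; struct chain *goto_chain; };

/* Validate a control action and take a chain reference without touching the action. */
static int check_ctrl(int ctrl, int idx, struct chain **out)
{
    *out = NULL;
    if (ctrl != ACT_GOTO_CHAIN)
        return 0;
    if (idx < 0 || idx >= 4 || !chains[idx].exists)
        return -1;                      /* 'goto chain x' but chain x is missing */
    chains[idx].refcnt++;
    *out = &chains[idx];
    return 0;
}

/* Old order: commit first, validate afterwards. */
static int replace_late_check(struct action *a, int ctrl, int idx, int param)
{
    a->param = param;
    a->ctrl = ctrl;                     /* bad control action is already live */
    return check_ctrl(ctrl, idx, &a->goto_chain); /* old chain ref overwritten, never dropped */
}

/* Fixed order: validate first, commit only on success, then release the old chain. */
static int replace_early_check(struct action *a, int ctrl, int idx, int param)
{
    struct chain *newc, *oldc = a->goto_chain;
    if (check_ctrl(ctrl, idx, &newc) < 0)
        return -1;                      /* action left exactly as it was */
    a->param = param;
    a->ctrl = ctrl;
    a->goto_chain = newc;
    if (oldc) oldc->refcnt--;           /* drop the reference held on the replaced chain */
    return 0;
}

/* Traffic-path invariant: a 'goto chain' action must have a chain to jump to. */
static int act_is_safe(const struct action *a) { return a->ctrl != ACT_GOTO_CHAIN || a->goto_chain; }

int main(void)
{
    struct action a = { ACT_OK, 0, NULL }, b = { ACT_OK, 0, NULL };
    int ea = replace_late_check(&a, ACT_GOTO_CHAIN, 2, 7);
    int eb = replace_early_check(&b, ACT_GOTO_CHAIN, 2, 7);
    printf("late: err=%d safe=%d  early: err=%d safe=%d\n", ea, act_is_safe(&a), eb, act_is_safe(&b));
    return 0;
}
```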