net/sched: act_police: disallow 'goto chain' on fallback control action
authorDavide Caratti <dcaratti@redhat.com>
Sat, 20 Oct 2018 21:33:08 +0000 (23:33 +0200)
committerDavid S. Miller <davem@davemloft.net>
Tue, 23 Oct 2018 02:42:50 +0000 (19:42 -0700)
in the following command:

 # tc action add action police rate <r> burst <b> conform-exceed <c1>/<c2>

'goto chain x' is allowed only for c1: setting it for c2 makes the kernel
crash with NULL pointer dereference, since TC core doesn't initialize the
chain handle.

Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/act_police.c

index 92649d2667ed1d8091d35ea755c0579ba5dcd587..052855d47354232f1c5d4762763367d638d96574 100644 (file)
@@ -185,8 +185,6 @@ static int tcf_police_init(struct net *net, struct nlattr *nla,
                new->peak_present = false;
        }
 
                new->peak_present = false;
        }
 
-       if (tb[TCA_POLICE_RESULT])
-               new->tcfp_result = nla_get_u32(tb[TCA_POLICE_RESULT]);
        new->tcfp_burst = PSCHED_TICKS2NS(parm->burst);
        new->tcfp_toks = new->tcfp_burst;
        if (new->peak_present) {
        new->tcfp_burst = PSCHED_TICKS2NS(parm->burst);
        new->tcfp_toks = new->tcfp_burst;
        if (new->peak_present) {
@@ -198,6 +196,16 @@ static int tcf_police_init(struct net *net, struct nlattr *nla,
        if (tb[TCA_POLICE_AVRATE])
                new->tcfp_ewma_rate = nla_get_u32(tb[TCA_POLICE_AVRATE]);
 
        if (tb[TCA_POLICE_AVRATE])
                new->tcfp_ewma_rate = nla_get_u32(tb[TCA_POLICE_AVRATE]);
 
+       if (tb[TCA_POLICE_RESULT]) {
+               new->tcfp_result = nla_get_u32(tb[TCA_POLICE_RESULT]);
+               if (TC_ACT_EXT_CMP(new->tcfp_result, TC_ACT_GOTO_CHAIN)) {
+                       NL_SET_ERR_MSG(extack,
+                                      "goto chain not allowed on fallback");
+                       err = -EINVAL;
+                       goto failure;
+               }
+       }
+
        spin_lock_bh(&police->tcf_lock);
        new->tcfp_t_c = ktime_get_ns();
        police->tcf_action = parm->action;
        spin_lock_bh(&police->tcf_lock);
        new->tcfp_t_c = ktime_get_ns();
        police->tcf_action = parm->action;