Daniel Borkmann 28e6b67f0b net: sched: fix refcount imbalance in actions ... Since commit 55334a5db5 ("net_sched: act: refuse to remove bound action outside"), we end up with a wrong reference count for a tc action. Test case 1: FOO="1,6 0 0 4294967295," BAR="1,6 0 0 4294967294," tc filter add dev foo parent 1: bpf bytecode "$FOO" flowid 1:1 \ action bpf bytecode "$FOO" tc actions show action bpf action order 0: bpf bytecode '1,6 0 0 4294967295' default-action pipe index 1 ref 1 bind 1 tc actions replace action bpf bytecode "$BAR" index 1 tc actions show action bpf action order 0: bpf bytecode '1,6 0 0 4294967294' default-action pipe index 1 ref 2 bind 1 tc actions replace action bpf bytecode "$FOO" index 1 tc actions show action bpf action order 0: bpf bytecode '1,6 0 0 4294967295' default-action pipe index 1 ref 3 bind 1 Test case 2: FOO="1,6 0 0 4294967295," tc filter add dev foo parent 1: bpf bytecode "$FOO" flowid 1:1 action ok tc actions show action gact action order 0: gact action pass random type none pass val 0 index 1 ref 1 bind 1 tc actions add action drop index 1 RTNETLINK answers: File exists [...] tc actions show action gact action order 0: gact action pass random type none pass val 0 index 1 ref 2 bind 1 tc actions add action drop index 1 RTNETLINK answers: File exists [...] tc actions show action gact action order 0: gact action pass random type none pass val 0 index 1 ref 3 bind 1 What happens is that in tcf_hash_check(), we check tcf_common for a given index and increase tcfc_refcnt and conditionally tcfc_bindcnt when we've found an existing action. Now there are the following cases: 1) We do a late binding of an action. In that case, we leave the tcfc_refcnt/tcfc_bindcnt increased and are done with the ->init() handler. This is correctly handeled. 2) We replace the given action, or we try to add one without replacing and find out that the action at a specific index already exists (thus, we go out with error in that case). In case of 2), we have to undo the reference count increase from tcf_hash_check() in the tcf_hash_check() function. Currently, we fail to do so because of the 'tcfc_bindcnt > 0' check which bails out early with an -EPERM error. Now, while commit 55334a5db5 prevents 'tc actions del action ...' on an already classifier-bound action to drop the reference count (which could then become negative, wrap around etc), this restriction only accounts for invocations outside a specific action's ->init() handler. One possible solution would be to add a flag thus we possibly trigger the -EPERM ony in situations where it is indeed relevant. After the patch, above test cases have correct reference count again. Fixes: 55334a5db5 ("net_sched: act: refuse to remove bound action outside") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Cong Wang <cwang@twopensource.com> Signed-off-by: David S. Miller <davem@davemloft.net>		2015-07-30 14:20:39 -07:00
..
9p
bluetooth
caif
irda
iucv
netfilter	netfilter: fix netns dependencies with conntrack templates	2015-07-20 14:58:19 +02:00
netns	netfilter: fix netns dependencies with conntrack templates	2015-07-20 14:58:19 +02:00
nfc
phonet
sctp
tc_act
6lowpan.h
act_api.h	net: sched: fix refcount imbalance in actions	2015-07-30 14:20:39 -07:00
addrconf.h
af_ieee802154.h
af_rxrpc.h
af_unix.h
af_vsock.h
ah.h
arp.h
atmclip.h
ax25.h
ax88796.h
bond_3ad.h
bond_alb.h
bond_options.h
bonding.h
busy_poll.h
cfg80211-wext.h
cfg80211.h	cfg80211: use RTNL locked reg_can_beacon for IR-relaxation	2015-07-17 15:02:02 +02:00
cfg802154.h
checksum.h
cipso_ipv4.h
cls_cgroup.h
codel.h
compat.h
datalink.h
dcbevent.h
dcbnl.h
dn.h
dn_dev.h
dn_fib.h
dn_neigh.h
dn_nsp.h
dn_route.h
dsa.h
dsfield.h
dst.h
dst_ops.h
esp.h
ethoc.h
fib_rules.h
firewire.h
flow.h
flow_dissector.h
flowcache.h
fou.h
garp.h
gen_stats.h
genetlink.h
geneve.h
gre.h
gro_cells.h
gue.h
icmp.h
ieee80211_radiotap.h
ieee802154_netdev.h
if_inet6.h
inet6_connection_sock.h
inet6_hashtables.h
inet_common.h
inet_connection_sock.h
inet_ecn.h
inet_frag.h	inet: frags: remove INET_FRAG_EVICTED and use list_evictor for the test	2015-07-26 21:00:15 -07:00
inet_hashtables.h
inet_sock.h
inet_timewait_sock.h
inetpeer.h
ip.h	ipv6: lock socket in ip6_datagram_connect()	2015-07-15 17:25:51 -07:00
ip6_checksum.h
ip6_fib.h
ip6_route.h
ip6_tunnel.h
ip_fib.h	ipv4: consider TOS in fib_select_default	2015-07-24 22:46:11 -07:00
ip_tunnels.h
ip_vs.h
ipcomp.h
ipconfig.h
ipv6.h
ipx.h
iw_handler.h
lapb.h
lib80211.h
llc.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
mac80211.h
mac802154.h
mip6.h
mld.h
mpls.h
mrp.h
ndisc.h
neighbour.h
net_namespace.h
net_ratelimit.h
netevent.h
netlabel.h
netlink.h
netprio_cgroup.h
netrom.h
nexthop.h
nl802154.h
p8022.h
ping.h
pkt_cls.h
pkt_sched.h
protocol.h
psnap.h
raw.h
rawv6.h
red.h
regulatory.h
request_sock.h
rose.h
route.h
rtnetlink.h
sch_generic.h
scm.h
secure_seq.h
slhc_vj.h
snmp.h
sock.h	tcp: fix recv with flags MSG_WAITALL | MSG_PEEK	2015-07-27 01:06:53 -07:00
Space.h
stp.h
switchdev.h
tcp.h
tcp_memcontrol.h
tcp_states.h
timewait_sock.h
transp_v6.h
tso.h
udp.h
udp_tunnel.h
udplite.h
vsock_addr.h
vxlan.h
wext.h
wimax.h
x25.h
x25device.h
xfrm.h