On Mon, Mar 29, 2021 at 02:35:12PM IST, Vlad Buslov wrote:
> it seems that there are two ways actions are overwritten/deleted:
>
> 1. Directly through action API, which is still serialized by rtnl lock.
>
> 2. Classifier API, which doesn't use rtnl lock anymore and can execute
> concurrently.
>
> Actions created by path 2 also have their bind count incremented which
> prevents them from being deleted by path 1 and cls API can only delete
> them together with classifier that points to them.
>
> [...]
> So, what happens here is actions were 'deleted' concurrently (their
> tcfa_refcnt decremented by 1)? tcf_action_put_many() will decrement
> refcnt again, it will reach 0, actions get actually deleted and
> tcf_exts_validate() returns with non-error code, but exts->actions
> pointing to freed memory? Doesn't look like the patches fix the
> described issue, unless I'm missing something.
>
Thanks for the review and comments. You are absolutely right. This patch was totally broken. Your feedback however was quite helpful in understanding the code. I sent a v2, please lmk if it's correct (also with a hopefully thorough description of the problem & solution).

--
Kartikeya