From: Vlad Buslov <[email protected]>
Date: Tue, 27 Aug 2019 21:49:38 +0300
> Action sample doesn't properly handle psample_group pointer in overwrite
> case. Following issues need to be fixed:
>
> - In tcf_sample_init() function RCU_INIT_POINTER() is used to set
> s->psample_group, even though we are neither setting the pointer to NULL, nor
> preventing concurrent readers from accessing the pointer in some way.
> Use rcu_swap_protected() instead to safely reset the pointer.
>
> - Old value of s->psample_group is not released or deallocated in any way,
> which results in a resource leak. Use psample_group_put() on non-NULL value
> obtained with rcu_swap_protected().
>
> - The function psample_group_put() that released reference to struct
> psample_group pointed to by rcu-pointer s->psample_group doesn't respect rcu
> grace period when deallocating it. Extend struct psample_group with rcu
> head and use kfree_rcu when freeing it.
>
> Fixes: 5c5670fae430 ("net/sched: Introduce sample tc action")
> Signed-off-by: Vlad Buslov <[email protected]>

Applied and queued up for -stable.
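
Added example, not part of the patch or of this thread: a single-threaded userspace C model of the overwrite path the commit message describes (swap the pointer, put the old reference, defer the free past the grace period). All names are hypothetical and the `freed` flag stands in for the actual release of memory; it models the ordering only, not real RCU concurrency.

```c
/* Constructed single-threaded userspace model; all names are hypothetical. */
struct group {
    int refcnt, group_num, freed;
    struct group *next_deferred;  /* stands in for the added rcu head */
};
struct action { struct group *grp; };  /* models s->psample_group */

static struct group *deferred;  /* groups waiting for a grace period */

/* Models psample_group_put() + kfree_rcu(): the last put defers the free. */
static void group_put(struct group *g)
{
    if (g && --g->refcnt == 0) {
        g->next_deferred = deferred;
        deferred = g;
    }
}

/* Models the end of a grace period: no reader holds old pointers now. */
static void grace_period_end(void)
{
    for (; deferred; deferred = deferred->next_deferred)
        deferred->freed = 1;  /* where the memory would be released */
}

/* Overwrite path: swap in the new group, then release the old one. */
static void action_overwrite(struct action *a, struct group *new_grp)
{
    struct group *old = a->grp;  /* models rcu_swap_protected() */
    a->grp = new_grp;
    group_put(old);              /* without this the old group leaks */
}

/* A reader loads the pointer before the overwrite and uses it afterwards.
 * Returns 1 if the old group was still live at that point and was
 * released once the grace period ended, 0 otherwise. */
static int overwrite_is_safe(void)
{
    struct group g1 = { .refcnt = 1, .group_num = 1 };
    struct group g2 = { .refcnt = 1, .group_num = 2 };
    struct action a = { &g1 };
    struct group *reader_view = a.grp;      /* reader in read-side section */

    action_overwrite(&a, &g2);
    int live_during_read = !reader_view->freed && reader_view->group_num == 1;
    grace_period_end();                     /* reader has finished */
    return live_during_read && g1.freed && !g2.freed && a.grp == &g2;
}
```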