From: Vlad Buslov <vla...@mellanox.com>
Date: Tue, 27 Aug 2019 21:49:38 +0300

> Action sample doesn't properly handle psample_group pointer in overwrite
> case. Following issues need to be fixed:
>
> - In tcf_sample_init() function RCU_INIT_POINTER() is used to set
>   s->psample_group, even though we are neither setting the pointer to NULL, nor
>   preventing concurrent readers from accessing the pointer in some way.
>   Use rcu_swap_protected() instead to safely reset the pointer.
>
> - Old value of s->psample_group is not released or deallocated in any way,
>   which results in a resource leak. Use psample_group_put() on non-NULL value
>   obtained with rcu_swap_protected().
>
> - The function psample_group_put() that released reference to struct
>   psample_group pointed to by rcu-pointer s->psample_group doesn't respect rcu
>   grace period when deallocating it. Extend struct psample_group with rcu
>   head and use kfree_rcu when freeing it.
>
> Fixes: 5c5670fae430 ("net/sched: Introduce sample tc action")
> Signed-off-by: Vlad Buslov <vla...@mellanox.com>

Applied and queued up for -stable.
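
The overwrite path described in the quoted commit message, as an added single-threaded userspace model in C; it is not code from the patch or the kernel. All names are hypothetical, and the grace period is simulated by an explicit call instead of real RCU.

```c
/* Userspace model, not kernel code; every name here is hypothetical. */
#include <stdlib.h>

struct group { int refcnt, rate; struct group *next; }; /* next ~ rcu_head */
struct action { struct group *grp; };          /* ~ s->psample_group */
static struct group *deferred;  /* freed only when the grace period ends */
static int live_groups;         /* allocations not yet freed */

struct group *group_get(int rate) {
    struct group *g = calloc(1, sizeof(*g));
    if (!g) abort();
    g->refcnt = 1; g->rate = rate;
    live_groups++;
    return g;
}

/* ~ psample_group_put() with kfree_rcu(): queue the free, never free inline. */
void group_put(struct group *g) {
    if (g && --g->refcnt == 0) { g->next = deferred; deferred = g; }
}

/* Overwrite path: swap the pointer (~ rcu_swap_protected()), drop the old. */
void action_set_group(struct action *a, struct group *new_grp) {
    struct group *old = a->grp;
    a->grp = new_grp;
    group_put(old);             /* omitting this leaks the old group */
}

/* ~ end of grace period: no reader can still hold a queued pointer. */
int grace_period_end(void) {
    int freed = 0;
    while (deferred) {
        struct group *g = deferred;
        deferred = g->next;
        free(g);
        live_groups--; freed++;
    }
    return freed;
}

int live_group_count(void) { return live_groups; }

/* A reader that fetched the pointer before the overwrite still reads 10. */
int demo_reader_sees(void) {
    static struct action act;
    struct group *r = act.grp = group_get(10);
    action_set_group(&act, group_get(20));
    return r->rate;             /* valid: the old group is only queued */
}

int main(void) { return demo_reader_sees() == 10 ? 0 : 1; }
```

If `group_put()` called `free()` directly, the read in `demo_reader_sees()` would be a use-after-free, which is the third issue the commit message lists.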