net/sched: act_police: disallow 'goto chain' on fallback control action

in the following command:

 # tc action add action police rate <r> burst <b> conform-exceed <c1>/<c2>

'goto chain x' is allowed only for c1: setting it for c2 makes the kernel
crash with NULL pointer dereference, since TC core doesn't initialize the
chain handle.

Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 10 insertions, 2 deletions

diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index 92649d2667ed..052855d47354 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -185,8 +185,6 @@ static int tcf_police_init(struct net *net, struct nlattr *nla,
 		new->peak_present = false;
 	}
 
-	if (tb[TCA_POLICE_RESULT])
-		new->tcfp_result = nla_get_u32(tb[TCA_POLICE_RESULT]);
 	new->tcfp_burst = PSCHED_TICKS2NS(parm->burst);
 	new->tcfp_toks = new->tcfp_burst;
 	if (new->peak_present) {
@@ -198,6 +196,16 @@ static int tcf_police_init(struct net *net, struct nlattr *nla,
 	if (tb[TCA_POLICE_AVRATE])
 		new->tcfp_ewma_rate = nla_get_u32(tb[TCA_POLICE_AVRATE]);
 
+	if (tb[TCA_POLICE_RESULT]) {
+		new->tcfp_result = nla_get_u32(tb[TCA_POLICE_RESULT]);
+		if (TC_ACT_EXT_CMP(new->tcfp_result, TC_ACT_GOTO_CHAIN)) {
+			NL_SET_ERR_MSG(extack,
+				       "goto chain not allowed on fallback");
+			err = -EINVAL;
+			goto failure;
+		}
+	}
+
 	spin_lock_bh(&police->tcf_lock);
 	new->tcfp_t_c = ktime_get_ns();
 	police->tcf_action = parm->action;