net: sched: act_sample: fix psample group handling on overwrite [Linux 4.19.72]

This Linux kernel change "net: sched: act_sample: fix psample group handling on overwrite" is included in the Linux 4.19.72 release. This change was authored by Vlad Buslov <vladbu [at]> on Tue Aug 27 21:49:38 2019 +0300. The commit for this change in the Linux stable tree is 5ff0ab0 (patch), which is from upstream commit dbf47a2. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream dbf47a2.

net: sched: act_sample: fix psample group handling on overwrite

[ Upstream commit dbf47a2a094edf58983265e323ca4bdcdb58b5ee ]

Action sample doesn't properly handle psample_group pointer in overwrite
case. Following issues need to be fixed:

- In tcf_sample_init() function RCU_INIT_POINTER() is used to set
  s->psample_group, even though we are neither setting the pointer to NULL, nor
  preventing concurrent readers from accessing the pointer in some way.
  Use rcu_swap_protected() instead to safely reset the pointer.

- Old value of s->psample_group is not released or deallocated in any way,
  which results in a resource leak. Use psample_group_put() on non-NULL value
  obtained with rcu_swap_protected().

- The function psample_group_put() that released reference to struct
  psample_group pointed by rcu-pointer s->psample_group doesn't respect rcu
  grace period when deallocating it. Extend struct psample_group with rcu
  head and use kfree_rcu when freeing it.

Fixes: 5c5670fae430 ("net/sched: Introduce sample tc action")
Signed-off-by: Vlad Buslov <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>

There are 8 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 include/net/psample.h  | 1 +
 net/psample/psample.c  | 2 +-
 net/sched/act_sample.c | 5 ++++-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/net/psample.h b/include/net/psample.h
index 9b80f81..94cb37a 100644
--- a/include/net/psample.h
+++ b/include/net/psample.h
@@ -12,6 +12,7 @@ struct psample_group {
    u32 group_num;
    u32 refcount;
    u32 seq;
+   struct rcu_head rcu;

 struct psample_group *psample_group_get(struct net *net, u32 group_num);
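
Review bot: The new `struct rcu_head rcu;` member at the end of struct psample_group has no comment, and nothing in the header tells a reader that the structure is now freed after a grace period. A one-line comment on the field (for example, that it is used by kfree_rcu() in psample_group_destroy()) would document the lifetime rule next to the data. Note also that `refcount` on the context line is a plain u32 rather than an atomic or refcount_t, so deferring the free does not make get/put safe on its own; callers still depend on whatever lock serializes psample_group_get() and psample_group_put().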
diff --git a/net/psample/psample.c b/net/psample/psample.c
index 64f9562..4cea3532 100644
--- a/net/psample/psample.c
+++ b/net/psample/psample.c
@@ -156,7 +156,7 @@ static void psample_group_destroy(struct psample_group *group)
    psample_group_notify(group, PSAMPLE_CMD_DEL_GROUP);
-   kfree(group);
+   kfree_rcu(group, rcu);

 static struct psample_group *
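
Review bot: At the `kfree_rcu(group, rcu);` line in psample_group_destroy(), a short comment is missing that explains why the free must be deferred, namely that s->psample_group in act_sample is read through an RCU-protected pointer and a reader may still hold the group after the last reference is dropped. It is also worth stating in that comment that psample_group_notify(group, PSAMPLE_CMD_DEL_GROUP) is emitted before the grace period ends, so the delete notification precedes the actual release of the memory. The lines shown here do not include the step that unlinks the group from lookup; please confirm it runs before kfree_rcu() so that no new reader can find the group during the grace period.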
diff --git a/net/sched/act_sample.c b/net/sched/act_sample.c
index ac37654..34ff6c3 100644
--- a/net/sched/act_sample.c
+++ b/net/sched/act_sample.c
@@ -99,7 +99,8 @@ static int tcf_sample_init(struct net *net, struct nlattr *nla,
    s->tcf_action = parm->action;
    s->rate = rate;
    s->psample_group_num = psample_group_num;
-   RCU_INIT_POINTER(s->psample_group, psample_group);
+   rcu_swap_protected(s->psample_group, psample_group,
+              lockdep_is_held(&s->tcf_lock));

    if (tb[TCA_SAMPLE_TRUNC_SIZE]) {
        s->truncate = true;
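
Review bot: The `lockdep_is_held(&s->tcf_lock)` condition passed to rcu_swap_protected() is only evaluated on lockdep-enabled builds, and the lines visible in this hunk do not show s->tcf_lock being taken before the assignments to s->tcf_action, s->rate and s->psample_group_num. Please confirm that the lock is held across this whole block in the 4.19 backport, since otherwise the swap has no update-side protection and the condition only documents an assumption. A comment at the swap noting that `psample_group` holds the previous group (or NULL) from this point on would also help, because the same local is the new group on the lines above.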
@@ -107,6 +108,8 @@ static int tcf_sample_init(struct net *net, struct nlattr *nla,

+   if (psample_group)
+       psample_group_put(psample_group);
    if (ret == ACT_P_CREATED)
        tcf_idr_insert(tn, *a);
    return ret;
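
Review bot: The `if (psample_group)` check before psample_group_put() reads as if it tested the newly looked-up group, while after the rcu_swap_protected() in the previous hunk the variable actually holds the old value of s->psample_group. Either add a comment such as "release the group replaced by the swap" or introduce a separately named local for the old pointer, so that a later change does not reintroduce the leak or drop the reference on the wrong group. The put is placed before the `ret == ACT_P_CREATED` branch, which is correct for both paths, since on creation the old pointer is expected to be NULL and the check skips the put.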
