From mboxrd@z Thu Jan 1 00:00:00 1970
From: Cong Wang
Subject: Re: [PATCH net-next v6 11/11] net: sched: change action API to use array of pointers to actions
Date: Tue, 7 Aug 2018 16:26:13 -0700
Message-ID:
References: <1530800673-12280-1-git-send-email-vladbu@mellanox.com> <1530800673-12280-12-git-send-email-vladbu@mellanox.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Cc: Linux Kernel Network Developers , David Miller , Jamal Hadi Salim , Jiri Pirko , Alexei Starovoitov , Daniel Borkmann , Yevgeny Kliteynik
To: Vlad Buslov
Return-path:
Received: from mail-pf1-f194.google.com ([209.85.210.194]:40218 "EHLO mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726953AbeHHBnJ (ORCPT ); Tue, 7 Aug 2018 21:43:09 -0400
Received: by mail-pf1-f194.google.com with SMTP id e13-v6so164458pff.7 for ; Tue, 07 Aug 2018 16:26:25 -0700 (PDT)
In-Reply-To: <1530800673-12280-12-git-send-email-vladbu@mellanox.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

On Thu, Jul 5, 2018 at 7:24 AM Vlad Buslov wrote:
> attr_size = tcf_action_full_attrs_size(attr_size); > > if (event == RTM_GETACTION) > - ret = tcf_get_notify(net, portid, n, &actions, event, extack); > + ret = tcf_get_notify(net, portid, n, actions, event, extack); > else { /* delete */ > - ret = tcf_del_notify(net, n, &actions, portid, attr_size, extack); > + ret = tcf_del_notify(net, n, actions, &acts_deleted, portid, > + attr_size, extack); > if (ret) > goto err; > return ret; > } > err: > - tcf_action_put_lst(&actions); > + tcf_action_put_many(&actions[acts_deleted]); > return ret;

How does this even work? You save an index in 'acts_deleted', but you pass &actions[acts_deleted] to tcf_action_put_many(), which seems you want to start from where it fails, but inside tcf_action_put_many() it starts from 0 to TCA_ACT_MAX_PRIO, out-of-bound access at least?
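
Review bot: At the err: label, tcf_action_put_many(&actions[acts_deleted]) hands the callee a pointer offset into actions, so whatever bound the callee uses has to account for that offset. If tcf_action_put_many() walks a fixed TCA_ACT_MAX_PRIO entries from the pointer it receives, as the reply describes, any acts_deleted > 0 makes it read past the end of the array unless the loop stops at a NULL entry and actions is guaranteed to keep a NULL terminator slot. Suggest either passing the remaining count explicitly or documenting and enforcing the NULL-terminated contract where actions is declared. Separately, the RTM_GETACTION branch falls through to err: without tcf_get_notify() ever writing acts_deleted, so it has to be initialised to 0 at its declaration, which this hunk does not show.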