tca_get_fill function has 'bind' and 'ref' arguments that get passed down to action dump function. These argument values are subtracted from actual reference and bind counter values before writing them to skb.

In order to prevent concurrent action delete, RTM_GETACTION handler acquires a reference to action before 'dumping' it and releases it afterwards. This reference is temporal and should not be accounted by userspace clients (both logically and to preserve current API behavior).

Use existing infrastructure of tca_get_fill arguments to subtract that temporary reference and not expose it to userspace.

Signed-off-by: Vlad Buslov <vladbu@xxxxxxxxxxxx>

--- net/sched/act_api.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/sched/act_api.c b/net/sched/act_api.c index 3f02cd1..2772276e 100644 --- a/net/sched/act_api.c +++ b/net/sched/act_api.c @@ -935,7 +935,7 @@ tcf_get_notify(struct net *net, u32 portid, struct nlmsghdr *n, if (!skb) return -ENOBUFS; if (tca_get_fill(skb, actions, portid, n->nlmsg_seq, 0, event, - 0, 0) <= 0) { + 0, 1) <= 0) { NL_SET_ERR_MSG(extack, "Failed to fill netlink attributes while adding TC action"); kfree_skb(skb); return -EINVAL; @@ -1125,7 +1125,7 @@ tcf_del_notify(struct net *net, struct nlmsghdr *n, struct list_head *actions, return -ENOBUFS; if (tca_get_fill(skb, actions, portid, n->nlmsg_seq, 0, RTM_DELACTION, - 0, 1) <= 0) { + 0, 2) <= 0) { NL_SET_ERR_MSG(extack, "Failed to fill netlink TC action attributes"); kfree_skb(skb); return -EINVAL; -- 2.7.5
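
Review bot: in the tcf_get_notify hunk, the bare literal 1 now passed as the last ('ref') argument of tca_get_fill carries no comment saying which reference it cancels. A one-line comment at the call, or a named constant, stating that it subtracts the temporary reference the RTM_GETACTION handler holds while dumping would stop a later reader from "correcting" it back to 0. Separately, the unchanged NL_SET_ERR_MSG text in this hunk says "while adding TC action" although the function is the get notification path; that wording is worth fixing in a follow-up.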
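
Review bot: in the tcf_del_notify hunk, the change of the last tca_get_fill argument from 1 to 2 is not covered by the commit message, which only describes the temporary reference taken by the RTM_GETACTION handler while this call emits RTM_DELACTION. If the delete path holds the same kind of temporary reference on top of the one already being subtracted, say so in the message and in a comment at the call, so that each of the two subtracted references is accounted for in the record.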