From: Davide Caratti <dcaratti@redhat.com>
Date: Sat, 20 Oct 2018 23:33:08 +0200
Subject: net/sched: act_police: disallow 'goto chain' on fallback control
 action
Patch-mainline: v4.20-rc1
Git-commit: c08f5ed5d625926f38552b734b587a28e947b55c
References: bsc#1109837

in the following command:

 # tc action add action police rate <r> burst <b> conform-exceed <c1>/<c2>

'goto chain x' is allowed only for c1: setting it for c2 makes the kernel
crash with NULL pointer dereference, since TC core doesn't initialize the
chain handle.

Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
 net/sched/act_police.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -185,8 +185,6 @@ static int tcf_police_init(struct net *n
 		new->peak_present = false;
 	}
 
-	if (tb[TCA_POLICE_RESULT])
-		new->tcfp_result = nla_get_u32(tb[TCA_POLICE_RESULT]);
 	new->tcfp_burst = PSCHED_TICKS2NS(parm->burst);
 	new->tcfp_toks = new->tcfp_burst;
 	if (new->peak_present) {
@@ -198,6 +196,16 @@ static int tcf_police_init(struct net *n
 	if (tb[TCA_POLICE_AVRATE])
 		new->tcfp_ewma_rate = nla_get_u32(tb[TCA_POLICE_AVRATE]);
 
+	if (tb[TCA_POLICE_RESULT]) {
+		new->tcfp_result = nla_get_u32(tb[TCA_POLICE_RESULT]);
+		if (TC_ACT_EXT_CMP(new->tcfp_result, TC_ACT_GOTO_CHAIN)) {
+			NL_SET_ERR_MSG(extack,
+				       "goto chain not allowed on fallback");
+			err = -EINVAL;
+			goto failure;
+		}
+	}
+
 	spin_lock_bh(&police->tcf_lock);
 	new->tcfp_t_c = ktime_get_ns();
 	police->tcf_action = parm->action;
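
Review bot: the new "goto failure" under the TC_ACT_GOTO_CHAIN check runs after several fields of "new" have already been filled in (tcfp_burst, tcfp_toks, tcfp_ewma_rate), and the "failure" label is not visible in this hunk, so please confirm that path releases whatever was allocated for "new". Placing the check before spin_lock_bh(&police->tcf_lock) is correct, since the error exit then never holds the lock. Two smaller points: the extack string "goto chain not allowed on fallback" could name the second conform-exceed action so that a tc user can map it back to the command line, and since the diffstat touches only net/sched/act_police.c, a regression test that expects -EINVAL for a goto chain in the c2 position would keep this from regressing.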