net: Make consumed action consistent in sch_handle_egress

borkmann · davem330 · commit 3a1e2f43985a · 2023-08-28T10:18:03.000+01:00
While looking at TC_ACT_* handling, the TC_ACT_CONSUMED is only handled in sch_handle_ingress but not sch_handle_egress. This was added via cd11b16 ("net/tc: introduce TC_ACT_REINSERT.") and e5cf1ba ("act_mirred: use TC_ACT_REINSERT when possible") and later got renamed into TC_ACT_CONSUMED via 720f22f ("net: sched: refactor reinsert action"). The initial work was targeted for ovs back then and only needed on ingress, and the mirred action module also restricts it to only that. However, given it's an API contract it would still make sense to make this consistent to sch_handle_ingress and handle it on egress side in the same way, that is, setting return code to "success" and returning NULL back to the caller as otherwise an action module sitting on egress returning TC_ACT_CONSUMED could lead to an UAF when untreated. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/core/dev.c b/net/core/dev.c
@@ -4062,6 +4062,8 @@ sch_handle_egress(struct sk_buff *skb, int *ret, struct net_device *dev)
 	case TC_ACT_QUEUED:
 	case TC_ACT_TRAP:
 		consume_skb(skb);
+		fallthrough;
+	case TC_ACT_CONSUMED:
 		*ret = NET_XMIT_SUCCESS;
 		return NULL;
 	}

Original file line number	Diff line number	Diff line change
`@@ -4062,6 +4062,8 @@ sch_handle_egress(struct sk_buff skb, int ret, struct net_device *dev)`
`4062`	`4062`	`case TC_ACT_QUEUED:`
`4063`	`4063`	`case TC_ACT_TRAP:`
`4064`	`4064`	`consume_skb(skb);`
	`4065`	`+ fallthrough;`
	`4066`	`+ case TC_ACT_CONSUMED:`
`4065`	`4067`	`*ret = NET_XMIT_SUCCESS;`
`4066`	`4068`	`return NULL;`
`4067`	`4069`	`}`