On Fri, May 29, 2009 at 07:48:12AM +0000, Jarek Poplawski wrote:

On 29-05-2009 07:18, Minoru Usui wrote:

...

quoted

I investigated this problem, and I found a bug in tc_ctl_tfilter() in net/sched/cls_api.c.

When 'tc filter add' command is executed and proto-tcf does not exist, 
tcf_ctl_tfilter() allocates, initializes and chanins proto-tcf(tp) to
cops->tcf_chain()'s chain before calling tp->ops->change().

If tp->ops->change() returns an error, tcf_ctl_tfilter() returns an error
too, but proto-tcf(tp) is not unchained yet. 

I think tcf_ctl_tfilter() shouldn't chain proto-tcf to the chain before it returns
an error.

I didn't verify this too much, so I might be wrong, but it looks like
cls_cgroup_classify() does things a bit different than others (doesn't
check the 'head' etc. for NULL), so maybe you should consider fixing
it instead? (Btw., the tc classifier maintainer added to Cc).

OOPS! Others mostly don't check this either, so my suggestion was wrong.

Sorry,
Jarek P.