git.baikalelectronics.ru Git - kernel.git/commit

author	Cong Wang <xiyou.wangcong@gmail.com>
	Sat, 16 Feb 2019 18:58:26 +0000 (10:58 -0800)
committer	David S. Miller <davem@davemloft.net>
	Thu, 21 Feb 2019 04:11:10 +0000 (20:11 -0800)
commit	c0ba7bbd3e74c431f75c9f8cbb5ec8e30b4dbcb8
tree	b2c64f1f04e65965284581675b8ee1d122763ae2	tree \| snapshot
parent	b0c2e6c672655dba5ccd10191749b895161b4435	commit \| diff

net_sched: fix a race condition in tcindex_destroy()

(cherry picked from commit 17b1e6f992bc8d5513e35bd5909d733e01208a7f)

tcindex_destroy() invokes tcindex_destroy_element() via
a walker to delete each filter result in its perfect hash
table, and tcindex_destroy_element() calls tcindex_delete()
which schedules tcf RCU works to do the final deletion work.
Unfortunately this races with the RCU callback
__tcindex_destroy(), which could lead to use-after-free as
reported by Adrian.

Fix this by migrating this RCU callback to tcf RCU work too,
as that workqueue is ordered, we will not have use-after-free.

Note, we don't need to hold netns refcnt because we don't call
tcf_exts_destroy() here.

Fixes: dd20a22e8db2 ("net_sched: use tcf_queue_work() in tcindex filter")
Reported-by: Adrian <bugs@abtelecom.ro>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>