Fri, Aug 25, 2017 at 01:51:28AM CEST, [email protected] wrote:
>Like for TC actions, ->delete() is a special case,
>we have to prepare and fill the notification before delete
>otherwise would get use-after-free after we remove the
>reference count.
>
>Signed-off-by: Cong Wang <[email protected]>
>---
[...]
>+static int tclass_del_notify(struct net *net,
>+ const struct Qdisc_class_ops *cops,
>+ struct sk_buff *oskb, struct nlmsghdr *n,
>+ struct Qdisc *q, unsigned long cl)
>+{
>+ u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
>+ struct sk_buff *skb;
>+ int err = 0;
>+
>+ if (!cops->delete)
>+ return -EOPNOTSUPP;
>+
>+ skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
>+ if (!skb)
>+ return -ENOBUFS;
>+
>+ if (tc_fill_tclass(skb, q, cl, portid, n->nlmsg_seq, 0,
>+ RTM_DELTCLASS) < 0) {
>+ kfree_skb(skb);
>+ return -EINVAL;
>+ }
>+
>+ err = cops->delete(q, cl);
>+ if (err) {
>+ kfree_skb(skb);
>+ return err;
>+ }
>+
>+ return rtnetlink_send(skb, net, portid, RTNLGRP_TC,
>+ n->nlmsg_flags & NLM_F_ECHO);
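Review bot: at the final `return rtnetlink_send(...)`, a send failure is returned to the caller even though `cops->delete(q, cl)` has already succeeded, so the request can report an error for a class that has in fact been deleted. Consider a comment above the function saying whether that is intended and why the message is filled before `->delete()` (per the commit message, filling it afterwards would be a use-after-free), since that ordering is the reason the function exists. Minor: `int err = 0;` does not need the initializer, as `err` is assigned from `cops->delete()` before it is read.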
There is a lot of code duplication with tclass_notify function. Don't
you rather want to split tclass_notify into tclass_notify_prepare and
tclass_notify_send and use these 2 from both tclass_notify and
tclass_del_notify?