From: Cong Wang <[email protected]>
Date: Mon, 30 Oct 2017 11:10:09 -0700
> In commit 7aa0045dadb6 ("net_sched: introduce a workqueue for RCU callbacks
> of tc filter")
> I defer tcf_chain_flush() to a workqueue, this causes a use-after-free
> because qdisc is already destroyed after we queue this work.
>
> The tcf_block_put_deferred() is no longer necessary after we get RTNL
> for each tc filter destroy work, no others could jump in at this point.
> Same for tcf_chain_hold(), we are fully serialized now.
>
> This also removes one indirection and therefore makes the code more
> readable. Note this brings back a rcu_barrier(); however, compared
> to the code prior to commit 7aa0045dadb6 we still reduced one
> rcu_barrier(). For net-next, we can consider refcounting the tcf block to
> avoid it.
>
> Fixes: 7aa0045dadb6 ("net_sched: introduce a workqueue for RCU callbacks of
> tc filter")
> Cc: Daniel Borkmann <[email protected]>
> Cc: Jiri Pirko <[email protected]>
> Cc: John Fastabend <[email protected]>
> Cc: Jamal Hadi Salim <[email protected]>
> Cc: "Paul E. McKenney" <[email protected]>
> Cc: Eric Dumazet <[email protected]>
> Signed-off-by: Cong Wang <[email protected]>
Applied, thanks for fixing this use-after-free so quickly.
This will be another fun merge into net-next :-)