From: Cong Wang <xiyou.wangc...@gmail.com>
Date: Sat, 16 Feb 2019 10:58:26 -0800
> (cherry picked from commit 8015d93ebd27484418d4952284fd02172fa4b0b2)
>
> tcindex_destroy() invokes tcindex_destroy_element() via
> a walker to delete each filter result in its perfect hash
> table, and tcindex_destroy_element() calls tcindex_delete()
> which schedules tcf RCU works to do the final deletion work.
> Unfortunately this races with the RCU callback
> __tcindex_destroy(), which could lead to use-after-free as
> reported by Adrian.
>
> Fix this by migrating this RCU callback to tcf RCU work too,
> as that workqueue is ordered, we will not have use-after-free.
>
> Note, we don't need to hold netns refcnt because we don't call
> tcf_exts_destroy() here.
>
> Fixes: 27ce4f05e2ab ("net_sched: use tcf_queue_work() in tcindex filter")
> Reported-by: Adrian <b...@abtelecom.ro>
> Cc: Ben Hutchings <b...@decadent.org.uk>
> Cc: Jamal Hadi Salim <j...@mojatatu.com>
> Cc: Jiri Pirko <j...@resnulli.us>
> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
Applied.
