From: Zhiqiang Liu <[email protected]>
Date: Sat, 16 Mar 2019 17:02:54 +0800
> Commit ad6c9986bcb62 ("vxlan: Fix GRO cells race condition between
> receive and link delete") fixed a race condition for the typical case a vxlan
> device is dismantled from the current netns. But if a netns is dismantled,
> vxlan_destroy_tunnels() is called to schedule a unregister_netdevice_queue()
> of all the vxlan tunnels that are related to this netns.
>
> In vxlan_destroy_tunnels(), gro_cells_destroy() is called and finished before
> unregister_netdevice_queue(). This means that the gro_cells_destroy() call is
> done too soon, for the same reasons explained in above commit.
>
> So we need to fully respect the RCU rules, and thus must remove the
> gro_cells_destroy() call or risk use after-free.
>
> Fixes: 58ce31cca1ff ("vxlan: GRO support at tunnel layer")
> Signed-off-by: Suanming.Mou <[email protected]>
> Suggested-by: Eric Dumazet <[email protected]>
> Reviewed-by: Stefano Brivio <[email protected]>
> Reviewed-by: Zhiqiang Liu <[email protected]>
> ---
> V1->V3:
> - update the commit message suggeted by Eric Dumazet
> - update Fixes: tag
Applied and queued up for -stable, thanks.
