• Cong Wang's avatar
    net_sched: fix a race condition in tcindex_destroy() · 056a1798
    Cong Wang authored
    [ Upstream commit 8015d93e ]
    
    tcindex_destroy() invokes tcindex_destroy_element() via
    a walker to delete each filter result in its perfect hash
    table, and tcindex_destroy_element() calls tcindex_delete()
    which schedules tcf RCU works to do the final deletion work.
    Unfortunately this races with the RCU callback
    __tcindex_destroy(), which could lead to use-after-free as
    reported by Adrian.
    
    Fix this by migrating this RCU callback to tcf RCU work too,
    as that workqueue is ordered, we will not have use-after-free.
    
    Note, we don't need to hold netns refcnt because we don't call
    tcf_exts_destroy() here.
    
    Fixes: 27ce4f05 ("net_sched: use tcf_queue_work() in tcindex filter")
    Reported-by: default avatarAdrian <bugs@abtelecom.ro>
    Cc: Ben Hutchings <ben@decadent.org.uk>
    Cc: Jamal Hadi Salim <jhs@mojatatu.com>
    Cc: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    056a1798
cls_tcindex.c 15.8 KB