From: Cong Wang <xiyou.wangc...@gmail.com>
Date: Mon, 30 Oct 2017 11:10:09 -0700

> In commit 7aa0045dadb6 ("net_sched: introduce a workqueue for RCU callbacks
> of tc filter")
> I defer tcf_chain_flush() to a workqueue, this causes a use-after-free
> because qdisc is already destroyed after we queue this work.
>
> The tcf_block_put_deferred() is no longer necessary after we get RTNL
> for each tc filter destroy work, no others could jump in at this point.
> Same for tcf_chain_hold(), we are fully serialized now.
>
> This also reduces one indirection therefore makes the code more
> readable. Note this brings back a rcu_barrier(), however comparing
> to the code prior to commit 7aa0045dadb6 we still reduced one
> rcu_barrier(). For net-next, we can consider to refcnt tcf block to
> avoid it.
>
> Fixes: 7aa0045dadb6 ("net_sched: introduce a workqueue for RCU callbacks of
> tc filter")
> Cc: Daniel Borkmann <dan...@iogearbox.net>
> Cc: Jiri Pirko <j...@resnulli.us>
> Cc: John Fastabend <john.fastab...@gmail.com>
> Cc: Jamal Hadi Salim <j...@mojatatu.com>
> Cc: "Paul E. McKenney" <paul...@linux.vnet.ibm.com>
> Cc: Eric Dumazet <eduma...@google.com>
> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>

Applied, thanks for fixing this use-after-free so quickly.

This will be another fun merge into net-next :-)