From: Roman Kapl <c...@rkapl.cz>
Date: Wed, 29 Nov 2017 20:20:14 +0100

> tcf_block_put_ext has assumed that all filters (and thus their goto
> actions) are destroyed in RCU callback and so can not race with our
> list iteration. However, that is not true during netns cleanup (see
> tcf_exts_get_net comment). The assumption was broken by the patch series
> c7e460ce5572..623859ae06b8 ("Merge branch 'net-sched-race-fix'").
>
> Prevent the use after free by holding all chains (except 0, that one is
> already held) as it was done before
> 822e86d997e4 ("net_sched: remove tcf_block_put_deferred()").
>
> To reproduce, run the following in a netns and then delete the ns:
> ip link add dtest type dummy
> tc qdisc add dev dtest ingress
> tc filter add dev dtest chain 1 parent ffff: handle 1 prio 1 flower
> action goto chain 2
>
> Fixes: 623859ae06b8 ("Merge branch 'net-sched-race-fix'")
> Signed-off-by: Roman Kapl <c...@rkapl.cz>

This doesn't apply cleanly to 'net'.