net_sched: fix a race condition in tcindex_destroy()
authorCong Wang <xiyou.wangcong@gmail.com>
Mon, 11 Feb 2019 21:06:14 +0000 (13:06 -0800)
committerDavid S. Miller <davem@davemloft.net>
Tue, 12 Feb 2019 19:10:56 +0000 (14:10 -0500)
commit8015d93ebd27484418d4952284fd02172fa4b0b2
tree38d371d127638a0679b0879190a0e41efad59875
parent6a7dd172000bf3d50a24b2548fe9c692875d669c
net_sched: fix a race condition in tcindex_destroy()

tcindex_destroy() invokes tcindex_destroy_element() via
a walker to delete each filter result in its perfect hash
table, and tcindex_destroy_element() calls tcindex_delete()
which schedules tcf RCU works to do the final deletion work.
Unfortunately this races with the RCU callback
__tcindex_destroy(), which could lead to use-after-free as
reported by Adrian.

Fix this by migrating this RCU callback to tcf RCU work too,
as that workqueue is ordered, we will not have use-after-free.

Note, we don't need to hold netns refcnt because we don't call
tcf_exts_destroy() here.

Fixes: 27ce4f05e2ab ("net_sched: use tcf_queue_work() in tcindex filter")
Reported-by: Adrian <bugs@abtelecom.ro>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/cls_tcindex.c