On 11/20/2017 06:54 PM, Cong Wang wrote:
On Sun, Nov 19, 2017 at 8:17 AM, Roman Kapl <c...@rkapl.cz> wrote:
tcf_block_put_ext has assumed that all filters (and thus their goto
actions) are destroyed in RCU callback and thus can not race with our
list iteration. However, that is not true during netns cleanup (see
tcf_exts_get_net comment).
Prevent the user after free by holding the current list element we are
iterating over (foreach_safe is not enough).
Hmm...
Looks like we need to restore the trick we used previously, that is
holding refcnt for all list entries before this list iteration.
Was there a reason to hold all list entries in that trick? I thought
that holding just the current element will be enough, but maybe not.
