From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Miller <davem@davemloft.net>
Subject: Re: [PATCH net v2] cls_flower: fix use after free in flower S/W
 path
Date: Fri, 22 Jun 2018 07:25:05 +0900 (KST)
Message-ID: <20180622.072505.191579217918884711.davem@davemloft.net>
References: <fd96de4e9dc358e3982922ae681fdb1b9d8ae72a.1529603970.git.pabeni@redhat.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, jhs@mojatatu.com, xiyou.wangcong@gmail.com,
        jiri@resnulli.us, marcelo.leitner@gmail.com, paulb@mellanox.com
To: pabeni@redhat.com
Return-path: <netdev-owner@vger.kernel.org>
Received: from shards.monkeyblade.net ([23.128.96.9]:38748 "EHLO
        shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932899AbeFUWZK (ORCPT
        <rfc822;netdev@vger.kernel.org>); Thu, 21 Jun 2018 18:25:10 -0400
In-Reply-To: <fd96de4e9dc358e3982922ae681fdb1b9d8ae72a.1529603970.git.pabeni@redhat.com>
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

From: Paolo Abeni <pabeni@redhat.com>
Date: Thu, 21 Jun 2018 20:02:16 +0200

> If flower filter is created without the skip_sw flag, fl_mask_put()
> can race with fl_classify() and we can destroy the mask rhashtable
> while a lookup operation is accessing it.
 ...
> Fix the above waiting for a RCU grace period before destroying the
> rhashtable: we need to use tcf_queue_work(), as rhashtable_destroy()
> must run in process context, as pointed out by Cong Wang.
> 
> v1 -> v2: use tcf_queue_work to run rhashtable_destroy().
> 
> Fixes: 05cd271fd61a ("cls_flower: Support multiple masks per priority")
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Applied, thanks.