netfilter: nf_tables: Keep deleted flowtable hooks until after RCU

[ Upstream commit 642c89c475419b4d0c0d90e29d9c1a0e4351f379 ]

Documentation of list_del_rcu() warns callers to not immediately free
the deleted list item. While it seems not necessary to use the
RCU-variant of list_del() here in the first place, doing so seems to
require calling kfree_rcu() on the deleted item as well.

Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9e2695bedd2cec9f563ed08b0f1cccfa230cf979..2bd1c7e7edc3744ee990c0226bda8862d11f8eec 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7625,7 +7625,7 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
                flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
                                            FLOW_BLOCK_UNBIND);
                list_del_rcu(&hook->list);
-               kfree(hook);
+               kfree_rcu(hook, rcu);
        }
        kfree(flowtable->name);
        module_put(flowtable->data.type->owner);