From: Phil Sutter <phil@nwl.cc>
Date: Thu, 12 Sep 2024 12:21:33 +0000 (+0200)
Subject: netfilter: nf_tables: Keep deleted flowtable hooks until after RCU
X-Git-Tag: v5.10.227~313
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=db9c5f08eea34cf4ec8c7c021819b78a2e129aa5;p=thirdparty%2Fkernel%2Fstable.git

netfilter: nf_tables: Keep deleted flowtable hooks until after RCU

[ Upstream commit 642c89c475419b4d0c0d90e29d9c1a0e4351f379 ]

Documentation of list_del_rcu() warns callers to not immediately free
the deleted list item. While it seems not necessary to use the
RCU-variant of list_del() here in the first place, doing so seems to
require calling kfree_rcu() on the deleted item as well.

Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9e2695bedd2ce..2bd1c7e7edc37 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7625,7 +7625,7 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
 		flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
 					    FLOW_BLOCK_UNBIND);
 		list_del_rcu(&hook->list);
-		kfree(hook);
+		kfree_rcu(hook, rcu);
 	}
 	kfree(flowtable->name);
 	module_put(flowtable->data.type->owner);