cls_cgroup: use tcf_exts_get_net() before call_rcu()

Hold netns refcnt before call_rcu() and release it after
the tcf_exts_destroy() is done.

Note, on ->destroy() path we have to respect the return value
of tcf_exts_get_net(), on other paths it should always return
true, so we don't need to care.

Cc: Lucas Bates <lucasb@mojatatu.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c
index a97e069..309d589 100644 (file)
--- a/net/sched/cls_cgroup.c
+++ b/net/sched/cls_cgroup.c
@@ -60,15 +60,21 @@ static const struct nla_policy cgroup_policy[TCA_CGROUP_MAX + 1] = {
        [TCA_CGROUP_EMATCHES]   = { .type = NLA_NESTED },
 };
 
+static void __cls_cgroup_destroy(struct cls_cgroup_head *head)
+{
+       tcf_exts_destroy(&head->exts);
+       tcf_em_tree_destroy(&head->ematches);
+       tcf_exts_put_net(&head->exts);
+       kfree(head);
+}
+
 static void cls_cgroup_destroy_work(struct work_struct *work)
 {
        struct cls_cgroup_head *head = container_of(work,
                                                    struct cls_cgroup_head,
                                                    work);
        rtnl_lock();
-       tcf_exts_destroy(&head->exts);
-       tcf_em_tree_destroy(&head->ematches);
-       kfree(head);
+       __cls_cgroup_destroy(head);
        rtnl_unlock();
 }
 
@@ -124,8 +130,10 @@ static int cls_cgroup_change(struct net *net, struct sk_buff *in_skb,
                goto errout;
 
        rcu_assign_pointer(tp->root, new);
-       if (head)
+       if (head) {
+               tcf_exts_get_net(&head->exts);
                call_rcu(&head->rcu, cls_cgroup_destroy_rcu);
+       }
        return 0;
 errout:
        tcf_exts_destroy(&new->exts);
@@ -138,8 +146,12 @@ static void cls_cgroup_destroy(struct tcf_proto *tp)
        struct cls_cgroup_head *head = rtnl_dereference(tp->root);
 
        /* Head can still be NULL due to cls_cgroup_init(). */
-       if (head)
-               call_rcu(&head->rcu, cls_cgroup_destroy_rcu);
+       if (head) {
+               if (tcf_exts_get_net(&head->exts))
+                       call_rcu(&head->rcu, cls_cgroup_destroy_rcu);
+               else
+                       __cls_cgroup_destroy(head);
+       }
 }
 
 static int cls_cgroup_delete(struct tcf_proto *tp, void *arg, bool *last)