There is one synchronize_rcu instance left in the nf_tables config path. It's required when something has to be removed that might still be visible from the packet path, such as rules or set elements.

In such a case, we have something like this:

1. transaction changes are applied
2. synchronize_rcu
3. data is free'd

All of this happens under the (per netns) transaction mutex.

This patch set moves the last two steps to a work queue, so the mutex can be released sooner.

The first patch splits set destruction into two phases. One 'delete' phase, which performs all needed steps to hide the to-be-removed element(s) from the configuration plane, and one 'free' phase, which can perform resource release, e.g. kfree, putting references and the like.

Because a transaction can fail, it is necessary to re-add already-hidden elements again, else we will no longer be able to abort transactions properly. The first patch handles this.

The last patch then makes a transaction look like:

1. transaction changes are applied
2. transaction log gets appended to list
3. work queue is scheduled

The work queue will still call synchronize_rcu, but this no longer happens from the nf_tables config path.
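The ordering described in the message above, as an added userspace model in C; it is not code from the patch set. All names are hypothetical, the grace period is represented by a counter instead of a real synchronize_rcu call, and the work queue by a function the caller runs after commit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Userspace model; every name here is hypothetical, not an nf_tables identifier. */
struct elem { bool hidden; };
struct trans { struct elem *del[8]; size_t n; struct trans *next; };

static struct trans *destroy_list;    /* committed logs awaiting release */
static unsigned grace_periods, freed; /* grace_periods counts modelled synchronize_rcu calls */

/* Phase 1, 'delete': hide the element from the configuration plane, release nothing. */
static bool trans_delete(struct trans *t, struct elem *e)
{
    if (e->hidden || t->n == 8) return false;
    e->hidden = true;
    t->del[t->n++] = e;
    return true;
}

/* Abort: re-add every already-hidden element; nothing was freed, so this always works. */
static void trans_abort(struct trans *t) { while (t->n) t->del[--t->n]->hidden = false; }

/* Commit: queue the log; the caller would now drop the mutex and schedule the work. */
static void trans_commit(struct trans *t) { t->next = destroy_list; destroy_list = t; }

/* Work item: one grace period for the whole batch, then phase 2, 'free'. */
static void destroy_work(void)
{
    struct trans *t = destroy_list, *next;
    destroy_list = NULL;
    if (t) grace_periods++;               /* stands in for synchronize_rcu */
    for (; t; t = next) {
        next = t->next;
        for (size_t i = 0; i < t->n; i++, freed++) free(t->del[i]);
        free(t);
    }
}

int main(void)
{
    struct elem *e = calloc(1, sizeof(*e));
    struct trans *t = calloc(1, sizeof(*t));
    if (!e || !t) return 1;
    trans_delete(t, e); trans_abort(t);   /* failed transaction: e is visible again */
    trans_delete(t, e); trans_commit(t);  /* the mutex would be released here */
    destroy_work();
    return !(freed == 1 && grace_periods == 1);
}
```

Freeing in trans_delete instead would make abort impossible and, in the kernel, would release memory the packet path may still be reading.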