On Mon, Nov 12, 2018 at 10:43:45PM +0100, Florian Westphal wrote: > nft_compat ops do not have static storage duration, unlike all other > expressions. > > When nf_tables_expr_destroy() returns, expr->ops might have been > free'd already, so we need to store next address before calling > expression destructor. > > For same reason, we can't deref match pointer after nft_xt_put(). > > This can be easily reproduced by adding msleep() before > nft_match_destroy() returns. Applied, thanks Florian.
