On Tue, Sep 03, 2019 at 11:15:27AM +0800, wenxu@xxxxxxxxx wrote:
> diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
> index 113ac40..ca9e0cb 100644
> --- a/net/netfilter/nf_tables_offload.c
> +++ b/net/netfilter/nf_tables_offload.c
> @@ -357,11 +357,12 @@ static void nft_indr_block_cb(struct net_device *dev,
> const struct nft_table *table;
> const struct nft_chain *chain;
>
> - list_for_each_entry_rcu(table, &net->nft.tables, list) {
> + mutex_lock(&net->nft.commit_mutex);
> + list_for_each_entry(table, &net->nft.tables, list) {
> if (table->family != NFPROTO_NETDEV)
> continue;
>
> - list_for_each_entry_rcu(chain, &table->chains, list) {
> + list_for_each_entry(chain, &table->chains, list) {
> if (!nft_is_base_chain(chain))
> continue;
nft_indr_block_cb() does not check for the offload flag in the
basechain...
