Control plane should mark a to-be-destroyed set as dead before the ->destroy function gets called. This needs to be done while control plane still holds the transaction mutex. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- net/netfilter/nf_tables_api.c | 3 +++ net/netfilter/nft_set_hash.c | 2 ++ 2 files changed, 5 insertions(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 224e5fb6a916..be8254d31988 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -5276,6 +5276,9 @@ static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) for (i = 0; i < set->num_exprs; i++) nft_expr_destroy(ctx, set->exprs[i]); + if (WARN_ON_ONCE(!set->dead)) + set->dead = 1; + set->ops->destroy(ctx, set); nft_set_catchall_destroy(ctx, set); nft_set_put(set); diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 6968a3b34236..06337a089c34 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c @@ -451,6 +451,8 @@ static void nft_rhash_destroy(const struct nft_ctx *ctx, .set = set, }; + WARN_ON_ONCE(!set->dead); + cancel_delayed_work_sync(&priv->gc_work); rhashtable_free_and_destroy(&priv->ht, nft_rhash_elem_destroy, (void *)&rhash_ctx); -- 2.43.0
