netfilter: nft_flow_offload: wait for garbage collector to run after cleanup

If netdevice goes down, then flowtable entries are scheduled to be
removed. Wait for garbage collector to have a chance to run so it can
delete them from the hashtable.

The flush call might sleep, so hold the nfnl mutex from
nft_flow_table_iterate() instead of rcu read side lock. The use of the
nfnl mutex is also implicitly fixing races between updates via nfnetlink
and netdevice event.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2 files changed, 5 insertions, 4 deletions

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0791813a1e7d..07dd1fac78a8 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5006,13 +5006,13 @@ void nft_flow_table_iterate(struct net *net,
         struct nft_flowtable *flowtable;
         const struct nft_table *table;
 
-        rcu_read_lock();
-        list_for_each_entry_rcu(table, &net->nft.tables, list) {
-                list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
+        nfnl_lock(NFNL_SUBSYS_NFTABLES);
+        list_for_each_entry(table, &net->nft.tables, list) {
+                list_for_each_entry(flowtable, &table->flowtables, list) {
                         iter(&flowtable->data, data);
                 }
         }
-        rcu_read_unlock();
+        nfnl_unlock(NFNL_SUBSYS_NFTABLES);
 }
 EXPORT_SYMBOL_GPL(nft_flow_table_iterate);
 
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 4503b8dcf9c0..1739ff8ca21f 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -208,6 +208,7 @@ static void nft_flow_offload_iterate_cleanup(struct nf_flowtable *flowtable,
                                              void *data)
 {
         nf_flow_table_iterate(flowtable, flow_offload_iterate_cleanup, data);
+        flush_delayed_work(&flowtable->gc_work);
 }
 
 static int flow_offload_netdev_event(struct notifier_block *this,