On Fri, Sep 07, 2018 at 08:13:56AM -0400, Jamal Hadi Salim wrote:
	} else {
		bool last;

		err = tfilter_del_notify(net, skb, n, tp, block, q, parent, fh, false, &last, extack);
How can we ever get there with NULL fh?
Try:
	tc filter delete dev $P parent ffff: protocol ip prio 10 u32
tcm handle is 0, so will hit that code path.
Huh? It will hit tcf_proto_destroy() (and thus u32_destroy()), but where will it hit u32_delete()? Sure, we have fh == NULL there; what happens next is
	if (t->tcm_handle == 0) {
		tcf_chain_tp_remove(chain, &chain_info, tp);
		tfilter_notify(net, skb, n, tp, block, q, parent, fh, RTM_DELTFILTER, false);
		tcf_proto_destroy(tp, extack);
and that's it. IDGI... Direct experiment shows that on e.g.
	tc qdisc add dev eth0 ingress
	tc filter add dev eth0 parent ffff: protocol ip prio 10 u32 match ip protocol 1 0xff
	tc filter delete dev eth0 parent ffff: protocol ip prio 10 u32
we get u32_destroy() called, with u32_destroy_hnode() called by it, but no u32_delete() is called at all, let alone with ht == NULL...