Message ID | 20170222093527.19698-1-aryabinin@virtuozzo.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
From: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date: Wed, 22 Feb 2017 12:35:27 +0300

> DCCP doesn't purge timewait sockets on network namespace shutdown.
> So, after net namespace destroyed we could still have an active timer
> which will trigger use after free in tw_timer_handler():
...
> Add .exit_batch hook to dccp_v4_ops()/dccp_v6_ops() which will purge
> timewait sockets on net namespace destruction and prevent above issue.
>
> Fixes: f2bf415cfed7 ("mib: add net to NET_ADD_STATS_BH")
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
> Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>

Applied and queued up for -stable, thanks.
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c index b043ec8..409d0cf 100644 --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c @@ -1017,9 +1017,15 @@ static void __net_exit dccp_v4_exit_net(struct net *net) inet_ctl_sock_destroy(net->dccp.v4_ctl_sk); } +static void __net_exit dccp_v4_exit_batch(struct list_head *net_exit_list) +{ + inet_twsk_purge(&dccp_hashinfo, AF_INET); +} + static struct pernet_operations dccp_v4_ops = { .init = dccp_v4_init_net, .exit = dccp_v4_exit_net, + .exit_batch = dccp_v4_exit_batch, }; static int __init dccp_v4_init(void) diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index cef60a4..233b573 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -1075,9 +1075,15 @@ static void __net_exit dccp_v6_exit_net(struct net *net) inet_ctl_sock_destroy(net->dccp.v6_ctl_sk); } +static void __net_exit dccp_v6_exit_batch(struct list_head *net_exit_list) +{ + inet_twsk_purge(&dccp_hashinfo, AF_INET6); +} + static struct pernet_operations dccp_v6_ops = { .init = dccp_v6_init_net, .exit = dccp_v6_exit_net, + .exit_batch = dccp_v6_exit_batch, }; static int __init dccp_v6_init(void)
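Review bot: in the net/dccp/ipv4.c hunk, dccp_v4_exit_batch() never uses its net_exit_list argument, and the call inet_twsk_purge(&dccp_hashinfo, AF_INET) names a global table and an address family rather than the namespaces being torn down. Nothing in these lines shows how the purge is limited to timewait sockets of the exiting namespaces, so a short comment above the function stating that scoping (and why the list argument can be ignored) would let a reader confirm the use-after-free in tw_timer_handler() is closed without opening inet_twsk_purge().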
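Review bot: in the net/dccp/ipv6.c hunk, dccp_v6_exit_batch() is a copy of the ipv4.c handler with only the family constant changed, and both act on the same dccp_hashinfo, so when dccp_v4_ops and dccp_v6_ops are both registered the shared table is purged once per family on every namespace teardown batch. Please note in a comment that the per-family split is deliberate and that each handler owns exactly its own family, so a later cleanup does not merge the two into one call and leave AF_INET6 timewait sockets with live timers.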