diff options
| author | Pavel Emelyanov <xemul@openvz.org> | 2008-04-21 17:23:03 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-04-21 17:23:03 -0400 |
| commit | 2aed2827dfc2e7d2e385fc1580529a8fc7f33d47 (patch) | |
| tree | 29adbd9b866df063583fb438118c1c73e7e26013 | |
| parent | f25c3d613b12b4b6219d03e9930cac5f59541468 (diff) | |
[NETNS]: The ip6_fib_timer can work with garbage on net namespace stop.
The del_timer() function doesn't guarantee, that the timer callback
is not active by the time it exits.
Thus, the fib6_net_exit() may kfree() all the data, that is required
by the fib6_run_gc(). The race window is tiny, but slab poisoning can
trigger this bug.
Using del_timer_sync() will cure this.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/ipv6/ip6_fib.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 50f3f8f8a59b..1ee4fa17c129 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c | |||
| @@ -1543,7 +1543,7 @@ out_timer: | |||
| 1543 | static void fib6_net_exit(struct net *net) | 1543 | static void fib6_net_exit(struct net *net) |
| 1544 | { | 1544 | { |
| 1545 | rt6_ifdown(net, NULL); | 1545 | rt6_ifdown(net, NULL); |
| 1546 | del_timer(net->ipv6.ip6_fib_timer); | 1546 | del_timer_sync(net->ipv6.ip6_fib_timer); |
| 1547 | kfree(net->ipv6.ip6_fib_timer); | 1547 | kfree(net->ipv6.ip6_fib_timer); |
| 1548 | #ifdef CONFIG_IPV6_MULTIPLE_TABLES | 1548 | #ifdef CONFIG_IPV6_MULTIPLE_TABLES |
| 1549 | kfree(net->ipv6.fib6_local_tbl); | 1549 | kfree(net->ipv6.fib6_local_tbl); |