3 files changed, 18 insertions, 0 deletions

diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index aa540e6be502..d9dd0f707296 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -95,6 +95,11 @@ extern struct list_head net_namespace_list;
 #ifdef CONFIG_NET_NS
 extern void __put_net(struct net *net);
 
+static inline int net_alive(struct net *net)
+{
+        return net && atomic_read(&net->count);
+}
+
 static inline struct net *get_net(struct net *net)
 {
         atomic_inc(&net->count);
@@ -125,6 +130,12 @@ int net_eq(const struct net *net1, const struct net *net2)
         return net1 == net2;
 }
 #else
+
+static inline int net_alive(struct net *net)
+{
+        return 1;
+}
+
 static inline struct net *get_net(struct net *net)
 {
         return net;
diff --git a/net/core/dev.c b/net/core/dev.c
index 68d8df0992ab..c421a1f8f0b9 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2077,6 +2077,10 @@ int netif_receive_skb(struct sk_buff *skb)
 
         rcu_read_lock();
 
+        /* Don't receive packets in an exiting network namespace */
+        if (!net_alive(dev_net(skb->dev)))
+                goto out;
+
 #ifdef CONFIG_NET_CLS_ACT
         if (skb->tc_verd & TC_NCLS) {
                 skb->tc_verd = CLR_TC_NCLS(skb->tc_verd);
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 72b4c184dd84..7c52fe277b62 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -140,6 +140,9 @@ static void cleanup_net(struct work_struct *work)
         struct pernet_operations *ops;
         struct net *net;
 
+        /* Be very certain incoming network packets will not find us */
+        rcu_barrier();
+
         net = container_of(work, struct net, work);
 
         mutex_lock(&net_mutex);