diff options
author | Pavel Emelyanov <xemul@openvz.org> | 2008-04-21 14:23:03 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-04-21 14:23:03 -0700 |
commit | 2aed2827dfc2e7d2e385fc1580529a8fc7f33d47 (patch) | |
tree | 29adbd9b866df063583fb438118c1c73e7e26013 /net/ipv6 | |
parent | f25c3d613b12b4b6219d03e9930cac5f59541468 (diff) | |
download | kernel_samsung_tuna-2aed2827dfc2e7d2e385fc1580529a8fc7f33d47.zip kernel_samsung_tuna-2aed2827dfc2e7d2e385fc1580529a8fc7f33d47.tar.gz kernel_samsung_tuna-2aed2827dfc2e7d2e385fc1580529a8fc7f33d47.tar.bz2 |
[NETNS]: The ip6_fib_timer can work with garbage on net namespace stop.
The del_timer() function doesn't guarantee, that the timer callback
is not active by the time it exits.
Thus, the fib6_net_exit() may kfree() all the data, that is required
by the fib6_run_gc(). The race window is tiny, but slab poisoning can
trigger this bug.
Using del_timer_sync() will cure this.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/ip6_fib.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 50f3f8f..1ee4fa1 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1543,7 +1543,7 @@ out_timer: static void fib6_net_exit(struct net *net) { rt6_ifdown(net, NULL); - del_timer(net->ipv6.ip6_fib_timer); + del_timer_sync(net->ipv6.ip6_fib_timer); kfree(net->ipv6.ip6_fib_timer); #ifdef CONFIG_IPV6_MULTIPLE_TABLES kfree(net->ipv6.fib6_local_tbl); |