From 2aed2827dfc2e7d2e385fc1580529a8fc7f33d47 Mon Sep 17 00:00:00 2001 From: Pavel Emelyanov Date: Mon, 21 Apr 2008 14:23:03 -0700 Subject: [NETNS]: The ip6_fib_timer can work with garbage on net namespace stop. The del_timer() function doesn't guarantee, that the timer callback is not active by the time it exits. Thus, the fib6_net_exit() may kfree() all the data, that is required by the fib6_run_gc(). The race window is tiny, but slab poisoning can trigger this bug. Using del_timer_sync() will cure this. Signed-off-by: Pavel Emelyanov Signed-off-by: David S. Miller --- net/ipv6/ip6_fib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 50f3f8f..1ee4fa1 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1543,7 +1543,7 @@ out_timer: static void fib6_net_exit(struct net *net) { rt6_ifdown(net, NULL); - del_timer(net->ipv6.ip6_fib_timer); + del_timer_sync(net->ipv6.ip6_fib_timer); kfree(net->ipv6.ip6_fib_timer); #ifdef CONFIG_IPV6_MULTIPLE_TABLES kfree(net->ipv6.fib6_local_tbl); -- cgit v1.1