From: Pavel Emelyanov Date: Mon, 21 Apr 2008 21:23:03 +0000 (-0700) Subject: [NETNS]: The ip6_fib_timer can work with garbage on net namespace stop. X-Git-Tag: v2.6.26-rc1~1095^2~12 X-Git-Url: http://pilppa.com/gitweb/?a=commitdiff_plain;h=2aed2827dfc2e7d2e385fc1580529a8fc7f33d47;p=linux-2.6-omap-h63xx.git [NETNS]: The ip6_fib_timer can work with garbage on net namespace stop. The del_timer() function doesn't guarantee, that the timer callback is not active by the time it exits. Thus, the fib6_net_exit() may kfree() all the data, that is required by the fib6_run_gc(). The race window is tiny, but slab poisoning can trigger this bug. Using del_timer_sync() will cure this. Signed-off-by: Pavel Emelyanov Signed-off-by: David S. Miller --- diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 50f3f8f8a59..1ee4fa17c12 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1543,7 +1543,7 @@ out_timer: static void fib6_net_exit(struct net *net) { rt6_ifdown(net, NULL); - del_timer(net->ipv6.ip6_fib_timer); + del_timer_sync(net->ipv6.ip6_fib_timer); kfree(net->ipv6.ip6_fib_timer); #ifdef CONFIG_IPV6_MULTIPLE_TABLES kfree(net->ipv6.fib6_local_tbl);
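Review bot: At the `del_timer_sync(net->ipv6.ip6_fib_timer);` line in fib6_net_exit(), the fix is only complete if nothing outside the timer callback can re-arm ip6_fib_timer between that call returning and the `kfree(net->ipv6.ip6_fib_timer);` on the next line. del_timer_sync() waits for a running handler to finish and copes with a handler that re-arms itself, but its contract requires the caller to prevent any other restart of the timer. If some other path can still call mod_timer() or add_timer() on it, the use-after-free described in the commit message remains. Please state in the commit message, or in a short comment above the call, why no such path is left at this point in namespace teardown (for example, that the preceding rt6_ifdown(net, NULL) and the exit ordering rule it out). It is also worth confirming that fib6_net_exit() runs in process context and holds no lock that fib6_run_gc() takes, since del_timer_sync() can deadlock otherwise. The kfree() calls under CONFIG_IPV6_MULTIPLE_TABLES that follow rely on the same guarantee, so the sync has to stay ahead of all of them.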