From: Pavel Emelyanov <xemul@openvz.org>
To: Linux Netdev List <netdev@vger.kernel.org>,
David Miller <davem@davemloft.net>
Subject: [PATCH][NETNS]: The ip6_fib_timer can work with garbage on net namespace stop.
Date: Mon, 21 Apr 2008 17:05:50 +0400
Message-ID: <480C912E.70900@openvz.org>

The del_timer() function doesn't guarantee that the timer callback
is not active by the time it exits.

Thus, fib6_net_exit() may kfree() all the data that is required
by fib6_run_gc(). The race window is tiny, but slab poisoning can
trigger this bug.

Using del_timer_sync() will cure this.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
---
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 50f3f8f..1ee4fa1 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -1543,7 +1543,7 @@ out_timer:
static void fib6_net_exit(struct net *net)
{
rt6_ifdown(net, NULL);
- del_timer(net->ipv6.ip6_fib_timer);
+ del_timer_sync(net->ipv6.ip6_fib_timer);
kfree(net->ipv6.ip6_fib_timer);
#ifdef CONFIG_IPV6_MULTIPLE_TABLES
kfree(net->ipv6.fib6_local_tbl);
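
Review bot: The kfree(net->ipv6.ip6_fib_timer) directly after the new del_timer_sync() call is only safe if nothing can re-arm the timer between the two statements. del_timer_sync() waits for a callback that is already running, but it does not stop a later mod_timer() or add_timer() on the same timer, so the changelog should say why no path can restart ip6_fib_timer once rt6_ifdown(net, NULL) has returned. It would also help to note that fib6_net_exit() runs in process context and holds no lock that the timer callback takes, since del_timer_sync() would otherwise deadlock waiting for the handler.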