Re: [PATCH] net/dccp: fix use after free in tw_timer_handler()

From: Andrey Ryabinin
Date: Wed Feb 22 2017 - 03:58:23 EST

Next message: Wanpeng Li: "Re: [tip:sched/core] sched/core: Add debugging code to catch missing update_rq_clock() calls"
Previous message: Chunfeng Yun: "[PATCH v3 1/8] phy: phy-mt65xx-usb3: improve RX detection stable time"
In reply to: David Miller: "Re: [PATCH] net/dccp: fix use after free in tw_timer_handler()"
Next in thread: David Miller: "Re: [PATCH] net/dccp: fix use after free in tw_timer_handler()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 02/21/2017 04:43 PM, Arnaldo Carvalho de Melo wrote:
> Em Tue, Feb 21, 2017 at 02:27:40PM +0300, Andrey Ryabinin escreveu:
>> DCCP doesn't purge timewait sockets on network namespace shutdown.
>> So, after net namespace destroyed we could still have an active timer
>> which will trigger use after free in tw_timer_handler():
>>
>>
>> Add .exit_batch hook to dccp_v4_ops()/dccp_v6_ops() which will purge
>> timewait sockets on net namespace destruction and prevent above issue.
>
> Please add this, to help stable kernels to pick this up
>
> Fixes: b099ce2602d8 ("net: Batch inet_twsk_purge")
> Cc: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
>

Fixes tag should blame commit f2bf415cfed7 ("mib: add net to NET_ADD_STATS_BH").
It introduced use of net namespace in the timer callback.

Next message: Wanpeng Li: "Re: [tip:sched/core] sched/core: Add debugging code to catch missing update_rq_clock() calls"
Previous message: Chunfeng Yun: "[PATCH v3 1/8] phy: phy-mt65xx-usb3: improve RX detection stable time"
In reply to: David Miller: "Re: [PATCH] net/dccp: fix use after free in tw_timer_handler()"
Next in thread: David Miller: "Re: [PATCH] net/dccp: fix use after free in tw_timer_handler()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]