Re: [PATCH v2] net/dccp: fix use after free in tw_timer_handler()

From: David Miller
Date: Wed Feb 22 2017 - 16:15:54 EST

Next message: Jaegeuk Kim: "Re: [f2fs-dev] [PATCH 08/10] f2fs: relax async discard commands more"
Previous message: Josh Poimboeuf: "Re: v4.10: kernel stack frame pointer .. has bad value (null)"
In reply to: Andrey Ryabinin: "[PATCH v2] net/dccp: fix use after free in tw_timer_handler()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
Date: Wed, 22 Feb 2017 12:35:27 +0300

> DCCP doesn't purge timewait sockets on network namespace shutdown.
> So, after net namespace destroyed we could still have an active timer
> which will trigger use after free in tw_timer_handler():
...
> Add .exit_batch hook to dccp_v4_ops()/dccp_v6_ops() which will purge
> timewait sockets on net namespace destruction and prevent above issue.
>
> Fixes: f2bf415cfed7 ("mib: add net to NET_ADD_STATS_BH")
> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Signed-off-by: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
> Acked-by: Arnaldo Carvalho de Melo <acme@xxxxxxxxxx>

Applied and queued up for -sable, thanks.

Next message: Jaegeuk Kim: "Re: [f2fs-dev] [PATCH 08/10] f2fs: relax async discard commands more"
Previous message: Josh Poimboeuf: "Re: v4.10: kernel stack frame pointer .. has bad value (null)"
In reply to: Andrey Ryabinin: "[PATCH v2] net/dccp: fix use after free in tw_timer_handler()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]