From: David Miller <da...@davemloft.net>
Date: Tue, 21 Feb 2017 13:23:51 -0500 (EST)

> From: Andrey Ryabinin <aryabi...@virtuozzo.com>
> Date: Tue, 21 Feb 2017 14:27:40 +0300
>
>> DCCP doesn't purge timewait sockets on network namespace shutdown.
>> So, after net namespace destroyed we could still have an active timer
>> which will trigger use after free in tw_timer_handler():
> ...
>> Add .exit_batch hook to dccp_v4_ops()/dccp_v6_ops() which will purge
>> timewait sockets on net namespace destruction and prevent above issue.
>>
>> Reported-by: Dmitry Vyukov <dvyu...@google.com>
>> Signed-off-by: Andrey Ryabinin <aryabi...@virtuozzo.com>
>
> Applied and queued up for -stable, thanks.

Actually, this doesn't even compile. Please fix this up and resubmit:

net/dccp/ipv4.c: In function ‘dccp_v4_exit_batch’:
net/dccp/ipv4.c:1022:34: warning: passing argument 2 of ‘inet_twsk_purge’ makes integer from pointer without a cast [-Wint-conversion]
  inet_twsk_purge(&dccp_hashinfo, &dccp_death_row, AF_INET);
                                  ^
In file included from ./include/linux/dccp.h:14:0,
                 from net/dccp/ipv4.c:13:
./include/net/inet_timewait_sock.h:118:6: note: expected ‘int’ but argument is of type ‘struct inet_timewait_death_row *’
 void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family);
      ^
net/dccp/ipv4.c:1022:2: error: too many arguments to function ‘inet_twsk_purge’
  inet_twsk_purge(&dccp_hashinfo, &dccp_death_row, AF_INET);
  ^