From: Andrey Ryabinin <[email protected]>
Date: Wed, 22 Feb 2017 12:35:27 +0300
> DCCP doesn't purge timewait sockets on network namespace shutdown.
> So, after net namespace destroyed we could still have an active timer
> which will trigger use after free in tw_timer_handler():
...
> Add .exit_batch hook to dccp_v4_ops()/dccp_v6_ops() which will purge
> timewait sockets on net namespace destruction and prevent above issue.
>
> Fixes: f2bf415cfed7 ("mib: add net to NET_ADD_STATS_BH")
> Reported-by: Dmitry Vyukov <[email protected]>
> Signed-off-by: Andrey Ryabinin <[email protected]>
> Acked-by: Arnaldo Carvalho de Melo <[email protected]>
Applied and queued up for -sable, thanks.
