    net: ipv4: ipmr_expire_timer causes crash when removing net namespace · acbb219d
    Francesco Ruggeri committed
    When tearing down a net namespace, ipv4 mr_table structures are freed
    without first deactivating their timers. This can result in a crash in
    run_timer_softirq.
    This patch mimics the corresponding behaviour in ipv6.
    Locking and synchronization seem to be adequate.
    We are about to kfree mrt, so existing code should already make sure that
    no other references to mrt are pending or can be created by incoming traffic.
    The functions invoked here do not cause new references to mrt or other
    race conditions to be created.
    Invoking del_timer_sync guarantees that ipmr_expire_timer is inactive.
    Both ipmr_expire_process (whose completion we may have to wait in
    del_timer_sync) and mroute_clean_tables internally use mfc_unres_lock
    or other synchronizations when needed, and they both only modify mrt.
    
    Tested in Linux 3.4.8.
    Signed-off-by: Francesco Ruggeri <fruggeri@aristanetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
ipmr.c 57.8 KB
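The teardown ordering the commit message describes, as an added userspace C model that is not part of the commit or the kernel source. `struct table`, `timer_add`, `timer_del`, `run_timers` and `simulate_teardown` are hypothetical names, and an `alive` flag stands in for `kfree` so a stale timer can be counted instead of touching freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: a pending list stands in for the kernel timer wheel;
 * clearing `alive` stands in for kfree(mrt), so nothing is really freed. */
struct timer { struct timer *next; };
struct table { struct timer expire_timer; bool alive; };
static struct timer *pending_head;

static void timer_add(struct timer *t) { t->next = pending_head; pending_head = t; }

/* Models del_timer_sync(): unlink the timer so it can no longer fire. */
static void timer_del(struct timer *t) {
    for (struct timer **pp = &pending_head; *pp; pp = &(*pp)->next)
        if (*pp == t) { *pp = t->next; break; }
    t->next = NULL;
}

/* Models run_timer_softirq(): expire every pending timer and count those
 * whose owning table was already released (the crash case in the kernel). */
static int run_timers(void) {
    int dangling = 0;
    while (pending_head) {
        struct timer *t = pending_head;
        pending_head = t->next;
        struct table *owner = (struct table *)((char *)t - offsetof(struct table, expire_timer));
        if (!owner->alive) dangling++;
    }
    return dangling;
}

/* Tear down one table, with or without deactivating its timer first. */
int simulate_teardown(bool deactivate_first) {
    static struct table tb;
    pending_head = NULL;
    tb = (struct table){ .alive = true };
    timer_add(&tb.expire_timer);                          /* timer armed while table is live */
    if (deactivate_first) timer_del(&tb.expire_timer);    /* the ordering the commit adds */
    tb.alive = false;                                     /* models kfree(mrt) */
    return run_timers();
}

int main(void) {
    printf("freed with timer pending: %d dangling; timer deleted first: %d dangling\n",
           simulate_teardown(false), simulate_teardown(true));
    return 0;
}
```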