From: David Miller <davem@xxxxxxxxxxxxx>
Date: Tue, 21 Feb 2017 13:23:51 -0500 (EST)

> From: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
> Date: Tue, 21 Feb 2017 14:27:40 +0300
>
>> DCCP doesn't purge timewait sockets on network namespace shutdown.
>> So, after net namespace destroyed we could still have an active timer
>> which will trigger use after free in tw_timer_handler():
> ...
>> Add .exit_batch hook to dccp_v4_ops()/dccp_v6_ops() which will purge
>> timewait sockets on net namespace destruction and prevent above issue.
>>
>> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
>> Signed-off-by: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
>
> Applied and queued up for -stable, thanks.

Actually, this doesn't even compile. Please fix this up and resubmit:

net/dccp/ipv4.c: In function ‘dccp_v4_exit_batch’:
net/dccp/ipv4.c:1022:34: warning: passing argument 2 of ‘inet_twsk_purge’ makes integer from pointer without a cast [-Wint-conversion]
  inet_twsk_purge(&dccp_hashinfo, &dccp_death_row, AF_INET);
                                  ^
In file included from ./include/linux/dccp.h:14:0,
                 from net/dccp/ipv4.c:13:
./include/net/inet_timewait_sock.h:118:6: note: expected ‘int’ but argument is of type ‘struct inet_timewait_death_row *’
 void inet_twsk_purge(struct inet_hashinfo *hashinfo, int family);
      ^
net/dccp/ipv4.c:1022:2: error: too many arguments to function ‘inet_twsk_purge’
  inet_twsk_purge(&dccp_hashinfo, &dccp_death_row, AF_INET);
  ^
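
The lifetime problem described in the quoted commit message, as an added user-space model that is not part of this mail or of the kernel source: timewait entries keep a pointer to their namespace, and a purge run from the namespace exit hook disarms their timers before they can fire. All names and constants are hypothetical; only the two-argument (table, family) shape of the purge call follows the prototype in the compiler note, and the rule "family matches and namespace is gone" is an assumption of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model. Every name below is hypothetical, not a kernel symbol. */
enum { FAM_V4 = 4, FAM_V6 = 6, MAX_TW = 8 };     /* constructed constants */
struct net { bool alive; int expired; };          /* stand-in for a namespace */
struct tw_sock { struct net *net; int family; bool armed; };
struct hashinfo { struct tw_sock tw[MAX_TW]; size_t n; };

/* Timer callback: touches per-namespace state. Returns 1 on a stale access. */
static int tw_timer_fire(struct tw_sock *tw)
{
    if (!tw->armed) return 0;
    tw->armed = false;
    if (!tw->net->alive) return 1;   /* in the kernel: the use-after-free */
    tw->net->expired++;
    return 0;
}

/* Two-argument purge: disarm entries of one family whose namespace is gone. */
static void twsk_purge(struct hashinfo *h, int family)
{
    for (size_t i = 0; i < h->n; i++)
        if (h->tw[i].family == family && !h->tw[i].net->alive)
            h->tw[i].armed = false;
}

/* Tear down namespace a, optionally run the exit hooks, then expire timers. */
static int stale_accesses(bool with_exit_hook)
{
    struct net a = { true, 0 }, b = { true, 0 };
    struct hashinfo h = { { { &a, FAM_V4, true }, { &a, FAM_V6, true }, { &b, FAM_V4, true } }, 3 };
    int stale = 0;
    a.alive = false;                 /* namespace destroyed, timers still armed */
    if (with_exit_hook) {
        twsk_purge(&h, FAM_V4);      /* models the v4 ops exit hook */
        twsk_purge(&h, FAM_V6);      /* models the v6 ops exit hook */
    }
    for (size_t i = 0; i < h.n; i++)
        stale += tw_timer_fire(&h.tw[i]);
    return stale;
}

int main(void)
{
    printf("stale timer accesses without hook: %d\n", stale_accesses(false));
    printf("stale timer accesses with hook:    %d\n", stale_accesses(true));
    return 0;
}
```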