Re: [PATCH] net/dccp: fix use after free in tw_timer_handler()

From: David Miller
Date: Tue Feb 21 2017 - 13:25:30 EST


From: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
Date: Tue, 21 Feb 2017 14:27:40 +0300

> DCCP doesn't purge timewait sockets on network namespace shutdown.
> So, after the net namespace is destroyed, we could still have an active
> timer which will trigger a use after free in tw_timer_handler():
...
> Add an .exit_batch hook to dccp_v4_ops()/dccp_v6_ops() which will purge
> timewait sockets on net namespace destruction and prevent the above issue.
>
> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Signed-off-by: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>

Applied and queued up for -stable, thanks.