diff options
author | Eric Dumazet <edumazet@google.com> | 2022-02-16 10:20:37 -0800 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2022-02-17 08:41:54 -0800 |
commit | be6b41c15dc09c067492bd23668763f551747e4e (patch) | |
tree | 3326aea689f69ff1392b14ac63d47bc27b0fd044 /net/ipv6/addrconf.c | |
parent | faab39f63c1fc4bcdf135690f03bd596b578c67e (diff) |
ipv6/addrconf: ensure addrconf_verify_rtnl() has completed
Before freeing the hash table in addrconf_exit_net(),
we need to make sure the work queue has completed,
or risk NULL dereference or UAF.
Thus, use cancel_delayed_work_sync() to enforce this.
We do not hold RTNL in addrconf_exit_net(), making this safe.
Fixes: 8805d13ff1b2 ("ipv6/addrconf: use one delayed work per netns")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20220216182037.3742-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/ipv6/addrconf.c')
-rw-r--r-- | net/ipv6/addrconf.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 57fbd6f03ff8..44e164706340 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -7187,7 +7187,7 @@ static void __net_exit addrconf_exit_net(struct net *net) kfree(net->ipv6.devconf_all); net->ipv6.devconf_all = NULL; - cancel_delayed_work(&net->ipv6.addr_chk_work); + cancel_delayed_work_sync(&net->ipv6.addr_chk_work); /* * Check hash table, then free it. */ |