summaryrefslogtreecommitdiff
path: root/net/ipv6/addrconf.c
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2022-02-16 10:20:37 -0800
committerJakub Kicinski <kuba@kernel.org>2022-02-17 08:41:54 -0800
commitbe6b41c15dc09c067492bd23668763f551747e4e (patch)
tree3326aea689f69ff1392b14ac63d47bc27b0fd044 /net/ipv6/addrconf.c
parentfaab39f63c1fc4bcdf135690f03bd596b578c67e (diff)
ipv6/addrconf: ensure addrconf_verify_rtnl() has completed
Before freeing the hash table in addrconf_exit_net(), we need to make sure the work queue has completed, or risk NULL dereference or UAF. Thus, use cancel_delayed_work_sync() to enforce this. We do not hold RTNL in addrconf_exit_net(), making this safe. Fixes: 8805d13ff1b2 ("ipv6/addrconf: use one delayed work per netns") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Reviewed-by: David Ahern <dsahern@kernel.org> Link: https://lore.kernel.org/r/20220216182037.3742-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/ipv6/addrconf.c')
-rw-r--r--net/ipv6/addrconf.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 57fbd6f03ff8..44e164706340 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -7187,7 +7187,7 @@ static void __net_exit addrconf_exit_net(struct net *net)
kfree(net->ipv6.devconf_all);
net->ipv6.devconf_all = NULL;
- cancel_delayed_work(&net->ipv6.addr_chk_work);
+ cancel_delayed_work_sync(&net->ipv6.addr_chk_work);
/*
* Check hash table, then free it.
*/