From: Eric Dumazet Date: Wed, 16 Feb 2022 18:20:37 +0000 (-0800) Subject: ipv6/addrconf: ensure addrconf_verify_rtnl() has completed X-Git-Tag: xarray-5.18a~224^2~327 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=be6b41c15dc09c067492bd23668763f551747e4e;p=users%2Fwilly%2Fxarray.git ipv6/addrconf: ensure addrconf_verify_rtnl() has completed Before freeing the hash table in addrconf_exit_net(), we need to make sure the work queue has completed, or risk NULL dereference or UAF. Thus, use cancel_delayed_work_sync() to enforce this. We do not hold RTNL in addrconf_exit_net(), making this safe. Fixes: 8805d13ff1b2 ("ipv6/addrconf: use one delayed work per netns") Signed-off-by: Eric Dumazet Reported-by: syzbot Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20220216182037.3742-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski --- diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 57fbd6f03ff8..44e164706340 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -7187,7 +7187,7 @@ static void __net_exit addrconf_exit_net(struct net *net) kfree(net->ipv6.devconf_all); net->ipv6.devconf_all = NULL; - cancel_delayed_work(&net->ipv6.addr_chk_work); + cancel_delayed_work_sync(&net->ipv6.addr_chk_work); /* * Check hash table, then free it. */