On Mon, Oct 01, 2018 at 06:16:27AM -0700, Eric Dumazet wrote: > syszbot found an interesting use-after-free [1] happening > while IPv4 fragment rhashtable was destroyed at netns dismantle. > > While no insertions can possibly happen at the time a dismantling > netns is destroying this rhashtable, timers can still fire and > attempt to remove elements from this rhashtable.
Hmm, I think that's your real problem. rhashtable_free_and_destroy doesn't take any locks with respect to the normal insertion/removal path so it definitely isn't safe to call it while you're still invoking the normal rhashtable remove function. Cheers, -- Email: Herbert Xu <herb...@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
