On Mon, Oct 1, 2018 at 6:40 AM Herbert Xu <herb...@gondor.apana.org.au> wrote:
>
> On Mon, Oct 01, 2018 at 06:16:27AM -0700, Eric Dumazet wrote:
> > syzbot found an interesting use-after-free [1] happening
> > while IPv4 fragment rhashtable was destroyed at netns dismantle.
> >
> > While no insertions can possibly happen at the time a dismantling
> > netns is destroying this rhashtable, timers can still fire and
> > attempt to remove elements from this rhashtable.
>
> Hmm, I think that's your real problem. rhashtable_free_and_destroy
> doesn't take any locks with respect to the normal insertion/removal
> path so it definitely isn't safe to call it while you're still
> invoking the normal rhashtable remove function.
>

Ah... for some reason I thought it was ok to delete elems while rhashtable_free_and_destroy() was running.

I would love not having to use a rhashtable_walk...() to first expunge the hash table before rhashtable_destroy().