From: Eric Dumazet
Date: Fri, 12 Oct 2018 18:58:53 -0700

syzbot found a use-after-free in inet6_mc_check [1]

The problem here is that inet6_mc_check() uses rcu
and read_lock(&iml->sflock)

So the fact that ip6_mc_leave_src() is called under RTNL
and the socket lock does not help us, we need to acquire
iml->sflock in write mode.

In the future, we should