From: Hou Tao houtao1@huawei.com
commit f76fa6b338055054f80c72b29c97fb95c1becadc upstream.
bpf_iter_attach_map() acquires a map uref, and the uref may be released before or in the middle of iterating map elements. For example, the uref could be released in bpf_iter_detach_map() as part of bpf_link_release(), or could be released in bpf_map_put_with_uref() as part of bpf_map_release().
Alternative fix is acquiring an extra bpf_link reference just like a pinned map iterator does, but it introduces unnecessary dependency on bpf_link instead of bpf_map.
So choose another fix: acquiring an extra map uref in .init_seq_private for array map iterator.
Fixes: d3cc2ab546ad ("bpf: Implement bpf iterator for array maps") Signed-off-by: Hou Tao houtao1@huawei.com Acked-by: Yonghong Song yhs@fb.com Link: https://lore.kernel.org/r/20220810080538.1845898-2-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov ast@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- kernel/bpf/arraymap.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/kernel/bpf/arraymap.c +++ b/kernel/bpf/arraymap.c @@ -620,6 +620,11 @@ static int bpf_iter_init_array_map(void seq_info->percpu_value_buf = value_buf; }
+ /* bpf_iter_attach_map() acquires a map uref, and the uref may be + * released before or in the middle of iterating map elements, so + * acquire an extra map uref for iterator. + */ + bpf_map_inc_with_uref(map); seq_info->map = map; return 0; } @@ -628,6 +633,7 @@ static void bpf_iter_fini_array_map(void { struct bpf_iter_seq_array_map_info *seq_info = priv_data;
+ bpf_map_put_with_uref(seq_info->map); kfree(seq_info->percpu_value_buf); }