summaryrefslogtreecommitdiff
path: root/drivers/cpuidle
diff options
context:
space:
mode:
authorDaniel Borkmann <daniel@iogearbox.net>2017-08-21 02:48:12 +0300
committerDavid S. Miller <davem@davemloft.net>2017-08-21 05:45:54 +0300
commit274043c6c95636e62f5b2514e78fdba82eb47601 (patch)
treeff2739d650ef615ede783390a9a784859e0bc3e7 /drivers/cpuidle
parent63bfc50865a58acf793245917901b4621b459038 (diff)
downloadlinux-274043c6c95636e62f5b2514e78fdba82eb47601.tar.xz
bpf: fix double free from dev_map_notification()
In the current code, dev_map_free() can still race with dev_map_notification(). In dev_map_free(), we remove dtab from the list of dtabs after we purged all entries from it. However, we don't do xchg() with NULL or the like, so the entry at that point is still pointing to the device. If a unregister notification comes in at the same time, we therefore risk a double-free, since the pointer is still present in the map, and then pushed again to __dev_map_entry_free(). All this is completely unnecessary. Just remove the dtab from the list right before the synchronize_rcu(), so all outstanding readers from the notifier list have finished by then, thus we don't need to deal with this corner case anymore and also wouldn't need to nullify dev entires. This is fine because we iterate over the map releasing all entries and therefore dev references anyway. Fixes: 4cc7b9544b9a ("bpf: devmap fix mutex in rcu critical section") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/cpuidle')
0 files changed, 0 insertions, 0 deletions