On Thu, May 09, 2019 at 07:33:53PM -0700, Chenbo Feng wrote:
From: Alexei Starovoitov <ast@xxxxxx>
commit 9f691549f76d488a0c74397b3e51e943865ea01f upstream.
when htab_elem is removed from the bucket list the htab_elem.hash_node.next
field should not be overridden too early otherwise we have a tiny race window
between lookup and delete.
The bug was discovered by manual code analysis and reproducible
only with explicit udelay() in lookup_elem_raw().
Fixes: 6c9059817432 ("bpf: pre-allocate hash map elements")
Reported-by: Jonathan Perry <jonperry@xxxxxx>
Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
Acked-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Chenbo Feng <fengc@xxxxxxxxxx>
Queued both for 4.9, thank you.
--
Thanks,
Sasha
