From: Hou Tao <houtao1@xxxxxxxxxx> commit ef1e93d2eeb58a1f08c37b22a2314b94bc045f15 upstream. bpf_iter_attach_map() acquires a map uref, and the uref may be released before or in the middle of iterating map elements. For example, the uref could be released in bpf_iter_detach_map() as part of bpf_link_release(), or could be released in bpf_map_put_with_uref() as part of bpf_map_release(). So acquiring an extra map uref in bpf_iter_init_hash_map() and releasing it in bpf_iter_fini_hash_map(). Fixes: d6c4503cc296 ("bpf: Implement bpf iterator for hash maps") Signed-off-by: Hou Tao <houtao1@xxxxxxxxxx> Acked-by: Yonghong Song <yhs@xxxxxx> Link: https://lore.kernel.org/r/20220810080538.1845898-3-houtao@xxxxxxxxxxxxxxx Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- kernel/bpf/hashtab.c | 2 ++ 1 file changed, 2 insertions(+) --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -2019,6 +2019,7 @@ static int bpf_iter_init_hash_map(void * seq_info->percpu_value_buf = value_buf; } + bpf_map_inc_with_uref(map); seq_info->map = map; seq_info->htab = container_of(map, struct bpf_htab, map); return 0; @@ -2028,6 +2029,7 @@ static void bpf_iter_fini_hash_map(void { struct bpf_iter_seq_hash_map_info *seq_info = priv_data; + bpf_map_put_with_uref(seq_info->map); kfree(seq_info->percpu_value_buf); }