Re: [PATCH net-next] bpf: fix double free from dev_map_notification()

From: Daniel Borkmann Date: Mon, 21 Aug 2017 01:48:12 +0200 > In the current code, dev_map_free() can still race with > dev_map_notification(). > In dev_map_free(), we remove dtab from the list of dtabs after we purged > all entries from it. However, we don't do xchg()

Re: [PATCH net-next] bpf: fix double free from dev_map_notification()

On 08/21/2017 02:42 AM, Alexei Starovoitov wrote: On 8/20/17 4:48 PM, Daniel Borkmann wrote: [...] I wonder why it was done the other way around in the first place then? dev_map_list is there only for notifier and since the map is freed with all the devices totally makes sense to isolate it

Re: [PATCH net-next] bpf: fix double free from dev_map_notification()

On 8/20/17 4:48 PM, Daniel Borkmann wrote: In the current code, dev_map_free() can still race with dev_map_notification(). In dev_map_free(), we remove dtab from the list of dtabs after we purged all entries from it. However, we don't do xchg() with NULL or the like, so the entry at that point

[PATCH net-next] bpf: fix double free from dev_map_notification()

In the current code, dev_map_free() can still race with dev_map_notification(). In dev_map_free(), we remove dtab from the list of dtabs after we purged all entries from it. However, we don't do xchg() with NULL or the like, so the entry at that point is still pointing to the device. If a