From 0875f0de76e980ec5d67bb6af2cdf825d4559b96 Mon Sep 17 00:00:00 2001
From: Hou Tao
Date: Sun, 8 Oct 2023 10:36:34 +0800
Subject: [PATCH] bpf: Check map->usercnt again after timer->timer is assigned
Signed-off-by: Hou Tao
---
 kernel/bpf/helpers.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 6f600cc95ccd..77d3deb2e576 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1138,8 +1138,17 @@ BPF_CALL_3(bpf_timer_init, struct bpf_timer_kern *, timer, struct bpf_map *, map
 hrtimer_init(&t->timer, clockid, HRTIMER_MODE_REL_SOFT);
 t->timer.function = bpf_timer_cb;
 timer->timer = t;
+ /* Guarantee timer->timer is visible to bpf_timer_cancel_and_free() */
+ smp_mb__before_atomic();
+ if (!atomic64_read(&map->usercnt)) {
+ timer->timer = NULL;
+ ret = -EPERM;
+ goto out;
+ }
+ t = NULL;
 out:
 __bpf_spin_unlock_irqrestore(&timer->lock);
+ kfree(t);
 return ret;
 }
--
2.29.2
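Review bot: `smp_mb__before_atomic()` followed by `atomic64_read(&map->usercnt)` does not order the `timer->timer = t` store before the usercnt load, because the `smp_mb__{before,after}_atomic()` helpers are only defined for read-modify-write atomics and `atomic64_read()` is a plain load; where the helper is only a compiler barrier the store and the load can still be reordered, so the window the comment describes stays open and the timer can outlive the map's last user reference. Use a full barrier here, `smp_mb();`, and have the comment name the barrier it pairs with on the usercnt-release side. The new `kfree(t)` after `out:` is also reached by every earlier `goto out` in bpf_timer_init, which starts outside this hunk; if any of those paths leaves `t` pointing at a timer that is still installed (an already-initialised check would do that), this frees a live object, so freeing inside the new branch (`timer->timer = NULL; kfree(t); ret = -EPERM;`) and dropping the `t = NULL` handoff would be safer. If `timer->timer` is read elsewhere without `timer->lock` held, both stores to it should also be `WRITE_ONCE()`.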