
Commit f85daf0

HBh25Y authored and klassert committed
xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup()
xfrm_policy_lookup() will call xfrm_pol_hold_rcu() to get a refcount of pols[0]. This refcount can be dropped in xfrm_expand_policies() when xfrm_expand_policies() returns an error. pols[0]'s refcount is balanced here. But xfrm_bundle_lookup() will also call xfrm_pols_put() with num_pols == 1 to drop this refcount when xfrm_expand_policies() returns an error.

This patch also fixes an illegal address access. pols[0] will save an error pointer when xfrm_policy_lookup fails. This leads xfrm_pols_put to resolve an illegal address in xfrm_bundle_lookup's error path.

Fix these by setting num_pols = 0 in xfrm_expand_policies()'s error path.

Fixes: 80c802f ("xfrm: cache bundles instead of policies for outgoing flows")
Signed-off-by: Hangyu Hua <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
1 parent 9f4fc18 commit f85daf0

1 file changed

+4
-1
lines changed


net/xfrm/xfrm_policy.c

Lines changed: 4 additions & 1 deletion
@@ -2678,8 +2678,10 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
26782678
*num_xfrms = 0;
26792679
return 0;
26802680
}
2681-
if (IS_ERR(pols[0]))
2681+
if (IS_ERR(pols[0])) {
2682+
*num_pols = 0;
26822683
return PTR_ERR(pols[0]);
2684+
}
26832685

26842686
*num_xfrms = pols[0]->xfrm_nr;
26852687

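Review bot: The new `*num_pols = 0;` on the IS_ERR(pols[0]) path silently changes the function's contract for callers, and that contract is not documented anywhere in the hunk; add a short comment above the assignment (or in the function's header comment) stating that on error the caller's `xfrm_pols_put(pols, num_pols)` must become a no-op because pols[0] holds an ERR_PTR, not a policy, and must never be dereferenced. With the count zeroed this early-return path now matches the `*num_pols = 0;` already done in the "no policy" branch just above it, so both early returns leave the caller with a consistent count; a reviewer would still want the commit to note that pols[0] is intentionally left holding the error value rather than being cleared to NULL.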
@@ -2694,6 +2696,7 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
26942696
if (pols[1]) {
26952697
if (IS_ERR(pols[1])) {
26962698
xfrm_pols_put(pols, *num_pols);
2699+
*num_pols = 0;
26972700
return PTR_ERR(pols[1]);
26982701
}
26992702
(*num_pols)++;
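Review bot: The ordering here is load-bearing and deserves a comment: `xfrm_pols_put(pols, *num_pols);` must run before `*num_pols = 0;`, since the put uses the count to decide how many held references (at this point only pols[0]) to release, and zeroing first would leak that reference. Also worth stating in a comment that pols[1] is an ERR_PTR that was never counted, so it is neither dereferenced by the put nor seen by the caller's cleanup, and that the zeroed count is what prevents xfrm_bundle_lookup()'s error path from dropping pols[0] a second time. Consider adding a brief note in the function's header comment that `*num_pols` is always 0 on any non-zero return, so future callers do not reintroduce the double put.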
