git.baikalelectronics.ru Git - kernel.git/commit

author	Hangyu Hua <hbh25y@gmail.com>
	Wed, 1 Jun 2022 06:46:25 +0000 (14:46 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 29 Jul 2022 15:14:10 +0000 (17:14 +0200)
commit	7211efd4d164cf9ccb82926f40c23ba39b4f252a
tree	3d2bc20ba20ff5a55c237bed93df71f1cfb6388b	tree \| snapshot
parent	911d4a9d6fd5d02e59ba27296243c89d1400be2d	commit \| diff

xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup()

[ Upstream commit d5b498b46edd95255ec5cf3e2da09142539821cc ]

xfrm_policy_lookup() will call xfrm_pol_hold_rcu() to get a refcount of
pols[0]. This refcount can be dropped in xfrm_expand_policies() when
xfrm_expand_policies() return error. pols[0]'s refcount is balanced in
here. But xfrm_bundle_lookup() will also call xfrm_pols_put() with
num_pols == 1 to drop this refcount when xfrm_expand_policies() return
error.

This patch also fix an illegal address access. pols[0] will save a error
point when xfrm_policy_lookup fails. This lead to xfrm_pols_put to resolve
an illegal address in xfrm_bundle_lookup's error path.

Fix these by setting num_pols = 0 in xfrm_expand_policies()'s error path.

Fixes: bceb06bc1841 ("xfrm: cache bundles instead of policies for outgoing flows")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>