Re: [PATCH v2] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()

From: Steffen Klassert

Date: Fri Jun 05 2026 - 07:08:49 EST


On Tue, Jun 02, 2026 at 06:49:05PM +0900, Sanghyun Park wrote:
> Fix the race by pruning the bin while still holding xfrm_policy_lock,
> before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
> the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
> becomes unused and is removed.
>
> Race:
>
> CPU0 (XFRM_MSG_DELPOLICY)               CPU1 (XFRM_MSG_NEWSPDINFO)
> ==========================              ==========================
> xfrm_policy_bysel_ctx():
>   spin_lock_bh(xfrm_policy_lock)
>   bin = xfrm_policy_inexact_lookup()
>   __xfrm_policy_unlink(pol)
>   spin_unlock_bh(xfrm_policy_lock)
>   xfrm_policy_kill(ret)
>   // wide window, lock not held
>                                         xfrm_hash_rebuild():
>                                           spin_lock_bh(xfrm_policy_lock)
>                                           __xfrm_policy_inexact_flush():
>                                             kfree_rcu(bin)  // bin freed
>                                           spin_unlock_bh(xfrm_policy_lock)
>   xfrm_policy_inexact_prune_bin(bin)
>   // UAF: bin is freed
>
> Fixes: 6be3b0db6db8 ("xfrm: policy: add inexact policy search tree infrastructure")
> Signed-off-by: Sanghyun Park <sanghyun.park.cnu@xxxxxxxxx>

Applied, thanks a lot!