Re: [PATCH v2] xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup()

From: Steffen Klassert
Date: Sat Jun 04 2022 - 03:40:25 EST


On Wed, Jun 01, 2022 at 02:46:25PM +0800, Hangyu Hua wrote:
> xfrm_policy_lookup() will call xfrm_pol_hold_rcu() to get a refcount of
> pols[0]. This refcount can be dropped in xfrm_expand_policies() when
> xfrm_expand_policies() returns an error. pols[0]'s refcount is balanced
> here. But xfrm_bundle_lookup() will also call xfrm_pols_put() with
> num_pols == 1 to drop this refcount when xfrm_expand_policies() returns an
> error.
>
> This patch also fixes an illegal address access. pols[0] will hold an error
> pointer when xfrm_policy_lookup() fails. This leads xfrm_pols_put() to
> dereference an illegal address in xfrm_bundle_lookup()'s error path.
>
> Fix these by setting num_pols = 0 in xfrm_expand_policies()'s error path.
>
> Fixes: 80c802f3073e ("xfrm: cache bundles instead of policies for outgoing flows")
> Signed-off-by: Hangyu Hua <hbh25y@xxxxxxxxx>

Applied, thanks!