From: Steffen Klassert
To: David Miller , Jakub Kicinski
CC: Herbert Xu , Steffen Klassert ,
Subject: [PATCH 3/6] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
Date: Wed, 10 Jun 2026 16:07:42 +0200
Message-ID: <20260610140800.2562818-4-steffen.klassert@secunet.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260610140800.2562818-1-steffen.klassert@secunet.com>
References: <20260610140800.2562818-1-steffen.klassert@secunet.com>
X-Mailing-List: netdev@vger.kernel.org
From: Sanghyun Park

Fix the race by pruning the bin while still holding xfrm_policy_lock,
before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
becomes unused and is removed.

Race:

CPU0 (XFRM_MSG_DELPOLICY)                CPU1 (XFRM_MSG_NEWSPDINFO)
==========================               ==========================
xfrm_policy_bysel_ctx():
  spin_lock_bh(xfrm_policy_lock)
  bin = xfrm_policy_inexact_lookup()
  __xfrm_policy_unlink(pol)
  spin_unlock_bh(xfrm_policy_lock)
  xfrm_policy_kill(ret)
  // wide window, lock not held
                                         xfrm_hash_rebuild():
                                           spin_lock_bh(xfrm_policy_lock)
                                           __xfrm_policy_inexact_flush():
                                             kfree_rcu(bin)  // bin freed
                                           spin_unlock_bh(xfrm_policy_lock)
  xfrm_policy_inexact_prune_bin(bin)
  // UAF: bin is freed

Fixes: 6be3b0db6db8 ("xfrm: policy: add inexact policy search tree infrastructure")
Signed-off-by: Sanghyun Park
Signed-off-by: Steffen Klassert
---
 net/xfrm/xfrm_policy.c | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index dd09d2063da2..959544425692 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1156,15 +1156,6 @@ static void __xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b, bool } } -static void xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b) -{ - struct net *net = read_pnet(&b->k.net); - - spin_lock_bh(&net->xfrm.xfrm_policy_lock); - __xfrm_policy_inexact_prune_bin(b, false); - spin_unlock_bh(&net->xfrm.xfrm_policy_lock); -} - static void __xfrm_policy_inexact_flush(struct net *net) { struct xfrm_pol_inexact_bin *bin, *t; 
@@ -1707,12 +1698,12 @@ xfrm_policy_bysel_ctx(struct net *net, const struct xfrm_mark *mark, u32 if_id, } ret = pol; } + if (bin && delete) + __xfrm_policy_inexact_prune_bin(bin, false); spin_unlock_bh(&net->xfrm.xfrm_policy_lock); if (ret && delete) xfrm_policy_kill(ret); - if (bin && delete) - xfrm_policy_inexact_prune_bin(bin); return ret; } EXPORT_SYMBOL(xfrm_policy_bysel_ctx); -- 2.43.0
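Review bot: with the locking wrapper xfrm_policy_inexact_prune_bin() removed in the first hunk, nothing documents any more that __xfrm_policy_inexact_prune_bin() must be entered with net->xfrm.xfrm_policy_lock held; consider adding `lockdep_assert_held(&net->xfrm.xfrm_policy_lock);` at the top of __xfrm_policy_inexact_prune_bin(), taking net via `read_pnet(&b->k.net)` as the removed wrapper did, so that a future caller which drops the lock first is caught at runtime instead of silently reintroducing this use-after-free. The diffstat (2 insertions, 11 deletions) is consistent with the wrapper having had only the one caller in xfrm_policy_bysel_ctx(), so no other call site is left dangling.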
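Review bot: moving `if (bin && delete) __xfrm_policy_inexact_prune_bin(bin, false);` ahead of spin_unlock_bh() in the second hunk closes the window described in the commit message, since the bin lookup, the policy unlink and the prune now sit in one critical section and xfrm_hash_rebuild() can no longer free the bin in between; a one-line comment above the call stating that the prune must stay under xfrm_policy_lock because __xfrm_policy_inexact_flush() may free the bin once the lock is dropped would stop a later cleanup from moving it back next to xfrm_policy_kill(). The second argument stays `false`, matching what the removed wrapper passed, so the prune itself is unchanged in behaviour.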