From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [91.216.245.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9925736A37F for ; Fri, 3 Jul 2026 05:47:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.216.245.30 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783057655; cv=none; b=ORJNAox7H5ZskXypiNR8PCtOtmK7azahzRFreAK6SA81nDPsA7oga7rQ35ATNxrCBF1/oxZUZfc/CRD56qG4adlYbQLlTKjfeDsttBXJ1I35NW71wb6YDvijRwz7+KsE3cpgK4YvUmikZXrtYr4KkaXm7ZZCC5r5C8afp8+KFT4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783057655; c=relaxed/simple; bh=jxAEDOXDu90dcfT6Q0xSXK/pKc8Cnuh8gxIq8c7fVFo=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=hgBjzWc5u45Uq07ATfs05Qxq4DOFVuElF/+0HwnaL7pdqmgST/aNccgTsodp1JGadapYhqnfdnnvcVX4+BCSWYwyFTlWlrrnaEnbhzXxdBZUz1wupamwGLGumaDH7KBeWS/RUqUZI/XuCG5uLKiLr7bpXYjH3n/NnfKS/ySMqp0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de; spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=strlen.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=strlen.de Received: by Chamillionaire.breakpoint.cc (Postfix, from userid 1003) id 1BF2160491; Fri, 03 Jul 2026 07:47:20 +0200 (CEST) Date: Fri, 3 Jul 2026 07:47:19 +0200 From: Florian Westphal To: "Xiang Mei (Microsoft)" Cc: steffen.klassert@secunet.com, herbert@gondor.apana.org.au, davem@davemloft.net, netdev@vger.kernel.org, horms@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, AutonomousCodeSecurity@microsoft.com, tgopinath@linux.microsoft.com, kys@microsoft.com Subject: Re: [PATCH ipsec v2] xfrm: policy: preallocate inexact bins before xfrm_hash_rebuild reinsert Message-ID: References: <20260703051932.966884-1-xmei5@asu.edu> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260703051932.966884-1-xmei5@asu.edu> Xiang Mei (Microsoft) wrote: > xfrm_hash_rebuild()'s first loop preallocates the bins/chains the reinsert > loop needs, so the reinsert (after hlist_del_rcu()) cannot allocate or > fail. But its guard is inverted: it skips policies with prefixlen < > threshold and preallocates for the rest. > > prefixlen < threshold is exactly when policy_hash_bysel() returns NULL and > the reinsert takes the allocating xfrm_policy_inexact_insert() path. So the > loop preallocates for the exact policies (which never allocate) and skips > the inexact ones, whose bin/node is then allocated GFP_ATOMIC during > reinsert. On failure the error path only WARN_ONCE()s and continues, > leaving a poisoned bydst node; the next rebuild's hlist_del_rcu() > dereferences LIST_POISON2 and takes a GPF. Reachable under memory pressure, > deterministic via failslab. > > Invert the guard so preallocation covers exactly the reinserted policies; > the reinsert then allocates nothing and cannot fail. > > Crash: > Oops: general protection fault, probably for non-canonical address > 0xfbd59c0000000024: 0000 [#1] SMP KASAN NOPTI > KASAN: maybe wild-memory-access in range [0xdead...] > ... > Workqueue: events xfrm_hash_rebuild > RIP: 0010:xfrm_hash_rebuild+0x5b3/0x1190 > RAX: dead000000000122 (LIST_POISON2 + offset) > ... > Call Trace: > hlist_del_rcu (include/linux/rculist.h:599) > xfrm_hash_rebuild (net/xfrm/xfrm_policy.c:1365) > process_one_work (kernel/workqueue.c:3322) > worker_thread (kernel/workqueue.c:3486) > kthread (kernel/kthread.c:436) > ret_from_fork (arch/x86/kernel/process.c:158) > ret_from_fork_asm (arch/x86/entry/entry_64.S:245) > ... > Kernel panic - not syncing: Fatal exception in interrupt > > Fixes: 24969facd704 ("xfrm: policy: store inexact policies in an rhashtable") > Reported-by: AutonomousCodeSecurity@microsoft.com > Signed-off-by: Xiang Mei (Microsoft) Reviewed-by: Florian Westphal