xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() - starfive-tech/linux.git - StarFive Tech Linux Kernel for VisionFive (JH7110) boards (mirror)

diff options

author	Hangyu Hua <hbh25y@gmail.com>	2022-06-01 09:46:25 +0300
committer	Steffen Klassert <steffen.klassert@secunet.com>	2022-06-02 12:05:19 +0300
commit	f85daf0e725358be78dfd208dea5fd665d8cb901 (patch)
tree	57ff2df72148d7d98119d5a828cd18a7c371fb4a /net/ipv4/esp4.c
parent	9f4fc18bf285f20c1498f8fcfb586fa70a070fb5 (diff)
download	linux-f85daf0e725358be78dfd208dea5fd665d8cb901.tar.xz

xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup()

xfrm_policy_lookup() will call xfrm_pol_hold_rcu() to get a refcount of pols[0]. This refcount can be dropped in xfrm_expand_policies() when xfrm_expand_policies() return error. pols[0]'s refcount is balanced in here. But xfrm_bundle_lookup() will also call xfrm_pols_put() with num_pols == 1 to drop this refcount when xfrm_expand_policies() return error. This patch also fix an illegal address access. pols[0] will save a error point when xfrm_policy_lookup fails. This lead to xfrm_pols_put to resolve an illegal address in xfrm_bundle_lookup's error path. Fix these by setting num_pols = 0 in xfrm_expand_policies()'s error path. Fixes: 80c802f3073e ("xfrm: cache bundles instead of policies for outgoing flows") Signed-off-by: Hangyu Hua <hbh25y@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

Diffstat (limited to 'net/ipv4/esp4.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: