xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup()
upstream commit:f85daf0e72xfrm_policy_lookup() will call xfrm_pol_hold_rcu() to get a refcount of pols[0]. This refcount can be dropped in xfrm_expand_policies() when xfrm_expand_policies() return error. pols[0]'s refcount is balanced in here. But xfrm_bundle_lookup() will also call xfrm_pols_put() with num_pols == 1 to drop this refcount when xfrm_expand_policies() return error. This patch also fix an illegal address access. pols[0] will save a error point when xfrm_policy_lookup fails. This lead to xfrm_pols_put to resolve an illegal address in xfrm_bundle_lookup's error path. Fix these by setting num_pols = 0 in xfrm_expand_policies()'s error path. Fixes:80c802f307("xfrm: cache bundles instead of policies for outgoing flows") Signed-off-by: Hangyu Hua <hbh25y@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
This commit is contained in:
Hangyu Hua
Jianping Liu
parent
b96175c56f
commit
3faa1c1ccc
|
|
@ -2677,8 +2677,10 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
|
|||
*num_xfrms = 0;
|
||||
return 0;
|
||||
}
|
||||
if (IS_ERR(pols[0]))
|
||||
if (IS_ERR(pols[0])) {
|
||||
*num_pols = 0;
|
||||
return PTR_ERR(pols[0]);
|
||||
}
|
||||
|
||||
*num_xfrms = pols[0]->xfrm_nr;
|
||||
|
||||
|
|
@ -2693,6 +2695,7 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
|
|||
if (pols[1]) {
|
||||
if (IS_ERR(pols[1])) {
|
||||
xfrm_pols_put(pols, *num_pols);
|
||||
*num_pols = 0;
|
||||
return PTR_ERR(pols[1]);
|
||||
}
|
||||
(*num_pols)++;
|
||||
|
|
|
|||
Loading…
Reference in New Issue