From: Sanghyun Park
To: steffen.klassert@secunet.com
Cc: Sanghyun Park, fw@strlen.de, herbert@gondor.apana.org.au, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
Date: Tue, 2 Jun 2026 18:49:05 +0900
Message-ID: <20260602094908.2194262-1-sanghyun.park.cnu@gmail.com>

Fix the race by pruning the bin while still holding xfrm_policy_lock,
before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
becomes unused and is removed.

Race:

CPU0 (XFRM_MSG_DELPOLICY)                   CPU1 (XFRM_MSG_NEWSPDINFO)
==========================================  ============================
xfrm_policy_bysel_ctx():
  spin_lock_bh(xfrm_policy_lock)
  bin = xfrm_policy_inexact_lookup()
  __xfrm_policy_unlink(pol)
  spin_unlock_bh(xfrm_policy_lock)
  xfrm_policy_kill(ret)  // wide window, lock not held
                                            xfrm_hash_rebuild():
                                              spin_lock_bh(xfrm_policy_lock)
                                              __xfrm_policy_inexact_flush():
                                                kfree_rcu(bin)  // bin freed
                                              spin_unlock_bh(xfrm_policy_lock)
  xfrm_policy_inexact_prune_bin(bin)  // UAF: bin is freed

Fixes: 6be3b0db6db8 ("xfrm: policy: add inexact policy search tree infrastructure")
Signed-off-by: Sanghyun Park --- Changes in v2: - Use the correct Fixes tag. - Drop the extra ret condition and keep the original bin && delete condition, only moving the prune before dropping xfrm_policy_lock. - Trim reproduction and KASAN details from the changelog. - Avoid whitespace damage. net/xfrm/xfrm_policy.c | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index fca07f8e60..14fc87b2e7 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1156,15 +1156,6 @@ static void __xfrm_policy_inexact_prune_bin(struct x= frm_pol_inexact_bin *b, bool } } =20 -static void xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b) -{ - struct net *net =3D read_pnet(&b->k.net); - - spin_lock_bh(&net->xfrm.xfrm_policy_lock); - __xfrm_policy_inexact_prune_bin(b, false); - spin_unlock_bh(&net->xfrm.xfrm_policy_lock); -} - static void __xfrm_policy_inexact_flush(struct net *net) { struct xfrm_pol_inexact_bin *bin, *t; @@ -1707,12 +1698,12 @@ xfrm_policy_bysel_ctx(struct net *net, const struct= xfrm_mark *mark, u32 if_id, } ret =3D pol; } + if (bin && delete) + __xfrm_policy_inexact_prune_bin(bin, false); spin_unlock_bh(&net->xfrm.xfrm_policy_lock); =20 if (ret && delete) xfrm_policy_kill(ret); - if (bin && delete) - xfrm_policy_inexact_prune_bin(bin); return ret; } EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
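Review bot: In the first hunk, removing xfrm_policy_inexact_prune_bin() leaves __xfrm_policy_inexact_prune_bin() as the only entry point, and nothing in the remaining code documents that the caller must hold xfrm_policy_lock; consider adding `lockdep_assert_held(&net->xfrm.xfrm_policy_lock);` at the top of __xfrm_policy_inexact_prune_bin() (if it is not already there) so a future caller that reintroduces the unlocked pattern is caught at runtime rather than by KASAN.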
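Review bot: In the second hunk, the prune now runs before xfrm_policy_kill(ret) instead of after it, which changes the ordering as well as the locking; the changelog should state why this is safe, namely that __xfrm_policy_unlink(pol) has already removed the policy from the bin under the same lock hold, so the emptiness check in __xfrm_policy_inexact_prune_bin() does not depend on xfrm_policy_kill() having run. One sentence such as "the policy is already unlinked from the bin at this point, so pruning before xfrm_policy_kill() sees the same bin state" would make the reordering reviewable without reading the callee.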