    xfrm: move xfrm_garbage_collect out of xfrm_policy_flush · e0cee9f3
    Hangbin Liu authored
    commit 138437f5 upstream.
    
    Now we force garbage collection if any policy is removed in
    xfrm_policy_flush(). But during xfrm_net_exit(), we call flow_cache_fini()
    first and set fc->percpu to NULL. Then after we call xfrm_policy_fini()
    -> xfrm_policy_flush() -> flow_cache_flush(), we will get a NULL pointer
    dereference when checking percpu_empty. The code path looks like:
    
    flow_cache_fini()
      - fc->percpu = NULL
    xfrm_policy_fini()
      - xfrm_policy_flush()
        - xfrm_garbage_collect()
          - flow_cache_flush()
            - flow_cache_percpu_empty()
              - fcp = per_cpu_ptr(fc->percpu, cpu)
    
    To reproduce, just add ipsec in netns and then remove the netns.
    
    v2:
    As Xin Long suggested, since only two other places need to call it, move
    xfrm_garbage_collect() outside xfrm_policy_flush().
    
    v3:
    Fix subject mismatch after v2 fix.
    
    Fixes: 35db0691 ("xfrm: do the garbage collection after flushing policy")
    Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
    Reviewed-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>