    xfrm: policy: delete inexact policies from inexact list on hash rebuild · 1548bc4e
    Florian Westphal authored
    An xfrm hash rebuild has to reset the inexact policy list before the
    policies get re-inserted: A change of hash thresholds will result in
    policies to get moved from inexact tree to the policy hash table.
    
    If the thresholds are increased again later, they get moved from hash
    table to inexact tree.
    
    We must unlink all policies from the inexact tree before re-insertion.
    
    Otherwise 'migrate' may find policies that are in main hash table a
    second time, when it searches the inexact lists.
    
    Furthermore, re-insertion without deletion can cause elements ->next to
    point back to itself, causing soft lockups or double-frees.
    
    Reported-by: syzbot+9d971dd21eb26567036b@syzkaller.appspotmail.com
    Fixes: 9cf545eb ("xfrm: policy: store inexact policies in a tree ordered by destination address")
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
xfrm_policy.c 101 KB
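The failure mode named in the commit message (re-insertion without deletion leaving an element's ->next pointing back at itself), shown as an added example that is not taken from the commit or the kernel source. It is a constructed user-space model of a head-insert linked list; `struct node`, `struct list`, `list_add_head`, `list_unlink`, `list_len` and `rebuild` are hypothetical names.

```c
#include <stdio.h>
/* Constructed user-space model of a head-insert list; all names are hypothetical. */
struct node { struct node *next, **pprev; };
struct list { struct node *first; };

/* Head insertion; only correct when n is not currently linked. */
static void list_add_head(struct node *n, struct list *h) {
    n->next = h->first;          /* n already at the head: n->next = n */
    if (h->first)
        h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

/* Unlink n; a node that is not linked (pprev == NULL) is left alone. */
static void list_unlink(struct node *n) {
    if (!n->pprev)
        return;
    *n->pprev = n->next;
    if (n->next)
        n->next->pprev = n->pprev;
    n->pprev = NULL;             /* mark unlinked; next is rewritten on insert */
}

/* Bounded walk: node count, or -1 when the list does not end within limit. */
static int list_len(const struct list *h, int limit) {
    int count = 0;
    for (const struct node *n = h->first; n && count <= limit; n = n->next)
        count++;
    return count > limit ? -1 : count;
}

/* Link three nodes, then re-insert each one the way a rebuild would. */
static int rebuild(int unlink_first) {
    struct node pol[3] = {{0}};
    struct list inexact = {0};
    for (int i = 0; i < 3; i++)
        list_add_head(&pol[i], &inexact);
    for (int i = 2; i >= 0; i--) {
        if (unlink_first)
            list_unlink(&pol[i]);     /* the step the commit message requires */
        list_add_head(&pol[i], &inexact);
    }
    return list_len(&inexact, 16);
}

int main(void) {
    printf("no unlink: %d, unlink first: %d\n", rebuild(0), rebuild(1));
    return 0;
}
```

Without the unlink, the first re-inserted node is already the list head, so its `next` is set to itself and every later walk of the list never terminates; the bounded walk here reports that as -1.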