From: Nicolas Dichtel nicolas.dichtel@6wind.com
commit 93ec1320b0170d7a207eda2d119c669b673401ed upstream.
As stated in the comment above xfrm_nlmsg_multicast(), rcu read lock must be held before calling this function.
Reported-by: syzbot+3d9866419b4aa8f985d6@syzkaller.appspotmail.com Fixes: 703b94b93c19 ("xfrm: notify default policy on update") Signed-off-by: Nicolas Dichtel nicolas.dichtel@6wind.com Signed-off-by: Steffen Klassert steffen.klassert@secunet.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/xfrm/xfrm_user.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1920,6 +1920,7 @@ static int xfrm_notify_userpolicy(struct int len = NLMSG_ALIGN(sizeof(*up)); struct nlmsghdr *nlh; struct sk_buff *skb; + int err;
skb = nlmsg_new(len, GFP_ATOMIC); if (skb == NULL) @@ -1938,7 +1939,11 @@ static int xfrm_notify_userpolicy(struct
nlmsg_end(skb, nlh);
- return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); + rcu_read_lock(); + err = xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); + rcu_read_unlock(); + + return err; }
static bool xfrm_userpolicy_is_valid(__u8 policy)