Syzkaller reports suspicious RCU usage in xfrm_set_default in 5.10 stable releases. The problem has been fixed by the following patch, which can be cleanly applied to the 5.10 branch.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
From: Nicolas Dichtel nicolas.dichtel@6wind.com
commit 93ec1320b0170d7a207eda2d119c669b673401ed upstream.
As stated in the comment above xfrm_nlmsg_multicast(), rcu read lock must be held before calling this function.
Reported-by: syzbot+3d9866419b4aa8f985d6@syzkaller.appspotmail.com
Fixes: 9856c3a129dd ("xfrm: notify default policy on update")
Signed-off-by: Nicolas Dichtel nicolas.dichtel@6wind.com
Signed-off-by: Steffen Klassert steffen.klassert@secunet.com
Signed-off-by: Fedor Pchelkin pchelkin@ispras.ru
---
 net/xfrm/xfrm_user.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index d9841f44487f..b5a517916895 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1920,6 +1920,7 @@ static int xfrm_notify_userpolicy(struct net *net) int len = NLMSG_ALIGN(sizeof(*up)); struct nlmsghdr *nlh; struct sk_buff *skb; + int err;
skb = nlmsg_new(len, GFP_ATOMIC); if (skb == NULL) @@ -1938,7 +1939,10 @@ static int xfrm_notify_userpolicy(struct net *net)
nlmsg_end(skb, nlh);
- return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); + rcu_read_lock(); + err = xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); + rcu_read_unlock(); + return err; }
static bool xfrm_userpolicy_is_valid(__u8 policy)
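Review bot: in the second hunk, the rcu_read_lock()/rcu_read_unlock() pair is taken only at this call site in xfrm_notify_userpolicy(), while the locking rule itself is, per the commit message, documented only in a comment above xfrm_nlmsg_multicast(). The commit message should name what the read-side section protects inside that function, so a stable reviewer can judge the fix without opening the callee. Since the diff shows a single caller, it is also worth stating that the remaining callers of xfrm_nlmsg_multicast() in the 5.10 tree already run under the RCU read lock. For the backport, confirm that the commit named in the Fixes: tag, 9856c3a129dd, is actually present in 5.10, because the patch is only needed there if that change was itself backported.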
linux-stable-mirror@lists.linaro.org