2023-01-14 21:26:19

by Fedor Pchelkin

Subject: [PATCH 5.10 0/1] xfrm: fix rcu lock in xfrm_notify_userpolicy()

Syzkaller reports suspicious RCU usage in xfrm_set_default in 5.10 stable
releases. The problem has been fixed by the following patch, which can be
cleanly applied to the 5.10 branch.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.


2023-01-14 21:37:31

by Fedor Pchelkin

Subject: [PATCH 5.10 1/1] xfrm: fix rcu lock in xfrm_notify_userpolicy()

From: Nicolas Dichtel <[email protected]>

commit 93ec1320b0170d7a207eda2d119c669b673401ed upstream.

As stated in the comment above xfrm_nlmsg_multicast(), rcu read lock must
be held before calling this function.

Reported-by: [email protected]
Fixes: 9856c3a129dd ("xfrm: notify default policy on update")
Signed-off-by: Nicolas Dichtel <[email protected]>
Signed-off-by: Steffen Klassert <[email protected]>
Signed-off-by: Fedor Pchelkin <[email protected]>
---
net/xfrm/xfrm_user.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index d9841f44487f..b5a517916895 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1920,6 +1920,7 @@ static int xfrm_notify_userpolicy(struct net *net)
int len = NLMSG_ALIGN(sizeof(*up));
struct nlmsghdr *nlh;
struct sk_buff *skb;
+ int err;

skb = nlmsg_new(len, GFP_ATOMIC);
if (skb == NULL)
@@ -1938,7 +1939,10 @@ static int xfrm_notify_userpolicy(struct net *net)

nlmsg_end(skb, nlh);

- return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY);
+ rcu_read_lock();
+ err = xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY);
+ rcu_read_unlock();
+ return err;
}

static bool xfrm_userpolicy_is_valid(__u8 policy)
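
Review bot: the changelog does not say which call path reaches xfrm_notify_userpolicy() without the RCU read lock that the new rcu_read_lock()/rcu_read_unlock() pair around xfrm_nlmsg_multicast() now supplies. The cover letter names xfrm_set_default as the site of the Syzkaller report, and recording that in the commit message would help anyone checking whether another stable tree is affected. The scope of the read-side section is tight: only the multicast call sits inside it, and saving the result in err means the unlock runs on both the success and the failure return. Since the function has no other return after nlmsg_end(), no exit path is left holding the lock.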
--
2.34.1