From: Nicolas Dichtel To: steffen.klassert@secunet.com, syzbot+3d9866419b4aa8f985d6@syzkaller.appspotmail.com Cc: davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, netdev@vger.kernel.org, Nicolas Dichtel Subject: [PATCH ipsec] xfrm: fix rcu lock in xfrm_notify_userpolicy() Date: Wed, 22 Sep 2021 10:50:06 +0200 Message-Id: <20210922085006.13570-1-nicolas.dichtel@6wind.com> X-Mailer: git-send-email 2.33.0 In-Reply-To: <0000000000003533d205cc8a624b@google.com> References: <0000000000003533d205cc8a624b@google.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org As stated in the comment above xfrm_nlmsg_multicast(), rcu read lock must be held before calling this function. Reported-by: syzbot+3d9866419b4aa8f985d6@syzkaller.appspotmail.com Fixes: 703b94b93c19 ("xfrm: notify default policy on update") Signed-off-by: Nicolas Dichtel --- net/xfrm/xfrm_user.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 0eba0c27c665..3a3cb09eec12 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1967,6 +1967,7 @@ static int xfrm_notify_userpolicy(struct net *net) int len = NLMSG_ALIGN(sizeof(*up)); struct nlmsghdr *nlh; struct sk_buff *skb; + int err; skb = nlmsg_new(len, GFP_ATOMIC); if (skb == NULL) @@ -1988,7 +1989,11 @@ static int xfrm_notify_userpolicy(struct net *net) nlmsg_end(skb, nlh); - return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); + rcu_read_lock(); + err = xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY); + rcu_read_unlock(); + + return err; } static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh, -- 2.33.0
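
Review bot: The changelog gives the locking rule but not the failure syzbot reported, so in the second hunk, where rcu_read_lock()/rcu_read_unlock() now bracket xfrm_nlmsg_multicast(), a backporter has nothing to match against a splat; consider quoting the warning line from the report in the commit message. The pair is taken only after nlmsg_end(), so the skb == NULL return visible in the first hunk's context cannot leave the read lock held, and err is returned only after the unlock, which is the right order. The nlmsg_new(len, GFP_ATOMIC) allocation stays outside the read-side section; whether the callers actually need an atomic allocation there is worth confirming separately rather than in this fix.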