Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Date:   Tue, 15 Aug 2023 15:51:44 +0800
From:   Herbert Xu <herbert@gondor.apana.org.au>
To:     Leon Romanovsky <leon@kernel.org>
Cc:     Florian Westphal <fw@strlen.de>,
        Dong Chenchen <dongchenchen2@huawei.com>,
        steffen.klassert@secunet.com, davem@davemloft.net,
        edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
        timo.teras@iki.fi, yuehaibing@huawei.com, weiyongjun1@huawei.com,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [Patch net, v2] net: xfrm: skip policies marked as dead while
 reinserting policies
Message-ID: <ZNsukMSQmzmXpgbS@gondor.apana.org.au>
References: <20230814140013.712001-1-dongchenchen2@huawei.com>
 <20230815060026.GE22185@unreal>
 <20230815060454.GA2833@breakpoint.cc>
 <20230815073033.GJ22185@unreal>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20230815073033.GJ22185@unreal>
Precedence: bulk

On Tue, Aug 15, 2023 at 10:30:33AM +0300, Leon Romanovsky wrote:
>
> But policy has, and we are not interested in validity of it as first
> check in if (...) will be true for policy->walk.dead.
> 
> So it is safe to call to dir = xfrm_policy_id2dir(policy->index) even
> for dead policy.

If you dereference policy->index on a walker object it will read memory
before the start of the walker object.  That could do anything, perhaps
even triggering a page fault.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt