From: Li RongQing <roy.qing.li@gmail.com>
Date: Wed, 29 Apr 2015 00:42:44 +0000 (+0800)
Subject: xfrm: fix a race in xfrm_state_lookup_byspi
X-Git-Tag: v3.16.35~1884
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8a6f35ac08c49516442e9f1b7551f0094b86c225;p=thirdparty%2Fkernel%2Fstable.git

xfrm: fix a race in xfrm_state_lookup_byspi

commit bdddbf6996c0b9299efc97b8f66e06286f3aa8c9 upstream.

The returned xfrm_state should be hold before unlock xfrm_state_lock,
otherwise the returned xfrm_state maybe be released.

Fixes: c454997e6[{pktgen, xfrm} Introduce xfrm_state_lookup_byspi..]
Cc: Fan Du <fan.du@intel.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Acked-by: Fan Du <fan.du@intel.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 0ab54134bb40b..86f381b09d8dc 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -934,8 +934,8 @@ struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
 			x->id.spi != spi)
 			continue;
 
-		spin_unlock_bh(&net->xfrm.xfrm_state_lock);
 		xfrm_state_hold(x);
+		spin_unlock_bh(&net->xfrm.xfrm_state_lock);
 		return x;
 	}
 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);