xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()

author Sanghyun Park <sanghyun.park.cnu@gmail.com>

Tue, 2 Jun 2026 09:49:05 +0000 (18:49 +0900)

committer Steffen Klassert <steffen.klassert@secunet.com>

Thu, 4 Jun 2026 09:55:22 +0000 (11:55 +0200)
author Sanghyun Park <sanghyun.park.cnu@gmail.com>
Tue, 2 Jun 2026 09:49:05 +0000 (18:49 +0900)
committer Steffen Klassert <steffen.klassert@secunet.com>
Thu, 4 Jun 2026 09:55:22 +0000 (11:55 +0200)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c

index dd09d2063da2d68cd40b72d7a944ed24286b942d..95954442569290719b9fdb7b0f9462d70b5d755e 100644 (file)
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1156,15 +1156,6 @@ static void __xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b, bool
         }
  }
  
-static void xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b)
-{
-       struct net *net = read_pnet(&b->k.net);
-
-       spin_lock_bh(&net->xfrm.xfrm_policy_lock);
-       __xfrm_policy_inexact_prune_bin(b, false);
-       spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
-}
-
  static void __xfrm_policy_inexact_flush(struct net *net)
  {
         struct xfrm_pol_inexact_bin *bin, *t;
@@ -1707,12 +1698,12 @@ xfrm_policy_bysel_ctx(struct net *net, const struct xfrm_mark *mark, u32 if_id,
                 }
                 ret = pol;
         }
+       if (bin && delete)
+               __xfrm_policy_inexact_prune_bin(bin, false);
         spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
  
         if (ret && delete)
                 xfrm_policy_kill(ret);
-       if (bin && delete)
-               xfrm_policy_inexact_prune_bin(bin);
         return ret;
  }
  EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
author	Sanghyun Park <sanghyun.park.cnu@gmail.com>
	Tue, 2 Jun 2026 09:49:05 +0000 (18:49 +0900)
committer	Steffen Klassert <steffen.klassert@secunet.com>
	Thu, 4 Jun 2026 09:55:22 +0000 (11:55 +0200)