    xfrm: fix race between netns cleanup and state expire notification · 3f8fd8ad
    Michal Kubecek authored
    commit 21ee543e upstream.
    
    The xfrm_user module registers its pernet init/exit after xfrm
    itself so that its net exit function xfrm_user_net_exit() is
    executed before xfrm_net_exit() which calls xfrm_state_fini() to
    cleanup the SA's (xfrm states). This opens a window between
    zeroing net->xfrm.nlsk pointer and deleting all xfrm_state
    instances which may access it (via the timer). If an xfrm state
    expires in this window, xfrm_exp_state_notify() will pass null
    pointer as socket to nlmsg_multicast().
    
    As the notifications are called inside rcu_read_lock() block, it
    is sufficient to retrieve the nlsk socket with rcu_dereference()
    and check it for null.
    
    Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
xfrm_user.c 70.6 KB