fdb4fba1ba
[ Upstream commit f85daf0e725358be78dfd208dea5fd665d8cb901 ]
xfrm_policy_lookup() will call xfrm_pol_hold_rcu() to get a refcount of
pols[0]. This refcount can be dropped in xfrm_expand_policies() when
xfrm_expand_policies() return error. pols[0]'s refcount is balanced in
here. But xfrm_bundle_lookup() will also call xfrm_pols_put() with
num_pols == 1 to drop this refcount when xfrm_expand_policies() return
error.
This patch also fix an illegal address access. pols[0] will save a error
point when xfrm_policy_lookup fails. This lead to xfrm_pols_put to resolve
an illegal address in xfrm_bundle_lookup's error path.
Fix these by setting num_pols = 0 in xfrm_expand_policies()'s error path.
Fixes:
|
||
---|---|---|
.. | ||
Kconfig | ||
Makefile | ||
xfrm_algo.c | ||
xfrm_device.c | ||
xfrm_hash.c | ||
xfrm_hash.h | ||
xfrm_input.c | ||
xfrm_interface.c | ||
xfrm_ipcomp.c | ||
xfrm_output.c | ||
xfrm_policy.c | ||
xfrm_proc.c | ||
xfrm_replay.c | ||
xfrm_state.c | ||
xfrm_sysctl.c | ||
xfrm_user.c |