Commit "xfrm: policy: Read seqcount outside of rcu-read side in xfrm_policy_lookup_bytype" [Linked] resolved a locking bug in xfrm_policy_lookup_bytype that causes an RCU reader-writer deadlock on the mutex wrapped by xfrm_policy_hash_generation on PREEMPT_RT since 77cc278f7b20 ("xfrm: policy: Use sequence counters with associated lock"). However, xfrm_sk_policy_lookup can still reach xfrm_policy_lookup_bytype while holding rcu_read_lock(), as: xfrm_sk_policy_lookup() rcu_read_lock() security_xfrm_policy_lookup() xfrm_policy_lookup() xfrm_policy_lookup_bytype() read_seqcount_begin() mutex_lock(&hash_resize_mutex) This results in the same deadlock on hash_resize_mutex, where xfrm_hash_resize is holding the mutex and sleeping inside synchronize_rcu, and xfrm_policy_lookup_bytype blocks on the mutex inside the RCU read side critical section. To resolve this, shorten the RCU read side critical section within xfrm_sk_policy_lookup by taking a reference on the associated xfrm_policy, and avoid calling xfrm_policy_lookup_bytype with the rcu_read_lock() held. Fixes: 77cc278f7b20 ("xfrm: policy: Use sequence counters with associated lock") Link: https://lore.kernel.org/r/20210528160407.32127-1-varad.gautam@xxxxxxxx/ Signed-off-by: Varad Gautam <varad.gautam@xxxxxxxx> Cc: stable@xxxxxxxxxxxxxxx # v5.9 --- net/xfrm/xfrm_policy.c | 65 +++++++++++++++++++++++------------------- 1 file changed, 35 insertions(+), 30 deletions(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 0b7409f19ecb1..28e072007c72d 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2152,42 +2152,47 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir, u16 family, u32 if_id) { struct xfrm_policy *pol; + bool match; + int err = 0; - rcu_read_lock(); again: + rcu_read_lock(); pol = rcu_dereference(sk->sk_policy[dir]); - if (pol != NULL) { - bool match; - int err = 0; - - if (pol->family != family) { - pol = NULL; - goto out; - } + if (pol == NULL) { + rcu_read_unlock(); + goto out; + } - match = xfrm_selector_match(&pol->selector, fl, family); - if (match) { - if ((sk->sk_mark & pol->mark.m) != pol->mark.v || - pol->if_id != if_id) { - pol = NULL; - goto out; - } - err = security_xfrm_policy_lookup(pol->security, - fl->flowi_secid, - dir); - if (!err) { - if (!xfrm_pol_hold_rcu(pol)) - goto again; - } else if (err == -ESRCH) { - pol = NULL; - } else { - pol = ERR_PTR(err); - } - } else - pol = NULL; + /* Take a reference on this pol and call rcu_read_unlock(). */ + if (!xfrm_pol_hold_rcu(pol)) { + rcu_read_unlock(); + goto again; } -out: rcu_read_unlock(); + + if (pol->family != family) + goto out_put; + + match = xfrm_selector_match(&pol->selector, fl, family); + if (!match) + goto out_put; + + if ((sk->sk_mark & pol->mark.m) != pol->mark.v || + pol->if_id != if_id) + goto out_put; + + err = security_xfrm_policy_lookup(pol->security, + fl->flowi_secid, + dir); + if (!err) { + /* Safe to return, we have a ref on pol. */ + goto out; + } + + out_put: + xfrm_pol_put(pol); + pol = (err && err != -ESRCH) ? ERR_PTR(err) : NULL; + out: return pol; } -- 2.30.2