)]}'
{
  "commit": "7f2d76c9c03257c0782afef9d95321fa04096f60",
  "tree": "555b0a0dfaf8314c600dd70229d440b394cdd122",
  "parents": [
    "eb48730bb827d1550401a5d391903f9d90b493c8"
  ],
  "author": {
    "name": "Sanghyun Park",
    "email": "sanghyun.park.cnu@gmail.com",
    "time": "Tue Jun 02 18:49:05 2026 +0900"
  },
  "committer": {
    "name": "Steffen Klassert",
    "email": "steffen.klassert@secunet.com",
    "time": "Thu Jun 04 11:55:22 2026 +0200"
  },
  "message": "xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()\n\nFix the race by pruning the bin while still holding xfrm_policy_lock,\nbefore dropping it. Use __xfrm_policy_inexact_prune_bin() directly since\nthe lock is already held. The wrapper xfrm_policy_inexact_prune_bin()\nbecomes unused and is removed.\n\nRace:\n\n  CPU0 (XFRM_MSG_DELPOLICY)           CPU1 (XFRM_MSG_NEWSPDINFO)\n  \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d          \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n  xfrm_policy_bysel_ctx():\n    spin_lock_bh(xfrm_policy_lock)\n    bin \u003d xfrm_policy_inexact_lookup()\n    __xfrm_policy_unlink(pol)\n    spin_unlock_bh(xfrm_policy_lock)\n    xfrm_policy_kill(ret)\n    // wide window, lock not held\n                                       xfrm_hash_rebuild():\n                                         spin_lock_bh(xfrm_policy_lock)\n                                         __xfrm_policy_inexact_flush():\n                                           kfree_rcu(bin)  // bin freed\n                                         spin_unlock_bh(xfrm_policy_lock)\n    xfrm_policy_inexact_prune_bin(bin)\n    // UAF: bin is freed\n\nFixes: 6be3b0db6db8 (\"xfrm: policy: add inexact policy search tree infrastructure\")\nSigned-off-by: Sanghyun Park \u003csanghyun.park.cnu@gmail.com\u003e\nSigned-off-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "dd09d2063da2d68cd40b72d7a944ed24286b942d",
      "old_mode": 33188,
      "old_path": "net/xfrm/xfrm_policy.c",
      "new_id": "95954442569290719b9fdb7b0f9462d70b5d755e",
      "new_mode": 33188,
      "new_path": "net/xfrm/xfrm_policy.c"
    }
  ]
}