Re: [PATCH 1/7] xfrm: remove policy lock when accessing policy->walk.dead
From: Timo Teräs <hidden>
Date: 2010-03-30 14:01:50
Timo Teräs wrote:
Herbert Xu wrote:
On Tue, Mar 30, 2010 at 07:55:07AM +0300, Timo Teräs wrote:
Herbert Xu wrote:
On Mon, Mar 29, 2010 at 05:12:38PM +0300, Timo Teras wrote:
@@ -1132,7 +1119,7 @@ int xfrm_sk_policy_insert(struct sock *sk,int dir, struct xfrm_policy *pol) __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir); } if (old_pol) - __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir); + old_pol = __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir); write_unlock_bh(&xfrm_policy_lock); if (old_pol) {

So when can this actually fail?

Considering that the socket reference is received from the sk->sk_policy, and the hash bucket we use is "XFRM_POLICY_MAX+dir", it's non-obvious if it can fail or not. It would look like the timer can kill a policy and unlink it, but it would still be found from sk_policy.

Socket policies cannot expire.

Was not aware of that. The above is not needed then.
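
Review bot: At the `old_pol = __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);` line, the unlink result now decides whether the `if (old_pol) {` block after `write_unlock_bh(&xfrm_policy_lock)` runs, but nothing in the hunk says what a NULL return means or when it can happen for a socket policy. A short comment at the assignment naming the case it guards against (per the follow-up in this thread, deletion of a socket policy through xfrm_policy_byid()) would make the intent clear. It is also worth confirming that skipping the `if (old_pol) {` block in that case is safe for the policy the socket was still pointing at.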

Since the exported function xfrm_policy_byid() can result in deletion of socket policy, it's safer to leave this change in. This can even be triggered via xfrm_user since it does not check 'dir' for the policy expired message it handles. Any custom module could do similar harm.