Re: [PATCH ipsec] xfrm: policy: use hlist_del_init_rcu in xfrm_hash_rebuild to avoid bydst poison
From: Florian Westphal <fw@strlen.de>
Date: 2026-07-03 03:58:37
Xiang Mei [off-list ref] wrote:
Agreed, and my patch hides it instead of avoiding it. The problem is
the prep loop's guard is inverted:
if (policy->selector.prefixlen_d < dbits ||
policy->selector.prefixlen_s < sbits)
continue;
That skips exactly the policies reinserted via the tree (prefixlen <
threshold => policy_hash_bysel() NULL => xfrm_policy_inexact_insert()),Indeed.
locates for the exact ones instead, which never allocate and get
pruned again at out_unlock. So the inexact bin/node is allocated GFP_ATOMIC
after the hlist_del_rcu(), and that's the failure the WARN catches.
The reproducer lowers then raises the threshold so those bins are pruned
and reallocated during reinsert; failslab just makes the failure
deterministic, OOM would do the same.
v2 inverts the guard so prep prepares the set that's actually reinserted:
- if (policy->selector.prefixlen_d < dbits ||
- policy->selector.prefixlen_s < sbits)
+ if (policy->selector.prefixlen_d >= dbits &&
+ policy->selector.prefixlen_s >= sbits)
continue;Much better!
I checked the new patch on the reproducer, and the crash can't be triggered. If you agree with this new patch, I'll send this as v2.
Please do, thanks!