AZL-58000

In the Linux kernel, the following vulnerability has been resolved:

xfrm: state: fix out-of-bounds read during lookup

lookup and resize can run in parallel.

The xfrmstatehash_generation seqlock ensures a retry, but the hash functions can observe a hmask value that is too large for the new hlist array.

rehash does: rcuassignpointer(net->xfrm.statebydst, ndst) [..] net->xfrm.statehmask = nhashmask;

While state lookup does: h = xfrmdsthash(net, daddr, saddr, tmpl->reqid, encapfamily); hlistforeachentryrcu(x, net->xfrm.statebydst + h, bydst) {

This is only safe in case the update to statebydst is larger than net->xfrm.xfrmstate_hmask (or if the lookup function gets serialized via state spinlock again).

Fix this by prefetching statehmask and the associated pointers. The xfrmstatehashgeneration seqlock retry will ensure that the pointer and the hmask will be consistent.

The existing helpers, like xfrmdsthash(), are now unsafe for RCU side, add lockdep assertions to document that they are only safe for insert side.

xfrmstatelookup_byaddr() uses the spinlock rather than RCU. AFAICS this is an oversight from back when state lookup was converted to RCU, this lock should be replaced with RCU in a future patch.