Description: In xfrm6_tunnel_free_spi of net/ipv6/xfrm6_tunnel.c, there is a possible use after free due to improper locking
References:
 https://source.android.com/security/bulletin/pixel/2020-12-01
Notes:
 carnil> From contact with the Android security team we only know:
 carnil> Android Security team did some research on the 4.14.y series
 carnil> which they use in this product and found that apparently a code
 carnil> change between 4.14.170 and 4.14.180 fixed the issue. It was
 carnil> though not clear exactly which change resolved the
 carnil> vulnerability. For 4.14.y it is believed that all versions from
 carnil> 4.14.180 up are fixed. This still leaves open which is/are the
 carnil> upstream commits addressing the issue and so to determine the
 carnil> state for the other branches.
 carnil> Could it be possibly related to 4c59406ed003 ("xfrm: policy:
 carnil> Fix doulbe free in xfrm_policy_timer") which was 5.6, 5.5.14,
 carnil> 5.4.29, 4.19.114, 4.14.175, 4.9.218 and 4.4.218?
 carnil> Android Security team indicated that this indeed seems a good
 carnil> candidate.
 bwh> Commit 4c59406ed003 fixes double-free of xfrm_policy, but I'm
 bwh> not sure how it relates to a use-after-free in xfrm6_tunnel
 bwh> (xfrm6_tunnel_free_spi() is called via __xfrm_state_destroy(),
 bwh> via xfrm_state_put(), so what calls that?). However I agree
 bwh> it is the only commit in that range that could plausibly have
 bwh> fixed the issue.
Bugs:
upstream: released (5.6) [4c59406ed00379c8663f8663d82b2537467ce9d7]
5.10-upstream-stable: N/A "Fixed before branch point"
4.19-upstream-stable: released (4.19.114) [7ad217a824f7fab1e8534a6dfa82899ae1900bcb]
4.9-upstream-stable: released (4.9.218) [86e98ce7de083649e330d518e98a80b9e39b5d43]
sid: released (5.5.17-1)
4.19-buster-security: released (4.19.118-1)
4.9-stretch-security: released (4.9.228-1)