From: Petr Wozniak <petr.wozniak@gmail.com>
To: netdev@vger.kernel.org, sd@queasysnail.net
Cc: steffen.klassert@secunet.com, herbert@gondor.apana.org.au,
kuba@kernel.org, horms@kernel.org, pabeni@redhat.com,
edumazet@google.com, davem@davemloft.net
Subject: Re: [PATCH net v4] xfrm: propagate -EINPROGRESS from validate_xmit_xfrm()
Date: Sun, 21 Jun 2026 12:06:31 +0200 [thread overview]
Message-ID: <178203639130.40316.5573016895988206218@gmail.com> (raw)
In-Reply-To: <20260603064659.3867-1-petr.wozniak@gmail.com>
Reposting on the list, as you asked.
Apologies for missing your comment about the 2nd x->type_offload->xmit()
call across several versions -- entirely my fault.
You're right: in the skb_list_walk_safe() loop, if all GSO segments
return -EINPROGRESS, skb is advanced to NULL and the function returns
NULL instead of ERR_PTR(-EINPROGRESS). v5 1/2 fixes it:
- return skb;
+ return skb ? skb : ERR_PTR(-EINPROGRESS);
At that point NULL can only mean all segments were stolen -- the error
path (err != -EINPROGRESS) returns NULL directly from inside the loop.
v5 1/2 also restores the blank line in validate_xmit_skb_list() and adds
the missing maintainers to Cc.
For the use-after-free I mentioned: I confirmed it. validate_xmit_xfrm()
unlinks async-stolen segments but never updates the list head ->prev, so
when the last segment is stolen, validate_xmit_skb_list() chains onto it
via tail->next. v5 2/2 fixes it by repointing skb->prev at the last
retained segment. As you suggested, the two fixes go as a series.
I could not confirm the head-list leak on a closer look, so I left it
out; I'll send a separate patch if I find it.
The v5 series has been sent.
Thanks,
Petr
prev parent reply other threads:[~2026-06-21 10:06 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-03 6:46 [PATCH net v4] xfrm: propagate -EINPROGRESS from validate_xmit_xfrm() Petr Wozniak
2026-06-04 11:29 ` Sabrina Dubroca
2026-06-21 10:03 ` [PATCH net v5 0/2] xfrm: fix async crypto (-EINPROGRESS) handling in validate_xmit_xfrm() Petr Wozniak
2026-06-21 10:03 ` [PATCH net v5 1/2] xfrm: propagate -EINPROGRESS from validate_xmit_xfrm() Petr Wozniak
2026-06-21 10:03 ` [PATCH net v5 2/2] xfrm: fix stale skb->prev after async crypto steals a GSO segment Petr Wozniak
2026-06-30 14:01 ` [PATCH net v5 0/2] xfrm: fix async crypto (-EINPROGRESS) handling in validate_xmit_xfrm() Steffen Klassert
2026-06-21 10:06 ` Petr Wozniak [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178203639130.40316.5573016895988206218@gmail.com \
--to=petr.wozniak@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sd@queasysnail.net \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.