Re: xfrm: Possible refcount bug in xfrm_dev_state_add() ?

[Leon Romanovsky <leon@kernel.org>]

On Sat, Jan 17, 2026 at 08:00:16PM +0900, Tetsuo Handa wrote:
> Just browsing call trace for
> 
>   unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2
>   ref_tracker: netdev@ffff888052f24618 has 1/1 users at
>        __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]
>        netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]
>        xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316
>        xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]
>        xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022
>        xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507
>        netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550
>        xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529
>        netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
>        netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344
>        netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894
>        sock_sendmsg_nosec net/socket.c:727 [inline]
>        __sock_sendmsg net/socket.c:742 [inline]
>        ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592
>        ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646
>        __sys_sendmsg+0x16d/0x220 net/socket.c:2678
>        do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>        do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
>        entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> problem, I noticed a different-but-possible refcount bug.
> 
> Commit 67a63387b141 ("xfrm: Fix negative device refcount on offload failure.")
> resets xso->dev to NULL. Commit 50bd870a9e5c ("xfrm: Add ESN support for IPSec
> HW offload") also resets xso->dev to NULL. Then, why not commit 585b64f5a620
> ("xfrm: delay initialization of offload path till its actually requested") also
> resets xso->dev to NULL (like shown below) ? (Note that I don't know the
> background of these commits...)
> 
> diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
> index 52ae0e034d29..daa640f1ff9c 100644
> --- a/net/xfrm/xfrm_device.c
> +++ b/net/xfrm/xfrm_device.c
> @@ -308,6 +308,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
>  
>  	if (!x->type_offload) {
>  		NL_SET_ERR_MSG(extack, "Type doesn't support offload");
> +		xso->dev = NULL;

I do not expect this change to have any visible impact. After this failure,
the xso object should not be reused, so setting "xso->dev = NULL" is likely
unnecessary as well.

Thanks

>  		dev_put(dev);
>  		return -EINVAL;
>  	}
>