From: Leon Romanovsky <leon@kernel.org>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
Boris Pismenny <borisp@mellanox.com>,
"David S. Miller" <davem@davemloft.net>,
Florian Westphal <fw@strlen.de>,
Kristian Evensen <kristian.evensen@gmail.com>,
Raed Salem <raeds@mellanox.com>, Raed Salem <raeds@nvidia.com>,
Saeed Mahameed <saeedm@mellanox.com>,
Yossi Kuperman <yossiku@mellanox.com>,
Network Development <netdev@vger.kernel.org>,
Aviad Yehezkel <aviadye@nvidia.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [PATCH] xfrm: force flush upon NETDEV_UNREGISTER event
Date: Mon, 26 Jan 2026 13:07:12 +0200 [thread overview]
Message-ID: <20260126110712.GJ13967@unreal> (raw)
In-Reply-To: <5811ec38-907e-4788-8a0e-7758f12dc9d0@I-love.SAKURA.ne.jp>
On Thu, Jan 22, 2026 at 10:07:46PM +0900, Tetsuo Handa wrote:
> On 2026/01/22 20:32, Steffen Klassert wrote:
> > On Thu, Jan 22, 2026 at 08:28:31PM +0900, Tetsuo Handa wrote:
> >> On 2026/01/22 20:15, Steffen Klassert wrote:
> >>> Hm, I'd say we should not try to offload to a device that does
> >>> not support NETIF_F_HW_ESP.
> >>
> >> I was about to post the patch below, but you are suggesting that "do not allow calling
> >> xfrm_dev_state_add()/xfrm_dev_policy_add() if (dev->features & NETIF_F_HW_ESP) == 0" ?
> >
> > As said, I think this is the correct way to do it. But let's wait
> > on opinions from the hardware people.
>
> OK. I guess something like below.
>
> net/xfrm/xfrm_device.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
> index 52ae0e034d29..19aa61609d24 100644
> --- a/net/xfrm/xfrm_device.c
> +++ b/net/xfrm/xfrm_device.c
> @@ -292,6 +292,13 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
> dst_release(dst);
> }
>
> + if (!(dev->features & NETIF_F_HW_ESP)) {
> + NL_SET_ERR_MSG(extack, "Device doesn't support offload");
> + xso->dev = NULL;
> + dev_put(dev);
> + return -EINVAL;
> + }
Steffen, Tetsuo
If by "HW people" you mean me, we always set NETIF_F_HW_ESP when adding
the .xfrm_dev_*_add() callbacks.
1334 void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv)
1335 {
1336 struct mlx5_core_dev *mdev = priv->mdev;
1337 struct net_device *netdev = priv->netdev;
1338
1339 if (!mlx5_ipsec_device_caps(mdev))
1340 return;
1341
1342 mlx5_core_info(mdev,
1343 "mlx5e: IPSec ESP acceleration enabled\n");
1344
1345 netdev->xfrmdev_ops = &mlx5e_ipsec_xfrmdev_ops;
1346 netdev->features |= NETIF_F_HW_ESP;
1347 netdev->hw_enc_features |= NETIF_F_HW_ESP;
So we are left with two possibilities: either the device registered XFRM
ops without setting NETIF_F_HW_ESP, or netdev->features was modified
without clearing the xfrmdev_ops pointer.
Which device is triggering the syzcaller crash?
Thanks
> +
> if (!dev->xfrmdev_ops || !dev->xfrmdev_ops->xdo_dev_state_add) {
> xso->dev = NULL;
> dev_put(dev);
> @@ -367,7 +374,8 @@ int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
> if (!dev)
> return -EINVAL;
>
> - if (!dev->xfrmdev_ops || !dev->xfrmdev_ops->xdo_dev_policy_add) {
> + if (!dev->xfrmdev_ops || !dev->xfrmdev_ops->xdo_dev_policy_add ||
> + !(dev->features & NETIF_F_HW_ESP)) {
> xdo->dev = NULL;
> dev_put(dev);
> NL_SET_ERR_MSG(extack, "Policy offload is not supported");
>
>
>
> On 2026/01/22 20:15, Steffen Klassert wrote:
> >> But I have a question regarding security_xfrm_state_delete()/security_xfrm_policy_delete().
> >>
> >> xfrm_dev_state_flush_secctx_check() calls security_xfrm_state_delete() which can make
> >> xfrm_dev_state_flush() no-op by returning an error value.
> >> xfrm_dev_policy_flush_secctx_check() calls security_xfrm_policy_delete() which can make
> >> xfrm_dev_policy_flush() no-op by returning an error value.
> >>
> >> Since xfrm_dev_state_flush()/xfrm_dev_policy_flush() are called by NETDEV_UNREGISTER
> >> event (which is a signal for releasing all resources that prevent "struct net_device"
> >> references from dropping), making xfrm_dev_state_flush()/xfrm_dev_policy_flush() no-op (by
> >> allowing security_xfrm_state_delete()/security_xfrm_policy_delete() to return an error) is
> >> a denial-of-service bug.
> >
> > This means that the calling task doesn't have the permission to delete the
> > state, some LSM has a policy the does not grant this permission.
>
> But NETDEV_UNREGISTER event can fire without explicit request from a user.
> Roughly speaking, current behavior is that
>
> while (security_xfrm_state_delete() != 0) {
> schedule_timeout_uninterruptible(10 * HZ);
> pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
> dev->name, netdev_refcnt_read(dev));
> }
> while (security_xfrm_policy_delete() != 0) {
> schedule_timeout_uninterruptible(10 * HZ);
> pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
> dev->name, netdev_refcnt_read(dev));
> }
>
> might be executed upon e.g. termination of a userspace process.
>
> >
> >>
> >> Therefore, I wonder what are security_xfrm_state_delete() and security_xfrm_policy_delete()
> >> for. Can I kill xfrm_dev_state_flush_secctx_check() and xfrm_dev_policy_flush_secctx_check() ?
> >
> > This might violate a LSM policy then.
>
> But LSM policy that results in system hung upon automatic cleanup logic is so stupid.
> I want to kill xfrm_dev_state_flush_secctx_check() and xfrm_dev_policy_flush_secctx_check()
> in order to eliminate possibility of system hung.
>
next prev parent reply other threads:[~2026-01-26 11:07 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-17 16:03 xfrm: question regarding NETDEV_UNREGISTER handling Tetsuo Handa
2026-01-19 11:19 ` [PATCH] xfrm: force flush upon NETDEV_UNREGISTER event Tetsuo Handa
2026-01-22 8:24 ` Tetsuo Handa
2026-01-22 11:15 ` Steffen Klassert
2026-01-22 11:28 ` Tetsuo Handa
2026-01-22 11:32 ` Steffen Klassert
2026-01-22 13:07 ` Tetsuo Handa
2026-01-26 11:07 ` Leon Romanovsky [this message]
2026-01-26 15:57 ` Tetsuo Handa
2026-01-26 14:16 ` Sabrina Dubroca
2026-01-26 22:41 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260126110712.GJ13967@unreal \
--to=leon@kernel.org \
--cc=aviadye@nvidia.com \
--cc=borisp@mellanox.com \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=herbert@gondor.apana.org.au \
--cc=kristian.evensen@gmail.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=raeds@mellanox.com \
--cc=raeds@nvidia.com \
--cc=saeedm@mellanox.com \
--cc=steffen.klassert@secunet.com \
--cc=yossiku@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.