[PATCH] xfrm: iptfs: fix deadlock in iptfs_destroy_state

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dudu Lu <phx0fer@gmail.com>
To: netdev@vger.kernel.org
Cc: steffen.klassert@secunet.com, herbert@gondor.apana.org.au,
	davem@davemloft.net, Dudu Lu <phx0fer@gmail.com>
Subject: [PATCH] xfrm: iptfs: fix deadlock in iptfs_destroy_state
Date: Mon, 13 Apr 2026 16:51:38 +0800	[thread overview]
Message-ID: <20260413085138.72623-1-phx0fer@gmail.com> (raw)

iptfs_destroy_state() acquires x->lock (spin_lock_bh) and then calls
hrtimer_cancel(&xtfs->iptfs_timer). The timer callback
iptfs_delay_timer() also acquires x->lock (spin_lock). If the timer
fires on another CPU during destroy, hrtimer_cancel() waits for the
callback to complete, but the callback is blocked trying to acquire
the same lock — a classic ABBA deadlock.

The same pattern exists for drop_timer: destroy holds drop_lock and
calls hrtimer_cancel(&xtfs->drop_timer), while iptfs_drop_timer()
also acquires drop_lock.

Fix by cancelling the timers before acquiring the locks. The timer
callbacks check for state validity, so a late cancel is safe. The
queue splice is still done under the lock for consistency.

Fixes: 4b3faf610cc6 ("xfrm: iptfs: add new iptfs xfrm mode impl")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
---
 net/xfrm/xfrm_iptfs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/xfrm/xfrm_iptfs.c b/net/xfrm/xfrm_iptfs.c
index 97bc979e55ba..11291b87158c 100644
--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -2708,8 +2708,10 @@ static void iptfs_destroy_state(struct xfrm_state *x)
 	if (!xtfs)
 		return;

-	spin_lock_bh(&xtfs->x->lock);
 	hrtimer_cancel(&xtfs->iptfs_timer);
+	hrtimer_cancel(&xtfs->drop_timer);
+
+	spin_lock_bh(&xtfs->x->lock);
 	__skb_queue_head_init(&list);
 	skb_queue_splice_init(&xtfs->queue, &list);
 	spin_unlock_bh(&xtfs->x->lock);
@@ -2717,9 +2719,7 @@ static void iptfs_destroy_state(struct xfrm_state *x)
 	while ((skb = __skb_dequeue(&list)))
 		kfree_skb(skb);

-	spin_lock_bh(&xtfs->drop_lock);
-	hrtimer_cancel(&xtfs->drop_timer);
-	spin_unlock_bh(&xtfs->drop_lock);
+	/* drop_timer already cancelled above */

 	if (xtfs->ra_newskb)
 		kfree_skb(xtfs->ra_newskb);
-- 
2.39.3 (Apple Git-145)

next             reply	other threads:[~2026-04-13  8:51 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-13  8:51 Dudu Lu [this message]
2026-04-15 14:35 ` [PATCH] xfrm: iptfs: fix deadlock in iptfs_destroy_state Simon Horman

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:97bc979e55b dfblob:11291b87158 )
 OR (
bs:"[PATCH] xfrm: iptfs: fix deadlock in iptfs_destroy_state" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260413085138.72623-1-phx0fer@gmail.com \
    --to=phx0fer@gmail.com \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=netdev@vger.kernel.org \
    --cc=steffen.klassert@secunet.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.