From: Simon Horman <horms@kernel.org>
To: dongchenchen2@huawei.com
Cc: 'Simon Horman' <horms@kernel.org>,
steffen.klassert@secunet.com, herbert@gondor.apana.org.au,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, tpluszz77@gmail.com, netdev@vger.kernel.org,
zhangchangzhong@huawei.com
Subject: Re: [PATCH net] net: xfrm: Fix dev refcnt leak in async resumption
Date: Wed, 13 May 2026 18:07:56 +0100 [thread overview]
Message-ID: <20260513170755.253159-2-horms@kernel.org> (raw)
In-Reply-To: <20260509074443.104163-1-dongchenchen2@huawei.com>
From: 'Simon Horman' <horms@kernel.org>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
net: xfrm: Fix dev refcnt leak in async resumption
This commit adds a dev_put() to the return path of xfrm_input() when afinfo
is NULL during asynchronous resumption, aiming to prevent a device reference
leak.
> diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
> index f65291eba1f68..c98a29d80a534 100644
> --- a/net/xfrm/xfrm_input.c
> +++ b/net/xfrm/xfrm_input.c
> @@ -765,6 +765,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
> return err;
This return is reached when xfrm_gro is true and gro_cells_receive() has
just consumed the skb.
If afinfo is NULL, err remains -EAFNOSUPPORT (-97).
When a negative error is returned back to the synchronous IPv4 input path
(ip_protocol_deliver_rcu), doesn't the IP stack typically resubmit the
packet using the negated error code (-err = 97) as the protocol number?
Could this cause a use-after-free when the IP stack attempts to dereference
the already-consumed skb?
Also, since transport_finish() was skipped, could this inject an skb with
unreset headers into the GRO engine?
Would it be safer to jump to the drop label immediately if !afinfo?
> }
>
> + if (unlikely(!afinfo) && async)
> + dev_put(skb->dev);
> return err;
In the asynchronous path, callers like the bottom-half crypto completion
callbacks return void and ignore the return value of xfrm_input():
net/ipv4/esp4.c:esp_input_done2() {
...
xfrm_input_resume(skb, err);
}
Does this code leak the skb memory?
Returning an error here drops the device reference but appears to leave the
skb un-freed, as it is never passed to the next protocol layer or explicitly
freed via kfree_skb() or by jumping to the drop label.
> }
>
next prev parent reply other threads:[~2026-05-13 17:13 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-09 7:44 [PATCH net] net: xfrm: Fix dev refcnt leak in async resumption Dong Chenchen
2026-05-13 17:07 ` Simon Horman [this message]
2026-05-14 3:43 ` dongchenchen (A)
2026-05-14 4:53 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260513170755.253159-2-horms@kernel.org \
--to=horms@kernel.org \
--cc=davem@davemloft.net \
--cc=dongchenchen2@huawei.com \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=steffen.klassert@secunet.com \
--cc=tpluszz77@gmail.com \
--cc=zhangchangzhong@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.