Re: [RFC PATCH net-next 3/7] arm64: dts: airoha: add EN7581 SOE node

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Jihong Min" <hurryman2212@gmail.com>
Cc: devicetree@vger.kernel.org, robh@kernel.org, conor+dt@kernel.org
Subject: Re: [RFC PATCH net-next 3/7] arm64: dts: airoha: add EN7581 SOE node
Date: Mon, 15 Jun 2026 04:58:06 +0000	[thread overview]
Message-ID: <20260615045807.17D911F00A3E@smtp.kernel.org> (raw)
In-Reply-To: <20260614040032.1567994-4-hurryman2212@gmail.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Dereferencing `x->xso.dev` without a NULL check in `xfrm_output` can lead to a kernel panic.
--

commit c38a10fca161e28cf54507d8d670ee75e47687df
Author: Jihong Min <hurryman2212@gmail.com>

xfrm: allow packet offload drivers to own transmit

This commit adds an optional xdo_dev_packet_xmit() callback for packet
offload drivers. It allows devices to perform driver-specific transmit
preparation instead of continuing through the regular XFRM output path.
Drivers implementing this callback will consume the skb and return the
final transmit status.

> diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
> index cc35c2fcbbe09..9f11559b02210 100644
> --- a/net/xfrm/xfrm_output.c
> +++ b/net/xfrm/xfrm_output.c
> @@ -770,6 +770,17 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb)
>  	}
>  
>  	if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET) {
> +#ifdef CONFIG_XFRM_OFFLOAD
> +		const struct xfrmdev_ops *ops;
> +#endif
> +
> +#ifdef CONFIG_XFRM_OFFLOAD
> +		ops = x->xso.dev->xfrmdev_ops;

[Severity: High]
Is it possible for x->xso.dev to be NULL here?

During device unregistration, xfrm_dev_state_free() clears xso->dev to NULL
(via WRITE_ONCE) before updating xso->type to XFRM_DEV_OFFLOAD_UNSPECIFIED.
Because xfrm_output() processes packets concurrently without locking, could
a data race occur where the transmit path observes xso.type as
XFRM_DEV_OFFLOAD_PACKET but then reads xso.dev as NULL?

If this happens, wouldn't evaluating ops = x->xso.dev->xfrmdev_ops cause a
NULL pointer dereference regression?

The adjacent xfrm_dev_offload_ok() function seems to anticipate this
concurrent modification by explicitly checking for a NULL dev. Should a
similar NULL check be added here?

> +		/* Callback validates, consumes skb and returns final TX status. */
> +		if (ops && ops->xdo_dev_packet_xmit)
> +			return ops->xdo_dev_packet_xmit(skb, x);
> +#endif
> +
>  		if (!xfrm_dev_offload_ok(skb, x)) {
>  			XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
>  			kfree_skb(skb);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260614040032.1567994-1-hurryman2212@gmail.com?part=3

next prev parent reply	other threads:[~2026-06-15  4:58 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-14  4:00 [RFC PATCH net-next 0/7] net: airoha: add EN7581 SOE ESP packet offload Jihong Min
2026-06-14  4:00 ` [RFC PATCH net-next 1/7] xfrm: allow packet offload drivers to own transmit Jihong Min
2026-06-15  4:58   ` sashiko-bot
2026-06-14  4:00 ` [RFC PATCH net-next 2/7] dt-bindings: net: airoha: add EN7581 SOE Jihong Min
2026-06-14  4:00 ` [RFC PATCH net-next 3/7] arm64: dts: airoha: add EN7581 SOE node Jihong Min
2026-06-15  4:58   ` sashiko-bot [this message]
2026-06-14  4:00 ` [RFC PATCH net-next 4/7] net: airoha: add SOE registers and driver state Jihong Min
2026-06-14  4:00 ` [RFC PATCH net-next 5/7] net: airoha: add QDMA support for SOE packets Jihong Min
2026-06-15  4:58   ` sashiko-bot
2026-06-14  4:00 ` [RFC PATCH net-next 6/7] net: airoha: add PPE support for SOE flows Jihong Min
2026-06-15  4:58   ` sashiko-bot
2026-06-14  4:00 ` [RFC PATCH net-next 7/7] net: airoha: add SOE XFRM packet offload support Jihong Min
2026-06-15  4:58   ` sashiko-bot
2026-06-14  4:18 ` [RFC PATCH net-next 0/7] net: airoha: add EN7581 SOE ESP packet offload Jihong Min

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260615045807.17D911F00A3E@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=hurryman2212@gmail.com \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.