Re: [PATCH net v2] xfrm: always flush state and policy upon NETDEV_UNREGISTER event

[Steffen Klassert <steffen.klassert@secunet.com>]

On Fri, Jan 30, 2026 at 07:42:47PM +0900, Tetsuo Handa wrote:
> syzbot is reporting that "struct xfrm_state" refcount is leaking.
> 
>   unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2
>   ref_tracker: netdev@ffff888052f24618 has 1/1 users at
>        __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]
>        netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]
>        xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316
>        xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]
>        xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022
>        xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507
>        netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550
>        xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529
>        netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
>        netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344
>        netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894
>        sock_sendmsg_nosec net/socket.c:727 [inline]
>        __sock_sendmsg net/socket.c:742 [inline]
>        ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592
>        ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646
>        __sys_sendmsg+0x16d/0x220 net/socket.c:2678
>        do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>        do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
>        entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> This is because commit d77e38e612a0 ("xfrm: Add an IPsec hardware
> offloading API") implemented xfrm_dev_unregister() as no-op despite
> xfrm_dev_state_add() from xfrm_state_construct() acquires a reference
> to "struct net_device".
> I guess that that commit expected that NETDEV_DOWN event is fired before
> NETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add()
> is called only if (dev->features & NETIF_F_HW_ESP) != 0.
> 
> Sabrina Dubroca identified steps to reproduce the same symptoms as below.
> 
>   echo 0 > /sys/bus/netdevsim/new_device
>   dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)
>   ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \
>      spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128   \
>      offload crypto dev $dev dir out
>   ethtool -K $dev esp-hw-offload off
>   echo 0 > /sys/bus/netdevsim/del_device
> 
> Like these steps indicate, the NETIF_F_HW_ESP bit can be cleared after
> xfrm_dev_state_add() acquired a reference to "struct net_device".
> Also, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit
> when acquiring a reference to "struct net_device".
> 
> Commit 03891f820c21 ("xfrm: handle NETDEV_UNREGISTER for xfrm device")
> re-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that
> commit for unknown reason chose to share xfrm_dev_down() between the
> NETDEV_DOWN event and the NETDEV_UNREGISTER event.
> I guess that that commit missed the behavior in the previous paragraph.
> 
> Therefore, we need to re-introduce xfrm_dev_unregister() in order to
> release the reference to "struct net_device" by unconditionally flushing
> state and policy.
> 
> Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84
> Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
> Cc: Sabrina Dubroca <sd@queasysnail.net>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

Now applied to the ipsec tree, thanks a lot!