Re: [PATCH net] net: xfrm: Fix dev refcnt leak in async resumption

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "dongchenchen (A)" <dongchenchen2@huawei.com>
To: Simon Horman <horms@kernel.org>
Cc: <steffen.klassert@secunet.com>, <herbert@gondor.apana.org.au>,
	<davem@davemloft.net>, <edumazet@google.com>, <kuba@kernel.org>,
	<pabeni@redhat.com>, <tpluszz77@gmail.com>,
	<netdev@vger.kernel.org>, <zhangchangzhong@huawei.com>
Subject: Re: [PATCH net] net: xfrm: Fix dev refcnt leak in async resumption
Date: Thu, 14 May 2026 11:43:47 +0800	[thread overview]
Message-ID: <c37967eb-7b98-4765-b166-9b6857a70b1f@huawei.com> (raw)
In-Reply-To: <20260513170755.253159-2-horms@kernel.org>


> From: 'Simon Horman' <horms@kernel.org>
>
> This is an AI-generated review of your patch. The human sending this
> email has considered the AI review valid, or at least plausible.
> Full review at: https://sashiko.dev
> ---
> net: xfrm: Fix dev refcnt leak in async resumption
>
> This commit adds a dev_put() to the return path of xfrm_input() when afinfo
> is NULL during asynchronous resumption, aiming to prevent a device reference
> leak.
>
>> diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
>> index f65291eba1f68..c98a29d80a534 100644
>> --- a/net/xfrm/xfrm_input.c
>> +++ b/net/xfrm/xfrm_input.c
>> @@ -765,6 +765,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
>>   			return err;
> This return is reached when xfrm_gro is true and gro_cells_receive() has
> just consumed the skb.
>
> If afinfo is NULL, err remains -EAFNOSUPPORT (-97).
>
> When a negative error is returned back to the synchronous IPv4 input path
> (ip_protocol_deliver_rcu), doesn't the IP stack typically resubmit the
> packet using the negated error code (-err = 97) as the protocol number?
>
> Could this cause a use-after-free when the IP stack attempts to dereference
> the already-consumed skb?
>
> Also, since transport_finish() was skipped, could this inject an skb with
> unreset headers into the GRO engine?
>
> Would it be safer to jump to the drop label immediately if !afinfo?
>
>>   		}
>>   
>> +		if (unlikely(!afinfo) && async)
>> +			dev_put(skb->dev);
>>   		return err;
> In the asynchronous path, callers like the bottom-half crypto completion
> callbacks return void and ignore the return value of xfrm_input():
>
> net/ipv4/esp4.c:esp_input_done2() {
>      ...
>      xfrm_input_resume(skb, err);
> }
>
> Does this code leak the skb memory?
>
> Returning an error here drops the device reference but appears to leave the
> skb un-freed, as it is never passed to the next protocol layer or explicitly
> freed via kfree_skb() or by jumping to the drop label.

Yes, indeed.
We need to perform the goto drop operation before xfrm_gro is determined
to fix the skb leakage and the problem that xfrm_gro does not unset the
header. as bellow:

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index f65291eba1f6..109ee8893761 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -750,8 +750,12 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
                 err = -EAFNOSUPPORT;
                 rcu_read_lock();
                 afinfo = xfrm_state_afinfo_get_rcu(x->props.family);
-               if (likely(afinfo))
+               if (likely(afinfo)) {
                         err = afinfo->transport_finish(skb, xfrm_gro || async);
+               } else {
+                       rcu_read_unlock();
+                       goto drop;
+               }
                 rcu_read_unlock();
                 if (xfrm_gro) {
                         sp = skb_sec_path(skb);

Thanks a lot for your review! v2 will be submit
-------
Best regards
Dong Chenchen

>>   	}
>>

next prev parent reply	other threads:[~2026-05-14  3:43 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-09  7:44 [PATCH net] net: xfrm: Fix dev refcnt leak in async resumption Dong Chenchen
2026-05-13 17:07 ` Simon Horman
2026-05-14  3:43   ` dongchenchen (A) [this message]
2026-05-14  4:53 ` Herbert Xu

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:f65291eba1f dfblob:109ee889376 )
 OR (
bs:"Re: [PATCH net] net: xfrm: Fix dev refcnt leak in async resumption" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c37967eb-7b98-4765-b166-9b6857a70b1f@huawei.com \
    --to=dongchenchen2@huawei.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=steffen.klassert@secunet.com \
    --cc=tpluszz77@gmail.com \
    --cc=zhangchangzhong@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.