From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 862283EDE55; Tue, 12 May 2026 18:04:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778609079; cv=none; b=Vndu/KUEstVnkYAt3YxYtvK2AAMgkWO6lCMxXH4Ok7hiv3yrJ9ySVp9YIFqqkqRo2DaZSMAbvwUn7HQDsKYE3QcxUVhZj1oebfeo/oHkk8KlGy4csW0oQgdcza+/6hDsbsNC5vG5Kl+KP7LTjdDUC85bUp3vxBEfPp9tdLFGARE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778609079; c=relaxed/simple; bh=tbeHnjyuwOwzMQ6fqyDlgxwGv7bH0OBOjWju+kIzxY0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=IzAPjM74eLMgTvVWMr6H1L2piosdCxCJTvRke+7eInUltB2aIwiJ8BE5oH9H/4YL1rWh0/uqzB9vDcM6BI+MYOv8FQ8aBFxRJwCGP1n197uuWJUmt3RF2jY1umYtypV58rclmp6sNEUWXQ5g3kdGfOSvFszNnFh3BEHg4HVULfc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=WfsSmAl0; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="WfsSmAl0" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1DDD1C2BCB0; Tue, 12 May 2026 18:04:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778609079; bh=tbeHnjyuwOwzMQ6fqyDlgxwGv7bH0OBOjWju+kIzxY0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WfsSmAl0vbytHGHYWD4TSISGimJQ3So7q6qhrXL0NeyWeWsrSpMdyhcHbacDLSR/J dOVzyzm1IW8pMohvJXSPLotJi9nvH06oopWhTvMfL8n7k5/Gv87E+Crijk0TkQeMYD dtoHkXBV3HRKqeT4wkh7NJD0hX3emkLfSMADLs1s= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, stable@kernel.org, Yifan Wu , Juefei Pu , Yuan Tan , Xin Liu , Ruide Cao , Yilin Zhu , Ren Wei , Simon Horman , Steffen Klassert Subject: [PATCH 7.0 056/307] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() Date: Tue, 12 May 2026 19:37:31 +0200 Message-ID: <20260512173941.306088341@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260512173940.117428952@linuxfoundation.org> References: <20260512173940.117428952@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 7.0-stable review patch. If anyone has any objections, please let me know. ------------------ From: Yilin Zhu commit bc0fcb9823cd0894934cf968b525c575833d7078 upstream. xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route. If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries. Release the dst before jumping to the drop path. Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP") Cc: stable@kernel.org Reported-by: Yifan Wu Reported-by: Juefei Pu Co-developed-by: Yuan Tan Signed-off-by: Yuan Tan Suggested-by: Xin Liu Tested-by: Ruide Cao Signed-off-by: Yilin Zhu Signed-off-by: Ren Wei Reviewed-by: Simon Horman Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman --- net/ipv6/xfrm6_protocol.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/net/ipv6/xfrm6_protocol.c +++ b/net/ipv6/xfrm6_protocol.c @@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb, dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6, skb, flags); - if (dst->error) + if (dst->error) { + dst_release(dst); goto drop; + } skb_dst_set(skb, dst); }