From: Leon Romanovsky <leon@kernel.org>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
Boris Pismenny <borisp@mellanox.com>,
"David S. Miller" <davem@davemloft.net>,
Florian Westphal <fw@strlen.de>,
Kristian Evensen <kristian.evensen@gmail.com>,
Raed Salem <raeds@mellanox.com>, Raed Salem <raeds@nvidia.com>,
Saeed Mahameed <saeedm@mellanox.com>,
Yossi Kuperman <yossiku@mellanox.com>,
Network Development <netdev@vger.kernel.org>,
Aviad Yehezkel <aviadye@nvidia.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [PATCH] xfrm: force flush upon NETDEV_UNREGISTER event
Date: Mon, 26 Jan 2026 13:07:12 +0200 [thread overview]
Message-ID: <20260126110712.GJ13967@unreal> (raw)
In-Reply-To: <5811ec38-907e-4788-8a0e-7758f12dc9d0@I-love.SAKURA.ne.jp>
On Thu, Jan 22, 2026 at 10:07:46PM +0900, Tetsuo Handa wrote:
> On 2026/01/22 20:32, Steffen Klassert wrote:
> > On Thu, Jan 22, 2026 at 08:28:31PM +0900, Tetsuo Handa wrote:
> >> On 2026/01/22 20:15, Steffen Klassert wrote:
> >>> Hm, I'd say we should not try to offload to a device that does
> >>> not support NETIF_F_HW_ESP.
> >>
> >> I was about to post the patch below, but you are suggesting that "do not allow calling
> >> xfrm_dev_state_add()/xfrm_dev_policy_add() if (dev->features & NETIF_F_HW_ESP) == 0" ?
> >
> > As said, I think this is the correct way to do it. But let's wait
> > on opinions from the hardware people.
>
> OK. I guess something like below.
>
> net/xfrm/xfrm_device.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
> index 52ae0e034d29..19aa61609d24 100644
> --- a/net/xfrm/xfrm_device.c
> +++ b/net/xfrm/xfrm_device.c
> @@ -292,6 +292,13 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
> dst_release(dst);
> }
>
> + if (!(dev->features & NETIF_F_HW_ESP)) {
> + NL_SET_ERR_MSG(extack, "Device doesn't support offload");
> + xso->dev = NULL;
> + dev_put(dev);
> + return -EINVAL;
> + }
Steffen, Tetsuo
If by "HW people" you mean me, we always set NETIF_F_HW_ESP when adding
the .xfrm_dev_*_add() callbacks.
1334 void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv)
1335 {
1336 struct mlx5_core_dev *mdev = priv->mdev;
1337 struct net_device *netdev = priv->netdev;
1338
1339 if (!mlx5_ipsec_device_caps(mdev))
1340 return;
1341
1342 mlx5_core_info(mdev,
1343 "mlx5e: IPSec ESP acceleration enabled\n");
1344
1345 netdev->xfrmdev_ops = &mlx5e_ipsec_xfrmdev_ops;
1346 netdev->features |= NETIF_F_HW_ESP;
1347 netdev->hw_enc_features |= NETIF_F_HW_ESP;
So we are left with two possibilities: either the device registered XFRM
ops without setting NETIF_F_HW_ESP, or netdev->features was modified
without clearing the xfrmdev_ops pointer.
Which device is triggering the syzcaller crash?
Thanks
> +
> if (!dev->xfrmdev_ops || !dev->xfrmdev_ops->xdo_dev_state_add) {
> xso->dev = NULL;
> dev_put(dev);
> @@ -367,7 +374,8 @@ int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
> if (!dev)
> return -EINVAL;
>
> - if (!dev->xfrmdev_ops || !dev->xfrmdev_ops->xdo_dev_policy_add) {
> + if (!dev->xfrmdev_ops || !dev->xfrmdev_ops->xdo_dev_policy_add ||
> + !(dev->features & NETIF_F_HW_ESP)) {
> xdo->dev = NULL;
> dev_put(dev);
> NL_SET_ERR_MSG(extack, "Policy offload is not supported");
>
>
>
> On 2026/01/22 20:15, Steffen Klassert wrote:
> >> But I have a question regarding security_xfrm_state_delete()/security_xfrm_policy_delete().
> >>
> >> xfrm_dev_state_flush_secctx_check() calls security_xfrm_state_delete() which can make
> >> xfrm_dev_state_flush() no-op by returning an error value.
> >> xfrm_dev_policy_flush_secctx_check() calls security_xfrm_policy_delete() which can make
> >> xfrm_dev_policy_flush() no-op by returning an error value.
> >>
> >> Since xfrm_dev_state_flush()/xfrm_dev_policy_flush() are called by NETDEV_UNREGISTER
> >> event (which is a signal for releasing all resources that prevent "struct net_device"
> >> references from dropping), making xfrm_dev_state_flush()/xfrm_dev_policy_flush() no-op (by
> >> allowing security_xfrm_state_delete()/security_xfrm_policy_delete() to return an error) is
> >> a denial-of-service bug.
> >
> > This means that the calling task doesn't have the permission to delete the
> > state, some LSM has a policy the does not grant this permission.
>
> But NETDEV_UNREGISTER event can fire without explicit request from a user.
> Roughly speaking, current behavior is that
>
> while (security_xfrm_state_delete() != 0) {
> schedule_timeout_uninterruptible(10 * HZ);
> pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
> dev->name, netdev_refcnt_read(dev));
> }
> while (security_xfrm_policy_delete() != 0) {
> schedule_timeout_uninterruptible(10 * HZ);
> pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
> dev->name, netdev_refcnt_read(dev));
> }
>
> might be executed upon e.g. termination of a userspace process.
>
> >
> >>
> >> Therefore, I wonder what are security_xfrm_state_delete() and security_xfrm_policy_delete()
> >> for. Can I kill xfrm_dev_state_flush_secctx_check() and xfrm_dev_policy_flush_secctx_check() ?
> >
> > This might violate a LSM policy then.
>
> But LSM policy that results in system hung upon automatic cleanup logic is so stupid.
> I want to kill xfrm_dev_state_flush_secctx_check() and xfrm_dev_policy_flush_secctx_check()
> in order to eliminate possibility of system hung.
>
next prev parent reply other threads:[~2026-01-26 11:07 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-17 16:03 xfrm: question regarding NETDEV_UNREGISTER handling Tetsuo Handa
2026-01-19 11:19 ` [PATCH] xfrm: force flush upon NETDEV_UNREGISTER event Tetsuo Handa
2026-01-22 8:24 ` Tetsuo Handa
2026-01-22 11:15 ` Steffen Klassert
2026-01-22 11:28 ` Tetsuo Handa
2026-01-22 11:32 ` Steffen Klassert
2026-01-22 13:07 ` Tetsuo Handa
2026-01-26 11:07 ` Leon Romanovsky [this message]
2026-01-26 15:57 ` Tetsuo Handa
2026-01-26 14:16 ` Sabrina Dubroca
2026-01-26 22:41 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260126110712.GJ13967@unreal \
--to=leon@kernel.org \
--cc=aviadye@nvidia.com \
--cc=borisp@mellanox.com \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=herbert@gondor.apana.org.au \
--cc=kristian.evensen@gmail.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=raeds@mellanox.com \
--cc=raeds@nvidia.com \
--cc=saeedm@mellanox.com \
--cc=steffen.klassert@secunet.com \
--cc=yossiku@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox