* Re: [PATCH net 1/1] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
From: Simon Horman @ 2026-04-14 12:33 UTC
To: Ren Wei
Cc: netdev, steffen.klassert, herbert, davem, dsahern, edumazet, kuba,
pabeni, sd, yifanwucs, tomapufckgml, yuantan098, bird,
caoruide123, zylzyl2333
On Sun, Apr 12, 2026 at 01:07:54PM +0800, Ren Wei wrote:
> From: Yilin Zhu <zylzyl2333@gmail.com>
>
> xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not
> already have a dst attached. ip6_route_input_lookup() returns a
> referenced dst entry even when the lookup resolves to an error route.
>
> If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching
> the dst to the skb and without releasing the reference returned by the
> lookup. Repeated packets hitting this path therefore leak dst entries.
>
> Release the dst before jumping to the drop path.
>
> Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
> Cc: stable@kernel.org
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Co-developed-by: Yuan Tan <yuantan098@gmail.com>
> Signed-off-by: Yuan Tan <yuantan098@gmail.com>
> Suggested-by: Xin Liu <bird@lzu.edu.cn>
> Tested-by: Ruide Cao <caoruide123@gmail.com>
> Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> ---
> net/ipv6/xfrm6_protocol.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
Reviewed-by: Simon Horman <horms@kernel.org>
* Re: [PATCH net 1/1] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
From: Simon Horman @ 2026-04-14 12:43 UTC
To: n05ec
Cc: 'Simon Horman', netdev, steffen.klassert, herbert, davem,
dsahern, edumazet, kuba, pabeni, sd, yifanwucs, tomapufckgml,
yuantan098, bird, caoruide123, zylzyl2333
From: 'Simon Horman' <horms@kernel.org>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
This commit fixes a dst entry leak in xfrm6_rcv_encap() by ensuring
the dst is released when ip6_route_input_lookup() returns an error route.
> diff --git a/net/ipv6/xfrm6_protocol.c b/net/ipv6/xfrm6_protocol.c
> index ea2f805d3b014..9b586fcec4850 100644
> --- a/net/ipv6/xfrm6_protocol.c
> +++ b/net/ipv6/xfrm6_protocol.c
> @@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
>
> dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6,
> skb, flags);
This isn't a bug introduced by this patch, but is it possible for skb->dev
to be NULL here?
When ESP packets are delivered over TCP, they are processed asynchronously
via handle_esp() in net/xfrm/espintcp.c. This dynamically resolves skb->dev
using dev_get_by_index_rcu(). If the interface was removed before this runs,
it returns NULL.
Because TCP receive paths drop the skb's dst entry, skb_dst(skb) is NULL.
When handle_esp() passes the skb to xfrm6_rcv_encap(), it enters the
!skb_dst(skb) block and unconditionally accesses skb->dev->ifindex and
calls dev_net(skb->dev).
Could this result in a NULL pointer dereference if the interface is torn
down while packets are being processed asynchronously?
> - if (dst->error)
> + if (dst->error) {
> + dst_release(dst);
> goto drop;
> + }
> skb_dst_set(skb, dst);
> }
>
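Review bot: the added `dst_release(dst);` before `goto drop;` in the `if (dst->error)` branch correctly balances the reference that ip6_route_input_lookup() hands back for an error route, and keeping it as an explicit release is the smallest change for the stable backport the Cc: tag asks for. An alternative worth weighing is to move `skb_dst_set(skb, dst);` above the error test so the drop path releases the reference together with the skb, assuming the drop label frees it with kfree_skb(), which this hunk does not show; if that form is chosen, the commit message should say so, otherwise the patch is fine as is.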
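As an added illustration of the reference accounting the commit message and the review above discuss (this is example code, not the patch or the kernel's own): a user-space C model that runs the pre-patch and patched forms of the error branch over a constructed error route and counts the dst references still outstanding. The struct layouts, the lookup stub, the `fixed` switch and the live-reference counter are assumptions made for the demo; only the function names mirror the kernel's.

```c
/* Added example, not kernel code: user-space model of the dst reference
 * accounting in xfrm6_rcv_encap(); structs, lookup stub and counter are stubs. */
#include <stdlib.h>
struct dst_entry { int refcnt; int error; };
struct sk_buff { struct dst_entry *dst; };
static int live_dst_refs;	/* dst references taken and not yet released */
/* Like ip6_route_input_lookup(): returns a referenced dst even for an error route. */
static struct dst_entry *ip6_route_input_lookup(int error)
{
	struct dst_entry *dst = calloc(1, sizeof(*dst));
	dst->refcnt = 1; dst->error = error; live_dst_refs++;
	return dst;
}
static void dst_release(struct dst_entry *dst)
{
	if (dst && --dst->refcnt == 0) { live_dst_refs--; free(dst); }
}
static void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst) { skb->dst = dst; }
/* kfree_skb() releases an attached dst; one never attached is untouched. */
static void kfree_skb(struct sk_buff *skb) { dst_release(skb->dst); free(skb); }

/* The patched function: fixed == 0 is the pre-patch code, fixed == 1 adds the
 * dst_release() before goto drop. Returns 0 if accepted, -1 if dropped. */
static int xfrm6_rcv_encap(struct sk_buff *skb, int route_error, int fixed)
{
	if (!skb->dst) {
		struct dst_entry *dst = ip6_route_input_lookup(route_error);
		if (dst->error) {
			if (fixed)
				dst_release(dst);	/* the fix: balance the lookup */
			goto drop;		/* unfixed: the reference is lost */
		}
		skb_dst_set(skb, dst);
	}
	kfree_skb(skb);	/* accepted: skb, and its attached dst, freed downstream */
	return 0;
drop:
	kfree_skb(skb);
	return -1;
}

/* Run one packet through the handler; report dst references still alive. */
static int leaked_dst_refs(int fixed, int route_error)
{
	struct sk_buff *skb = calloc(1, sizeof(*skb));
	live_dst_refs = 0;
	xfrm6_rcv_encap(skb, route_error, fixed);
	return live_dst_refs;
}
```

Each error-route packet through the unfixed path leaves one reference behind, which is the per-packet leak the commit message describes; the success path is unaffected because the attached dst is released with the skb.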