From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
<netdev@vger.kernel.org>
Subject: [PATCH 0/10] pull request (net): ipsec 2026-05-29
Date: Fri, 29 May 2026 11:26:02 +0200
Message-ID: <20260529092648.3878973-1-steffen.klassert@secunet.com>

1) xfrm: route MIGRATE notifications to caller's netns
   Thread the caller's netns through km_migrate() so that
   MIGRATE notifications go to the issuing netns, fixing both the
   init_net listener leak and MOBIKE notifications inside
   non-init netns. From Maoyi Xie.

2) xfrm: ipcomp: Free destination pages on acomp errors
   Move the out_free_req label up so that allocated destination
   pages are released on decompression errors, not only on success.
   From Herbert Xu.

3) xfrm: Check for underflow in xfrm_state_mtu
   Reject configurations that cause xfrm_state_mtu() to underflow,
   preventing a negative TFCPAD value from becoming a memset size
   that triggers an out-of-bounds write of several terabytes.
   From David Ahern.

4) xfrm: ah: use skb_to_full_sk in async output callbacks
   Convert the possibly-incomplete skb->sk to a full socket pointer
   in async AH callbacks so that a request_sock or timewait_sock
   never reaches xfrm_output_resume() downstream consumers.
   From Michael Bommarito.

5) Add and revert: esp: fix page frag reference leak on skb_to_sgvec failure
   The patch does not fix the issue completely.

6) xfrm: esp: restore combined single-frag length gate
   Check the aligned post-trailer combined length against a page limit
   in the fast path, preventing skb_page_frag_refill() from falling
   back to a page too small for the destination scatterlist.
   From Jingguo Tan.

7) xfrm: iptfs: reset runtime state when cloning SAs
   Reinitialise the clone's mode_data runtime objects before
   publishing it, preventing queued skbs from being freed with
   list state copied from the original SA when migration fails.
   From Shaomin Chen.

8) xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit
   Flush policy tables and drain the workqueue in a .pre_exit handler
   so that cleanup_net() pays one RCU grace period per batch instead
   of one per namespace, fixing stalls at high CLONE_NEWNET rates.
   From Usama Arif.

9) xfrm: input: hold netns during deferred transport reinjection
   Take a netns reference when queueing deferred transport reinjection
   work and drop it after the callback completes, keeping the skb->cb
   net pointer valid until the deferred work runs.
   From Zhengchuan Liang.

Please pull or let me know if there are problems.

Thanks!

The following changes since commit b266bacba796ff5c4dcd2ae2fc08aacf7ab39153:

  net: ethernet: cortina: Drop half-assembled SKB (2026-05-06 18:43:41 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git tags/ipsec-2026-05-29

for you to fetch changes up to 6851161feb01cea41358c9ec304bd2f981fc8505:

  Revert "esp: fix page frag reference leak on skb_to_sgvec failure" (2026-05-29 10:23:25 +0200)

----------------------------------------------------------------
ipsec-2026-05-29

----------------------------------------------------------------
David Ahern (1):
      xfrm: Check for underflow in xfrm_state_mtu

Herbert Xu (1):
      xfrm: ipcomp: Free destination pages on acomp errors

Jingguo Tan (1):
      xfrm: esp: restore combined single-frag length gate

Maoyi Xie (1):
      xfrm: route MIGRATE notifications to caller's netns

Michael Bommarito (1):
      xfrm: ah: use skb_to_full_sk in async output callbacks

Shaomin Chen (1):
      xfrm: iptfs: reset runtime state when cloning SAs

Steffen Klassert (1):
      Revert "esp: fix page frag reference leak on skb_to_sgvec failure"

Usama Arif (1):
      xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit

Zhengchuan Liang (1):
      xfrm: input: hold netns during deferred transport reinjection

e521588 (1):
      esp: fix page frag reference leak on skb_to_sgvec failure

 include/net/xfrm.h     |  3 ++-
 net/ipv4/ah4.c         |  2 +-
 net/ipv4/esp4.c        |  4 ++--
 net/ipv6/ah6.c         |  2 +-
 net/ipv6/esp6.c        |  4 ++--
 net/key/af_key.c       |  6 +++---
 net/xfrm/xfrm_input.c  | 16 ++++++++++++----
 net/xfrm/xfrm_ipcomp.c | 12 ++++++++----
 net/xfrm/xfrm_iptfs.c  | 28 +++++++++++++++++++++++-----
 net/xfrm/xfrm_policy.c | 17 +++++++++--------
 net/xfrm/xfrm_state.c  | 23 ++++++++++++++++++-----
 net/xfrm/xfrm_user.c   |  5 ++---
 12 files changed, 83 insertions(+), 39 deletions(-)