* [PATCH ipsec 1/4] xfrm: add missing extack for XFRMA_SA_PCPU in add_acquire and allocspi
2026-02-23 23:05 [PATCH ipsec 0/4] xfrm: misc bugfixes Sabrina Dubroca
@ 2026-02-23 23:05 ` Sabrina Dubroca
2026-02-23 23:05 ` [PATCH ipsec 2/4] xfrm: fix the condition on x->pcpu_num in xfrm_sa_len Sabrina Dubroca
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Sabrina Dubroca @ 2026-02-23 23:05 UTC (permalink / raw)
To: netdev; +Cc: Steffen Klassert, Herbert Xu, Sabrina Dubroca
We're returning an error caused by invalid user input without setting
an extack. Add one.
Fixes: 1ddf9916ac09 ("xfrm: Add support for per cpu xfrm state handling.")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
net/xfrm/xfrm_user.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 403b5ecac2c5..3e6477c6082e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1850,6 +1850,7 @@ static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh,
pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]);
if (pcpu_num >= num_possible_cpus()) {
err = -EINVAL;
+ NL_SET_ERR_MSG(extack, "pCPU number too big");
goto out_noput;
}
}
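Review bot: The new NL_SET_ERR_MSG in xfrm_alloc_userspi sets a message but does not identify the offending attribute. NL_SET_ERR_MSG_ATTR(extack, attrs[XFRMA_SA_PCPU], "...") would also record which attribute failed, so userspace can report it precisely. The text "pCPU number too big" could name XFRMA_SA_PCPU as well, since that is what the user actually supplied.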
@@ -3001,8 +3002,10 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
if (attrs[XFRMA_SA_PCPU]) {
x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]);
err = -EINVAL;
- if (x->pcpu_num >= num_possible_cpus())
+ if (x->pcpu_num >= num_possible_cpus()) {
+ NL_SET_ERR_MSG(extack, "pCPU number too big");
goto free_state;
+ }
}
err = verify_newpolicy_info(&ua->policy, extack);
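Review bot: In xfrm_add_acquire the attribute value is written to x->pcpu_num before the range check, whereas xfrm_alloc_userspi in the previous hunk validates a local pcpu_num first. The error path jumps to free_state, so the out-of-range value is not used, but reading into a local and assigning only after the check would make the two call sites symmetrical. They could then share one helper for the check and the "pCPU number too big" string, which is now duplicated.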
--
2.51.2
* [PATCH ipsec 2/4] xfrm: fix the condition on x->pcpu_num in xfrm_sa_len
2026-02-23 23:05 [PATCH ipsec 0/4] xfrm: misc bugfixes Sabrina Dubroca
2026-02-23 23:05 ` [PATCH ipsec 1/4] xfrm: add missing extack for XFRMA_SA_PCPU in add_acquire and allocspi Sabrina Dubroca
@ 2026-02-23 23:05 ` Sabrina Dubroca
2026-02-23 23:05 ` [PATCH ipsec 3/4] xfrm: call xdo_dev_state_delete during state update Sabrina Dubroca
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Sabrina Dubroca @ 2026-02-23 23:05 UTC (permalink / raw)
To: netdev; +Cc: Steffen Klassert, Herbert Xu, Sabrina Dubroca
pcpu_num = 0 is a valid value. The marker for "unset pcpu_num" which
makes copy_to_user_state_extra not add the XFRMA_SA_PCPU attribute is
UINT_MAX.
Fixes: 1ddf9916ac09 ("xfrm: Add support for per cpu xfrm state handling.")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
net/xfrm/xfrm_user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 3e6477c6082e..4dd8341225bc 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3676,7 +3676,7 @@ static inline unsigned int xfrm_sa_len(struct xfrm_state *x)
}
if (x->if_id)
l += nla_total_size(sizeof(x->if_id));
- if (x->pcpu_num)
+ if (x->pcpu_num != UINT_MAX)
l += nla_total_size(sizeof(x->pcpu_num));
/* Must count x->lastused as it may become non-zero behind our back. */
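Review bot: The comparison `x->pcpu_num != UINT_MAX` in xfrm_sa_len hard-codes the "unset" sentinel that, per the commit message, copy_to_user_state_extra also relies on. The bug fixed here came from the size calculation and the attribute emission disagreeing, so a named constant or a small helper used by both functions would keep them from drifting apart again. A short comment next to the check noting that 0 is a valid CPU number would also help.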
--
2.51.2
* [PATCH ipsec 3/4] xfrm: call xdo_dev_state_delete during state update
2026-02-23 23:05 [PATCH ipsec 0/4] xfrm: misc bugfixes Sabrina Dubroca
2026-02-23 23:05 ` [PATCH ipsec 1/4] xfrm: add missing extack for XFRMA_SA_PCPU in add_acquire and allocspi Sabrina Dubroca
2026-02-23 23:05 ` [PATCH ipsec 2/4] xfrm: fix the condition on x->pcpu_num in xfrm_sa_len Sabrina Dubroca
@ 2026-02-23 23:05 ` Sabrina Dubroca
2026-02-23 23:05 ` [PATCH ipsec 4/4] esp: fix skb leak with espintcp and async crypto Sabrina Dubroca
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Sabrina Dubroca @ 2026-02-23 23:05 UTC (permalink / raw)
To: netdev; +Cc: Steffen Klassert, Herbert Xu, Sabrina Dubroca
When we update an SA, we construct a new state and call
xdo_dev_state_add, but never insert it. The existing state is updated,
then we immediately destroy the new state. Since we haven't added it,
we don't go through the standard state delete code, and we're skipping
removing it from the device (but xdo_dev_state_free will get called
when we destroy the temporary state).
This is similar to commit c5d4d7d83165 ("xfrm: Fix deletion of
offloaded SAs on failure.").
Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
net/xfrm/xfrm_state.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 98b362d51836..a00c4fe1ab0c 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2264,6 +2264,7 @@ int xfrm_state_update(struct xfrm_state *x)
err = 0;
x->km.state = XFRM_STATE_DEAD;
+ xfrm_dev_state_delete(x);
__xfrm_state_put(x);
}
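Review bot: The added xfrm_dev_state_delete(x) in xfrm_state_update has no comment, and without the commit message it looks odd to delete from the device a state that was never inserted. A one-line comment saying that x was added to the device but never inserted into the state tables would spare readers a trip through git blame. The subject names xdo_dev_state_delete while the code calls the xfrm_dev_state_delete wrapper; worth aligning the wording.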
--
2.51.2
* [PATCH ipsec 4/4] esp: fix skb leak with espintcp and async crypto
2026-02-23 23:05 [PATCH ipsec 0/4] xfrm: misc bugfixes Sabrina Dubroca
` (2 preceding siblings ...)
2026-02-23 23:05 ` [PATCH ipsec 3/4] xfrm: call xdo_dev_state_delete during state update Sabrina Dubroca
@ 2026-02-23 23:05 ` Sabrina Dubroca
2026-02-24 16:37 ` [PATCH ipsec 0/4] xfrm: misc bugfixes Simon Horman
2026-02-26 7:32 ` Steffen Klassert
5 siblings, 0 replies; 7+ messages in thread
From: Sabrina Dubroca @ 2026-02-23 23:05 UTC (permalink / raw)
To: netdev; +Cc: Steffen Klassert, Herbert Xu, Sabrina Dubroca
When the TX queue for espintcp is full, esp_output_tail_tcp will
return an error and not free the skb, because with synchronous crypto,
the common xfrm output code will drop the packet for us.
With async crypto (esp_output_done), we need to drop the skb when
esp_output_tail_tcp returns an error.
Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
net/ipv4/esp4.c | 9 ++++++---
net/ipv6/esp6.c | 9 ++++++---
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 2c922afadb8f..6dfc0bcdef65 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -235,10 +235,13 @@ static void esp_output_done(void *data, int err)
xfrm_dev_resume(skb);
} else {
if (!err &&
- x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)
- esp_output_tail_tcp(x, skb);
- else
+ x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) {
+ err = esp_output_tail_tcp(x, skb);
+ if (err != -EINPROGRESS)
+ kfree_skb(skb);
+ } else {
xfrm_output_resume(skb_to_full_sk(skb), skb, err);
+ }
}
}
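Review bot: The `if (err != -EINPROGRESS) kfree_skb(skb);` test in esp_output_done depends on esp_output_tail_tcp never returning 0 once the skb has been consumed, otherwise a successful send would free an skb that is already owned elsewhere. Nothing in this hunk shows that contract, so a comment stating that -EINPROGRESS means "skb consumed" and that any other value leaves ownership with the caller would make the check safe to read and to modify later.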
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index e75da98f5283..9f75313734f8 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -271,10 +271,13 @@ static void esp_output_done(void *data, int err)
xfrm_dev_resume(skb);
} else {
if (!err &&
- x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)
- esp_output_tail_tcp(x, skb);
- else
+ x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) {
+ err = esp_output_tail_tcp(x, skb);
+ if (err != -EINPROGRESS)
+ kfree_skb(skb);
+ } else {
xfrm_output_resume(skb_to_full_sk(skb), skb, err);
+ }
}
}
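Review bot: The drop added to the IPv6 esp_output_done is silent: the skb goes away through a plain kfree_skb(skb) with no drop reason and no counter update. When the espintcp TX queue is full under async crypto, an operator then has nothing to tell this loss from any other. Consider kfree_skb_reason() or bumping an xfrm error statistic here. The block is also a line-for-line copy of the esp4.c change, so a shared helper would keep the two from diverging.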
--
2.51.2
* Re: [PATCH ipsec 0/4] xfrm: misc bugfixes
2026-02-23 23:05 [PATCH ipsec 0/4] xfrm: misc bugfixes Sabrina Dubroca
` (3 preceding siblings ...)
2026-02-23 23:05 ` [PATCH ipsec 4/4] esp: fix skb leak with espintcp and async crypto Sabrina Dubroca
@ 2026-02-24 16:37 ` Simon Horman
2026-02-26 7:32 ` Steffen Klassert
5 siblings, 0 replies; 7+ messages in thread
From: Simon Horman @ 2026-02-24 16:37 UTC (permalink / raw)
To: Sabrina Dubroca; +Cc: netdev, Steffen Klassert, Herbert Xu
On Tue, Feb 24, 2026 at 12:05:10AM +0100, Sabrina Dubroca wrote:
> These patches fix a few small bugs in IPsec.
>
> Sabrina Dubroca (4):
> xfrm: add missing extack for XFRMA_SA_PCPU in add_acquire and allocspi
> xfrm: fix the condition on x->pcpu_num in xfrm_sa_len
> xfrm: call xdo_dev_state_delete during state update
> esp: fix skb leak with espintcp and async crypto
>
> net/ipv4/esp4.c | 9 ++++++---
> net/ipv6/esp6.c | 9 ++++++---
> net/xfrm/xfrm_state.c | 1 +
> net/xfrm/xfrm_user.c | 7 +++++--
> 4 files changed, 18 insertions(+), 8 deletions(-)
For the series:
Reviewed-by: Simon Horman <horms@kernel.org>
* Re: [PATCH ipsec 0/4] xfrm: misc bugfixes
2026-02-23 23:05 [PATCH ipsec 0/4] xfrm: misc bugfixes Sabrina Dubroca
` (4 preceding siblings ...)
2026-02-24 16:37 ` [PATCH ipsec 0/4] xfrm: misc bugfixes Simon Horman
@ 2026-02-26 7:32 ` Steffen Klassert
5 siblings, 0 replies; 7+ messages in thread
From: Steffen Klassert @ 2026-02-26 7:32 UTC (permalink / raw)
To: Sabrina Dubroca; +Cc: netdev, Herbert Xu
On Tue, Feb 24, 2026 at 12:05:10AM +0100, Sabrina Dubroca wrote:
> These patches fix a few small bugs in IPsec.
>
> Sabrina Dubroca (4):
> xfrm: add missing extack for XFRMA_SA_PCPU in add_acquire and allocspi
> xfrm: fix the condition on x->pcpu_num in xfrm_sa_len
> xfrm: call xdo_dev_state_delete during state update
> esp: fix skb leak with espintcp and async crypto
>
> net/ipv4/esp4.c | 9 ++++++---
> net/ipv6/esp6.c | 9 ++++++---
> net/xfrm/xfrm_state.c | 1 +
> net/xfrm/xfrm_user.c | 7 +++++--
> 4 files changed, 18 insertions(+), 8 deletions(-)
Series applied, thanks a lot Sabrina!