* [PATCH net] xfrm: Fix dev use-after-free in xfrm async resumption
From: Dong Chenchen @ 2026-05-29 9:21 UTC (permalink / raw)
To: steffen.klassert, herbert, davem, edumazet, kuba, pabeni, horms,
tpluszz77
Cc: netdev, zhangchangzhong, xuchunxiao3, Dong Chenchen
xfrm async resumption holds the skb->dev refcnt until after transport_finish.
However, xfrm_rcv_cb may modify skb->dev to the tunnel dev without taking a
device reference, such as vti_rcv_cb. The subsequent async resumption
will decrement the tunnel device's reference count, which leads to a UAF
of the tunnel dev and a refcnt leak of the orig dev as below:

unregister_netdevice: waiting for vti1 to become free. Usage count = -2

Release the refcnt of the original dev after tunnel rcv modifies skb->dev to
fix it.
Fixes: 1c428b038400 ("xfrm: hold dev ref until after transport_finish NF_HOOK")
Reported-by: Xu Chunxiao <xuchunxiao3@huawei.com>
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
---
net/xfrm/xfrm_input.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index f65291eba1f6..c979872b6006 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -467,6 +467,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
{
const struct xfrm_state_afinfo *afinfo;
struct net *net = dev_net(skb->dev);
+ struct net_device *dev = skb->dev;
int err;
__be32 seq;
__be32 seq_hi;
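Review bot: the new `dev` snapshot carries no comment saying why skb->dev is being cached at function entry, and the variable is not consumed until the second hunk, roughly 260 lines further down, where it decides which device gets the dev_put. Because xfrm_input is also the entry point on async resumption, the snapshot is only correct if skb->dev still names the device the reference was taken on at that point; a one-line comment such as `/* device the async path holds a reference on */` above the declaration would make that invariant, and the later dev_put(dev), self-explanatory.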
@@ -730,6 +731,10 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
if (err)
goto drop;
+ if (async && skb->dev != dev) {
+ dev_put(dev);
+ async = 0;
+ }
nf_reset_ct(skb);
if (decaps) {
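Review bot: clearing `async` to suppress the later dev_put overloads a flag that is also handed to transport_finish to select the resumption path, so a resumed packet that went through a tunnel rcv callback is now processed as if it had never been asynchronous; a dedicated flag that only governs the reference release (for example `bool dev_held`, cleared next to `dev_put(dev);`) would keep the two concerns apart. The check also sits after `if (err) goto drop;`, so when xfrm_rcv_cb swaps skb->dev and then returns an error, the drop path still sees the tunnel device and, if it releases the held reference through skb->dev, has exactly the mismatch this patch is fixing on the success path.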
--
2.25.1
* Re: [PATCH net] xfrm: Fix dev use-after-free in xfrm async resumption
From: Steffen Klassert @ 2026-06-01 6:32 UTC (permalink / raw)
To: Dong Chenchen
Cc: herbert, davem, edumazet, kuba, pabeni, horms, tpluszz77, netdev,
zhangchangzhong, xuchunxiao3
On Fri, May 29, 2026 at 05:21:11PM +0800, Dong Chenchen wrote:
> xfrm async resumption holds the skb->dev refcnt until after transport_finish.
> However, xfrm_rcv_cb may modify skb->dev to the tunnel dev without taking a
> device reference, such as vti_rcv_cb. The subsequent async resumption
> will decrement the tunnel device's reference count, which leads to a UAF
> of the tunnel dev and a refcnt leak of the orig dev as below:
>
> unregister_netdevice: waiting for vti1 to become free. Usage count = -2
>
> Release the refcnt of the original dev after tunnel rcv modifies skb->dev to
> fix it.
>
> Fixes: 1c428b038400 ("xfrm: hold dev ref until after transport_finish NF_HOOK")
> Reported-by: Xu Chunxiao <xuchunxiao3@huawei.com>
> Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
> ---
> net/xfrm/xfrm_input.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
> index f65291eba1f6..c979872b6006 100644
> --- a/net/xfrm/xfrm_input.c
> +++ b/net/xfrm/xfrm_input.c
> @@ -467,6 +467,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
> {
> const struct xfrm_state_afinfo *afinfo;
> struct net *net = dev_net(skb->dev);
> + struct net_device *dev = skb->dev;
> int err;
> __be32 seq;
> __be32 seq_hi;
> @@ -730,6 +731,10 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
> if (err)
> goto drop;
>
> + if (async && skb->dev != dev) {
> + dev_put(dev);
> + async = 0;
> + }
> nf_reset_ct(skb);
>
> if (decaps) {
Sashiko found issues with this patch:
https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260529092111.1089315-1-dongchenchen2%40huawei.com
Please review!
* Re: [PATCH net] xfrm: Fix dev use-after-free in xfrm async resumption
From: dongchenchen (A) @ 2026-06-01 12:17 UTC (permalink / raw)
To: Steffen Klassert
Cc: herbert, davem, edumazet, kuba, pabeni, horms, tpluszz77, netdev,
zhangchangzhong, xuchunxiao3
> On Fri, May 29, 2026 at 05:21:11PM +0800, Dong Chenchen wrote:
>> xfrm async resumption holds the skb->dev refcnt until after transport_finish.
>> However, xfrm_rcv_cb may modify skb->dev to the tunnel dev without taking a
>> device reference, such as vti_rcv_cb. The subsequent async resumption
>> will decrement the tunnel device's reference count, which leads to a UAF
>> of the tunnel dev and a refcnt leak of the orig dev as below:
>>
>> unregister_netdevice: waiting for vti1 to become free. Usage count = -2
>>
>> Release the refcnt of the original dev after tunnel rcv modifies skb->dev to
>> fix it.
>>
>> Fixes: 1c428b038400 ("xfrm: hold dev ref until after transport_finish NF_HOOK")
>> Reported-by: Xu Chunxiao <xuchunxiao3@huawei.com>
>> Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
>> ---
>> net/xfrm/xfrm_input.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
>> index f65291eba1f6..c979872b6006 100644
>> --- a/net/xfrm/xfrm_input.c
>> +++ b/net/xfrm/xfrm_input.c
>> @@ -467,6 +467,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
>> {
>> const struct xfrm_state_afinfo *afinfo;
>> struct net *net = dev_net(skb->dev);
>> + struct net_device *dev = skb->dev;
>> int err;
>> __be32 seq;
>> __be32 seq_hi;
>> @@ -730,6 +731,10 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
>> if (err)
>> goto drop;
>>
>> + if (async && skb->dev != dev) {
>> + dev_put(dev);
>> + async = 0;
>> + }
>> nf_reset_ct(skb);
>>
>> if (decaps) {
> Sashiko found issues with this patch:
>
> https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260529092111.1089315-1-dongchenchen2%40huawei.com
>
> Please review!
>
Hi, Steffen! Thanks a lot for your review.

This patch indeed cannot fix all the issues in the branches.
Maybe we can stash the original skb->dev and move the dev_put in
transport_finish to xfrm_input to fix it.

But there is a question: xfrm_rcv_cb modifies skb->dev to the tunnel or
xfrmi dev without taking a device reference. Is it safe to directly
access the new dev from skb in the subsequent async resumption?
Will this trigger again the issue mentioned in 1c428b038400 ("xfrm:
hold dev ref until after transport_finish NF_HOOK")? It seems that
it is difficult to protect the new skb->dev within the xfrm_input process.

Best regards
Dong Chenchen
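The reference mismatch the commit message describes (hold on the ingress device, skb->dev swapped by the tunnel rcv callback, dev_put then applied to the wrong device) and the approach Dong proposes in the last reply (stash the original skb->dev and release that one) are shown below in a user-space model added here as an example. It is not kernel code and not code from the thread: `netdev_t`, `skb_t`, `tunnel_rcv_cb` and `run_path` are invented stand-ins for struct net_device, struct sk_buff, vti_rcv_cb and the xfrm_input async path, `dev_hold`/`dev_put` are simplified imitations of the kernel helpers, and the two devices are constructed inputs.

```c
#include <stdio.h>

/* Stand-in for struct net_device: only the name and a refcount matter here. */
typedef struct netdev {
	const char *name;
	int refcnt;
} netdev_t;

/* Stand-in for struct sk_buff: only the dev pointer matters here. */
typedef struct skb {
	netdev_t *dev;
} skb_t;

/* Imitations of the kernel's dev_hold()/dev_put(). A count that has been
 * decremented more often than it was incremented is what the thread's
 * "Usage count = -2" message is reporting. */
static void dev_hold(netdev_t *d) { d->refcnt++; }
static void dev_put(netdev_t *d)  { d->refcnt--; }

/* Imitates vti_rcv_cb: point skb->dev at the tunnel device without taking
 * a reference on it. */
static void tunnel_rcv_cb(skb_t *skb, netdev_t *tunnel)
{
	skb->dev = tunnel;
}

/* The broken ordering from the thread: the async path holds a reference on
 * the ingress device, the rcv callback swaps skb->dev, and the release after
 * transport_finish then puts whatever skb->dev points at now, i.e. the
 * tunnel device. The ingress device keeps an extra reference forever. */
static void async_path_buggy(skb_t *skb, netdev_t *tunnel)
{
	dev_hold(skb->dev);
	tunnel_rcv_cb(skb, tunnel);
	dev_put(skb->dev);
}

/* The approach the patch and the follow-up reply converge on: remember which
 * device was held and release exactly that one, regardless of where skb->dev
 * points afterwards. */
static void async_path_fixed(skb_t *skb, netdev_t *tunnel)
{
	netdev_t *held = skb->dev;	/* the patch's "dev = skb->dev" snapshot */

	dev_hold(held);
	tunnel_rcv_cb(skb, tunnel);
	dev_put(held);
}

/* Final refcounts of both devices after one run of either path. */
typedef struct {
	int orig;
	int tunnel;
} refcnt_result_t;

static refcnt_result_t run_path(int fixed)
{
	/* Constructed devices: both start with the single reference that
	 * registration would have given them. */
	netdev_t devs[2] = { { "eth0", 1 }, { "vti1", 1 } };
	skb_t skb = { .dev = &devs[0] };

	if (fixed)
		async_path_fixed(&skb, &devs[1]);
	else
		async_path_buggy(&skb, &devs[1]);

	return (refcnt_result_t){ devs[0].refcnt, devs[1].refcnt };
}

int main(void)
{
	refcnt_result_t r;

	r = run_path(0);
	printf("buggy: eth0 refcnt=%d (leaked), vti1 refcnt=%d (underflow)\n",
	       r.orig, r.tunnel);
	r = run_path(1);
	printf("fixed: eth0 refcnt=%d, vti1 refcnt=%d\n", r.orig, r.tunnel);
	return 0;
}
```

The buggy path leaves eth0 at refcount 2 (the leak that would later block its unregistration) and drives vti1 down to 0 while the device is still registered, which is the precursor of the use-after-free once vti1 is actually freed. The fixed path restores both to 1. The point carried over to the kernel is that the release must be tied to the object the reference was taken on, not to a pointer that intermediate callbacks are allowed to rewrite.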