[PATCH net] xfrm: iptfs: reset runtime state when cloning SAs

Netdev List
 help / color / mirror / Atom feed

* [PATCH net] xfrm: iptfs: reset runtime state when cloning SAs
@ 2026-05-20 18:07 Shaomin Chen
  2026-05-26 10:24 ` Steffen Klassert
  0 siblings, 1 reply; 2+ messages in thread
From: Shaomin Chen @ 2026-05-20 18:07 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, Steffen Klassert, Herbert Xu, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman,
	Christian Hopps, stable

iptfs_clone_state() clones the IPTFS mode data with kmemdup(). This
copies runtime objects which must not be shared with the original SA,
including the embedded sk_buff_head, hrtimers, spinlock, and in-flight
reassembly/reorder state.

If xfrm_state_migrate() fails after clone_state() but before the later
init_state() call has reinitialized those fields, the cloned state can be
destroyed by xfrm_state_gc_task() with list and timer state copied from the
original SA. With queued packets this lets the clone splice and free skbs
owned by the original IPTFS queue, leading to use-after-free and
double-free reports in iptfs_destroy_state() and skb release paths.

Reinitialize the clone's runtime state before publishing it through
x->mode_data. Because clone_state() now publishes a destroyable mode_data
object before init_state(), take the mode callback module reference there.
Avoid taking it again from __iptfs_init_state() for the same object.

Fixes: 0e4fbf013fa5 ("xfrm: iptfs: add user packet (tunnel ingress) handling")
Cc: stable@vger.kernel.org
Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com>
---
 net/xfrm/xfrm_iptfs.c | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/net/xfrm/xfrm_iptfs.c b/net/xfrm/xfrm_iptfs.c
index 97bc979e55ba..6c6bbc040517 100644
--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -2650,7 +2650,8 @@ static void __iptfs_init_state(struct xfrm_state *x,
 	x->props.enc_hdr_len = sizeof(struct ip_iptfs_hdr);
 
 	/* Always keep a module reference when x->mode_data is set */
-	__module_get(x->mode_cbs->owner);
+	if (x->mode_data != xtfs)
+		__module_get(x->mode_cbs->owner);
 
 	x->mode_data = xtfs;
 	xtfs->x = x;
@@ -2658,22 +2659,39 @@ static void __iptfs_init_state(struct xfrm_state *x,
 
 static int iptfs_clone_state(struct xfrm_state *x, struct xfrm_state *orig)
 {
+	struct skb_wseq *w_saved = NULL;
 	struct xfrm_iptfs_data *xtfs;
 
 	xtfs = kmemdup(orig->mode_data, sizeof(*xtfs), GFP_KERNEL);
 	if (!xtfs)
 		return -ENOMEM;
 
-	xtfs->ra_newskb = NULL;
 	if (xtfs->cfg.reorder_win_size) {
-		xtfs->w_saved = kzalloc_objs(*xtfs->w_saved,
-					     xtfs->cfg.reorder_win_size);
-		if (!xtfs->w_saved) {
+		w_saved = kzalloc_objs(*w_saved, xtfs->cfg.reorder_win_size);
+		if (!w_saved) {
 			kfree_sensitive(xtfs);
 			return -ENOMEM;
 		}
 	}
+	xtfs->w_saved = w_saved;
+
+	__skb_queue_head_init(&xtfs->queue);
+	xtfs->queue_size = 0;
+	hrtimer_setup(&xtfs->iptfs_timer, iptfs_delay_timer, CLOCK_MONOTONIC,
+		      IPTFS_HRTIMER_MODE);
+
+	spin_lock_init(&xtfs->drop_lock);
+	hrtimer_setup(&xtfs->drop_timer, iptfs_drop_timer, CLOCK_MONOTONIC,
+		      IPTFS_HRTIMER_MODE);
 
+	xtfs->w_seq_set = false;
+	xtfs->w_wantseq = 0;
+	xtfs->w_savedlen = 0;
+	xtfs->ra_newskb = NULL;
+	xtfs->ra_wantseq = 0;
+	xtfs->ra_runtlen = 0;
+
+	__module_get(x->mode_cbs->owner);
 	x->mode_data = xtfs;
 	xtfs->x = x;
 
-- 
2.47.3


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH net] xfrm: iptfs: reset runtime state when cloning SAs
  2026-05-20 18:07 [PATCH net] xfrm: iptfs: reset runtime state when cloning SAs Shaomin Chen
@ 2026-05-26 10:24 ` Steffen Klassert
  0 siblings, 0 replies; 2+ messages in thread
From: Steffen Klassert @ 2026-05-26 10:24 UTC (permalink / raw)
  To: Shaomin Chen
  Cc: netdev, linux-kernel, Herbert Xu, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, Christian Hopps,
	stable

On Thu, May 21, 2026 at 02:07:23AM +0800, Shaomin Chen wrote:
> iptfs_clone_state() clones the IPTFS mode data with kmemdup(). This
> copies runtime objects which must not be shared with the original SA,
> including the embedded sk_buff_head, hrtimers, spinlock, and in-flight
> reassembly/reorder state.
> 
> If xfrm_state_migrate() fails after clone_state() but before the later
> init_state() call has reinitialized those fields, the cloned state can be
> destroyed by xfrm_state_gc_task() with list and timer state copied from the
> original SA. With queued packets this lets the clone splice and free skbs
> owned by the original IPTFS queue, leading to use-after-free and
> double-free reports in iptfs_destroy_state() and skb release paths.
> 
> Reinitialize the clone's runtime state before publishing it through
> x->mode_data. Because clone_state() now publishes a destroyable mode_data
> object before init_state(), take the mode callback module reference there.
> Avoid taking it again from __iptfs_init_state() for the same object.
> 
> Fixes: 0e4fbf013fa5 ("xfrm: iptfs: add user packet (tunnel ingress) handling")
> Cc: stable@vger.kernel.org
> Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com>

Applied, thanks a lot!

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-05-26 10:24 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-20 18:07 [PATCH net] xfrm: iptfs: reset runtime state when cloning SAs Shaomin Chen
2026-05-26 10:24 ` Steffen Klassert

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox