* [PATCH ipsec-rc 0/2] Two fixes in policy/state offload area
From: Leon Romanovsky @ 2023-07-31 11:38 UTC (permalink / raw)
To: Steffen Klassert
Cc: Leon Romanovsky, David S. Miller, Eric Dumazet, Herbert Xu,
Jakub Kicinski, netdev, Paolo Abeni, Raed Salem
From: Leon Romanovsky <leonro@nvidia.com>
Hi,
These two patches fix leaks of HW objects in IPsec packet offload mode.
Thanks
Leon Romanovsky (2):
xfrm: delete offloaded policy
xfrm: don't skip free of empty state in acquire policy
include/net/xfrm.h | 1 +
net/xfrm/xfrm_state.c | 8 ++------
net/xfrm/xfrm_user.c | 1 +
3 files changed, 4 insertions(+), 6 deletions(-)
--
2.41.0
* [PATCH ipsec-rc 1/2] xfrm: delete offloaded policy
From: Leon Romanovsky @ 2023-07-31 11:38 UTC (permalink / raw)
To: Steffen Klassert
Cc: Leon Romanovsky, David S. Miller, Eric Dumazet, Herbert Xu,
Jakub Kicinski, netdev, Paolo Abeni, Raed Salem
From: Leon Romanovsky <leonro@nvidia.com>
The policy memory was released but not the HW driver data. Add
a call to xfrm_dev_policy_delete(), so drivers will have a chance
to release their resources.
Fixes: 919e43fad516 ("xfrm: add an interface to offload policy")
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
net/xfrm/xfrm_user.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c34a2a06ca94..5a117aac4274 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2336,6 +2336,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
NETLINK_CB(skb).portid);
}
} else {
+ xfrm_dev_policy_delete(xp);
xfrm_audit_policy_delete(xp, err ? 0 : 1, true);
if (err != 0)
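Review bot: the new xfrm_dev_policy_delete(xp) call sits ahead of the `if (err != 0)` check in this else branch, so the driver's delete callback runs even on the path where the audit line records a failed delete (`err ? 0 : 1`). If err can be non-zero here while the policy stays installed, the hardware object would be torn down under a policy that is still in use; either move the call below the error check or state in the commit message why calling it on the error path is safe.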
--
2.41.0
* [PATCH ipsec-rc 2/2] xfrm: don't skip free of empty state in acquire policy
From: Leon Romanovsky @ 2023-07-31 11:38 UTC (permalink / raw)
To: Steffen Klassert
Cc: Leon Romanovsky, David S. Miller, Eric Dumazet, Herbert Xu,
Jakub Kicinski, netdev, Paolo Abeni, Raed Salem
From: Leon Romanovsky <leonro@nvidia.com>
In the destruction flow, the assignment of NULL to xso->dev
caused skipping of the xfrm_dev_state_free() call, which was
called in the xfrm_state_put(to_put) routine.
Instead of an open-coded variant of xfrm_dev_state_delete() and
xfrm_dev_state_free(), let's use them directly.
Fixes: f8a70afafc17 ("xfrm: add TX datapath support for IPsec packet offload mode")
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
include/net/xfrm.h | 1 +
net/xfrm/xfrm_state.c | 8 ++------
2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 151ca95dd08d..363c7d510554 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1984,6 +1984,7 @@ static inline void xfrm_dev_state_free(struct xfrm_state *x)
if (dev->xfrmdev_ops->xdo_dev_state_free)
dev->xfrmdev_ops->xdo_dev_state_free(x);
xso->dev = NULL;
+ xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
netdev_put(dev, &xso->dev_tracker);
}
}
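Review bot: the added `xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;` in xfrm_dev_state_free() changes behaviour for every caller of this inline helper, not only the acquire path the commit message talks about. The changelog should say that the type reset moved into the helper and why that is correct for the other callers, so that anyone testing xso->type after a free knows it is now cleared together with xso->dev.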
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 49e63eea841d..bda5327bf34d 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1324,12 +1324,8 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
struct xfrm_dev_offload *xso = &x->xso;
if (xso->type == XFRM_DEV_OFFLOAD_PACKET) {
- xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
- xso->dir = 0;
- netdev_put(xso->dev, &xso->dev_tracker);
- xso->dev = NULL;
- xso->real_dev = NULL;
- xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
+ xfrm_dev_state_delete(x);
+ xfrm_dev_state_free(x);
}
#endif
x->km.state = XFRM_STATE_DEAD;
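Review bot: the removed open-coded block also reset `xso->dir = 0` and `xso->real_dev = NULL`, while the xfrm_dev_state_free() lines shown in this patch only clear xso->dev and xso->type. Please confirm that xfrm_dev_state_delete() or the rest of xfrm_dev_state_free() clears those two fields, or note in the commit message that leaving them set is harmless once the state is marked XFRM_STATE_DEAD. A stale real_dev pointer with no reference held on it is the case worth ruling out explicitly.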
--
2.41.0
* Re: [PATCH ipsec-rc 0/2] Two fixes in policy/state offload area
From: Steffen Klassert @ 2023-08-03 7:44 UTC (permalink / raw)
To: Leon Romanovsky
Cc: Leon Romanovsky, David S. Miller, Eric Dumazet, Herbert Xu,
Jakub Kicinski, netdev, Paolo Abeni, Raed Salem
On Mon, Jul 31, 2023 at 02:38:25PM +0300, Leon Romanovsky wrote:
> From: Leon Romanovsky <leonro@nvidia.com>
>
> Hi,
>
> These two patches fix leaks of HW objects in IPsec packet offload mode.
>
> Thanks
>
> Leon Romanovsky (2):
> xfrm: delete offloaded policy
> xfrm: don't skip free of empty state in acquire policy
Applied, thanks Leon!