From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 305CA3F9296; Fri, 15 May 2026 16:07:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778861224; cv=none; b=XublY237A1xsIUryE+avMPQveuqnPWDGtP1Llx6MI8hzBLRccV1n1RStY0VoVhxbSTKkjuJtL5dWvfJqm0UNuOQnqXXRgImCCz4o+DIqlhl7tRQutKkakJdrZSbesTFWC3Di+3vvCZG4tFavwpQSiawUWmr5FE8QF4BIsDmbUjI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778861224; c=relaxed/simple; bh=w3VbJy0rYAOLmtOYmLEM6sBxNX14+k8EmoAxCxObBDA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=oCt6khxxGRKTvMvp8G0VdCTfyTLEm2l/k8dI+YK8EuqqvPKq7vthGAPa01QTJ60AboFhACCDk4KrCzpgDO5SklbMlH6QDba4esKpJn/Ik8nuFEnRQB6OvYLkzT8uYE/GDaCFVxvax156mTF4+8PwmVT5l7P1P0Pza08i9X+zI80= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=hfqo1ivZ; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="hfqo1ivZ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id BA087C2BCB0; Fri, 15 May 2026 16:07:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778861224; bh=w3VbJy0rYAOLmtOYmLEM6sBxNX14+k8EmoAxCxObBDA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hfqo1ivZK3lMGQXeZisO/9Cd/Ic+l1ckmoTTWo6ToCFaj1c5CHdtgwyRQN1AyT4Pv g5QkIYWcY40F0C7pqk57yYHuMg1Cf984576yhVHe6c4Gg/TSy2wPz/5mqlgvBnuFW1 v0GxBYyVPQpqutiXbJljALi5jrFZhZrLkA58GTBo= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, stable@kernel.org, Yifan Wu , Juefei Pu , Yuan Tan , Xin Liu , Ruide Cao , Yilin Zhu , Ren Wei , Simon Horman , Steffen Klassert Subject: [PATCH 6.6 204/474] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() Date: Fri, 15 May 2026 17:45:13 +0200 Message-ID: <20260515154719.427722534@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260515154715.053014143@linuxfoundation.org> References: <20260515154715.053014143@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Yilin Zhu commit bc0fcb9823cd0894934cf968b525c575833d7078 upstream. xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route. If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries. Release the dst before jumping to the drop path. Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP") Cc: stable@kernel.org Reported-by: Yifan Wu Reported-by: Juefei Pu Co-developed-by: Yuan Tan Signed-off-by: Yuan Tan Suggested-by: Xin Liu Tested-by: Ruide Cao Signed-off-by: Yilin Zhu Signed-off-by: Ren Wei Reviewed-by: Simon Horman Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman --- net/ipv6/xfrm6_protocol.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/net/ipv6/xfrm6_protocol.c +++ b/net/ipv6/xfrm6_protocol.c @@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb, dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6, skb, flags); - if (dst->error) + if (dst->error) { + dst_release(dst); goto drop; + } skb_dst_set(skb, dst); }