git.ipfire.org Git - thirdparty/kernel/linux.git/commit
xfrm: Fix dev use-after-free in xfrm async resumption
author Dong Chenchen <dongchenchen2@huawei.com>
Tue, 9 Jun 2026 09:21:17 +0000 (17:21 +0800)
committer Steffen Klassert <steffen.klassert@secunet.com>
Fri, 12 Jun 2026 06:39:59 +0000 (08:39 +0200)
commit 8045c0df98d4f14c54e5cb875f1c9c0ce89fe4ff
tree 777479e93eb68965a85a5140e289573b629de389
parent d129c3177d7b1138fd5066fcc63a698b3ba415b0
xfrm: Fix dev use-after-free in xfrm async resumption

xfrm async resumption holds the skb->dev refcnt until after transport_finish.
However, xfrm_rcv_cb may modify skb->dev to the tunnel dev without taking
a device reference, such as vti_rcv_cb. The subsequent async resumption
will decrement the tunnel device's reference count, which leads to a UAF
of the tunnel dev and a refcnt leak of the orig dev as below:

unregister_netdevice: waiting for vti1 to become free. Usage count = -2

Stash the original skb->dev to fix the refcnt imbalance. The new skb->dev set
by xfrm_rcv_cb can race with device teardown. Extend RCU protection over
xfrm_rcv_cb and transport_finish to prevent races.

Fixes: 1c428b038400 ("xfrm: hold dev ref until after transport_finish NF_HOOK")
Reported-by: Xu Chunxiao <xuchunxiao3@huawei.com>
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
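The refcount imbalance the commit message describes, shown as an added userspace model (this is not kernel code and not part of the patch): a receive callback swaps skb->dev to a tunnel device without taking a reference, and the resumption path then releases whatever skb->dev points at. The struct names, dev_hold/dev_put and tunnel_rcv_cb are toy stand-ins for the kernel's net_device refcounting and vti_rcv_cb; the RCU part of the fix is not modelled. The buggy path leaks one reference on the original device and underflows the tunnel device by one per packet, which is how a device ends up with a negative usage count at unregister time; the fixed path releases exactly the reference it took.

```c
/* Added example: userspace model of the skb->dev refcount imbalance.
 * All names here are toy stand-ins for kernel concepts, not kernel code. */
#include <stdio.h>

struct net_device {
    const char *name;
    int refcnt;                 /* stands in for the netdev refcount */
};

struct sk_buff {
    struct net_device *dev;
};

static void dev_hold(struct net_device *dev) { dev->refcnt++; }
static void dev_put(struct net_device *dev)  { dev->refcnt--; }

/* Stand-in for vti_rcv_cb: redirects skb->dev to the tunnel device
 * without taking a reference on it. */
static void tunnel_rcv_cb(struct sk_buff *skb, struct net_device *tunnel)
{
    skb->dev = tunnel;
}

/* Buggy pattern: hold skb->dev before the callback, then drop whatever
 * skb->dev points at afterwards. If the callback swapped the device,
 * the put lands on the tunnel device instead of the one that was held. */
static void async_resume_buggy(struct sk_buff *skb, struct net_device *tunnel)
{
    dev_hold(skb->dev);
    tunnel_rcv_cb(skb, tunnel);
    /* transport_finish would run here */
    dev_put(skb->dev);
}

/* Fixed pattern: stash the device the reference was taken on and
 * release exactly that device, regardless of what the callback did. */
static void async_resume_fixed(struct sk_buff *skb, struct net_device *tunnel)
{
    struct net_device *orig_dev = skb->dev;

    dev_hold(orig_dev);
    tunnel_rcv_cb(skb, tunnel);
    /* transport_finish would run here */
    dev_put(orig_dev);
}

/* Run `packets` packets through one path on fresh devices (each starts
 * with the single reference a live netdev owns) and report the counts. */
static void run(void (*path)(struct sk_buff *, struct net_device *),
                int packets, int *orig_rc, int *tunnel_rc)
{
    struct net_device eth = { "eth0", 1 };   /* constructed sample device */
    struct net_device vti = { "vti1", 1 };   /* constructed tunnel device */
    int i;

    for (i = 0; i < packets; i++) {
        struct sk_buff skb = { &eth };       /* every packet arrives on eth0 */
        path(&skb, &vti);
    }
    *orig_rc = eth.refcnt;
    *tunnel_rc = vti.refcnt;
}

static int orig_after_buggy(int n)   { int o, t; run(async_resume_buggy, n, &o, &t); return o; }
static int tunnel_after_buggy(int n) { int o, t; run(async_resume_buggy, n, &o, &t); return t; }
static int orig_after_fixed(int n)   { int o, t; run(async_resume_fixed, n, &o, &t); return o; }
static int tunnel_after_fixed(int n) { int o, t; run(async_resume_fixed, n, &o, &t); return t; }

int main(void)
{
    printf("buggy after 3 packets: eth0=%d (leaked), vti1=%d (underflow)\n",
           orig_after_buggy(3), tunnel_after_buggy(3));
    printf("fixed after 3 packets: eth0=%d, vti1=%d\n",
           orig_after_fixed(3), tunnel_after_fixed(3));
    return 0;
}
```

Three packets through the buggy path leave eth0 at 4 and vti1 at -2, the same shape as the "Usage count = -2" warning quoted above; the fixed path leaves both at 1.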
net/ipv4/xfrm4_input.c
net/ipv6/xfrm6_input.c
net/xfrm/xfrm_input.c