From 395cc0111c576d1616daec53f94bed91db03142d Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 29 Jul 2025 18:44:00 -0400 Subject: [PATCH] Drop xfrm-delete-x-tunnel-as-we-delete-x.patch Signed-off-by: Sasha Levin --- queue-6.15/series | 1 - .../xfrm-delete-x-tunnel-as-we-delete-x.patch | 196 ------------------ 2 files changed, 197 deletions(-) delete mode 100644 queue-6.15/xfrm-delete-x-tunnel-as-we-delete-x.patch diff --git a/queue-6.15/series b/queue-6.15/series index 19ec8952c3..c5088640d1 100644 --- a/queue-6.15/series +++ b/queue-6.15/series @@ -23,7 +23,6 @@ xfrm-always-initialize-offload-path.patch xfrm-set-transport-header-to-fix-udp-gro-handling.patch xfrm-ipcomp-adjust-transport-header-after-decompress.patch xfrm-interface-fix-use-after-free-after-changing-col.patch -xfrm-delete-x-tunnel-as-we-delete-x.patch asoc-mediatek-mt8365-dai-i2s-pass-correct-size-to-mt.patch net-ti-icssg-prueth-fix-buffer-allocation-for-icssg.patch net-mlx5-fix-memory-leak-in-cmd_exec.patch diff --git a/queue-6.15/xfrm-delete-x-tunnel-as-we-delete-x.patch b/queue-6.15/xfrm-delete-x-tunnel-as-we-delete-x.patch deleted file mode 100644 index cc80b81e44..0000000000 --- a/queue-6.15/xfrm-delete-x-tunnel-as-we-delete-x.patch +++ /dev/null @@ -1,196 +0,0 @@ -From 1e768c16dfda39fd01eba9d4872738753b9e2829 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 4 Jul 2025 16:54:33 +0200 -Subject: xfrm: delete x->tunnel as we delete x - -From: Sabrina Dubroca - -[ Upstream commit b441cf3f8c4b8576639d20c8eb4aa32917602ecd ] - -The ipcomp fallback tunnels currently get deleted (from the various -lists and hashtables) as the last user state that needed that fallback -is destroyed (not deleted). If a reference to that user state still -exists, the fallback state will remain on the hashtables/lists, -triggering the WARN in xfrm_state_fini. Because of those remaining -references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state -synchronously on net exit path") is not complete. - -We recently fixed one such situation in TCP due to defered freeing of -skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we -currently drop dst")). This can also happen due to IP reassembly: skbs -with a secpath remain on the reassembly queue until netns -destruction. If we can't guarantee that the queues are flushed by the -time xfrm_state_fini runs, there may still be references to a (user) -xfrm_state, preventing the timely deletion of the corresponding -fallback state. - -Instead of chasing each instance of skbs holding a secpath one by one, -this patch fixes the issue directly within xfrm, by deleting the -fallback state as soon as the last user state depending on it has been -deleted. Destruction will still happen when the final reference is -dropped. - -A separate lockdep class for the fallback state is required since -we're going to lock x->tunnel while x is locked. - -Fixes: 9d4139c76905 ("netns xfrm: per-netns xfrm_state_all list") -Signed-off-by: Sabrina Dubroca -Signed-off-by: Steffen Klassert -Signed-off-by: Sasha Levin ---- - include/net/xfrm.h | 1 - - net/ipv4/ipcomp.c | 2 ++ - net/ipv6/ipcomp6.c | 2 ++ - net/ipv6/xfrm6_tunnel.c | 2 +- - net/xfrm/xfrm_ipcomp.c | 1 - - net/xfrm/xfrm_state.c | 19 ++++++++----------- - 6 files changed, 13 insertions(+), 14 deletions(-) - -diff --git a/include/net/xfrm.h b/include/net/xfrm.h -index 29a0759d5582c..754ba8df33cff 100644 ---- a/include/net/xfrm.h -+++ b/include/net/xfrm.h -@@ -441,7 +441,6 @@ int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo); - int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo); - - void xfrm_flush_gc(void); --void xfrm_state_delete_tunnel(struct xfrm_state *x); - - struct xfrm_type { - struct module *owner; -diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c -index 5a4fb2539b08b..9a45aed508d19 100644 ---- a/net/ipv4/ipcomp.c -+++ b/net/ipv4/ipcomp.c -@@ -54,6 +54,7 @@ static int ipcomp4_err(struct sk_buff *skb, u32 info) - } - - /* We always hold one tunnel user reference to indicate a tunnel */ -+static struct lock_class_key xfrm_state_lock_key; - static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x) - { - struct net *net = xs_net(x); -@@ -62,6 +63,7 @@ static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x) - t = xfrm_state_alloc(net); - if (!t) - goto out; -+ lockdep_set_class(&t->lock, &xfrm_state_lock_key); - - t->id.proto = IPPROTO_IPIP; - t->id.spi = x->props.saddr.a4; -diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c -index 72d4858dec18a..8607569de34f3 100644 ---- a/net/ipv6/ipcomp6.c -+++ b/net/ipv6/ipcomp6.c -@@ -71,6 +71,7 @@ static int ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, - return 0; - } - -+static struct lock_class_key xfrm_state_lock_key; - static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x) - { - struct net *net = xs_net(x); -@@ -79,6 +80,7 @@ static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x) - t = xfrm_state_alloc(net); - if (!t) - goto out; -+ lockdep_set_class(&t->lock, &xfrm_state_lock_key); - - t->id.proto = IPPROTO_IPV6; - t->id.spi = xfrm6_tunnel_alloc_spi(net, (xfrm_address_t *)&x->props.saddr); -diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c -index bf140ef781c1f..7fd8bc08e6eb1 100644 ---- a/net/ipv6/xfrm6_tunnel.c -+++ b/net/ipv6/xfrm6_tunnel.c -@@ -334,8 +334,8 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net) - struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net); - unsigned int i; - -- xfrm_flush_gc(); - xfrm_state_flush(net, 0, false, true); -+ xfrm_flush_gc(); - - for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++) - WARN_ON_ONCE(!hlist_empty(&xfrm6_tn->spi_byaddr[i])); -diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c -index a38545413b801..43fdc6ed8dd17 100644 ---- a/net/xfrm/xfrm_ipcomp.c -+++ b/net/xfrm/xfrm_ipcomp.c -@@ -313,7 +313,6 @@ void ipcomp_destroy(struct xfrm_state *x) - struct ipcomp_data *ipcd = x->data; - if (!ipcd) - return; -- xfrm_state_delete_tunnel(x); - ipcomp_free_data(ipcd); - kfree(ipcd); - } -diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c -index 0cf516b4e6d92..4afa2789bfa1e 100644 ---- a/net/xfrm/xfrm_state.c -+++ b/net/xfrm/xfrm_state.c -@@ -811,6 +811,7 @@ void __xfrm_state_destroy(struct xfrm_state *x, bool sync) - } - EXPORT_SYMBOL(__xfrm_state_destroy); - -+static void xfrm_state_delete_tunnel(struct xfrm_state *x); - int __xfrm_state_delete(struct xfrm_state *x) - { - struct net *net = xs_net(x); -@@ -838,6 +839,8 @@ int __xfrm_state_delete(struct xfrm_state *x) - - xfrm_dev_state_delete(x); - -+ xfrm_state_delete_tunnel(x); -+ - /* All xfrm_state objects are created by xfrm_state_alloc. - * The xfrm_state_alloc call gives a reference, and that - * is what we are dropping here. -@@ -941,10 +944,7 @@ int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync) - err = xfrm_state_delete(x); - xfrm_audit_state_delete(x, err ? 0 : 1, - task_valid); -- if (sync) -- xfrm_state_put_sync(x); -- else -- xfrm_state_put(x); -+ xfrm_state_put(x); - if (!err) - cnt++; - -@@ -3060,20 +3060,17 @@ void xfrm_flush_gc(void) - } - EXPORT_SYMBOL(xfrm_flush_gc); - --/* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */ --void xfrm_state_delete_tunnel(struct xfrm_state *x) -+static void xfrm_state_delete_tunnel(struct xfrm_state *x) - { - if (x->tunnel) { - struct xfrm_state *t = x->tunnel; - -- if (atomic_read(&t->tunnel_users) == 2) -+ if (atomic_dec_return(&t->tunnel_users) == 1) - xfrm_state_delete(t); -- atomic_dec(&t->tunnel_users); -- xfrm_state_put_sync(t); -+ xfrm_state_put(t); - x->tunnel = NULL; - } - } --EXPORT_SYMBOL(xfrm_state_delete_tunnel); - - u32 xfrm_state_mtu(struct xfrm_state *x, int mtu) - { -@@ -3278,8 +3275,8 @@ void xfrm_state_fini(struct net *net) - unsigned int sz; - - flush_work(&net->xfrm.state_hash_work); -- flush_work(&xfrm_state_gc_work); - xfrm_state_flush(net, 0, false, true); -+ flush_work(&xfrm_state_gc_work); - - WARN_ON(!list_empty(&net->xfrm.state_all)); - --- -2.39.5 - -- 2.47.2