git.ipfire.org Git - thirdparty/kernel/linux.git/commit
xfrm: hold dev ref until after transport_finish NF_HOOK
author Qi Tang <tpluszz77@gmail.com>
Thu, 2 Apr 2026 11:44:01 +0000 (19:44 +0800)
committer Steffen Klassert <steffen.klassert@secunet.com>
Tue, 7 Apr 2026 08:12:40 +0000 (10:12 +0200)
commit 1c428b03840094410c5fb6a5db30640486bbbfcb
tree ad0c37b0c150463d8f6ceedbd9a4092a352e7136
parent 069daad4f2ae9c5c108131995529d5f02392c446
xfrm: hold dev ref until after transport_finish NF_HOOK

After async crypto completes, xfrm_input_resume() calls dev_put()
immediately on re-entry before the skb reaches transport_finish.
The skb->dev pointer is then used inside NF_HOOK and its okfn,
which can race with device teardown.

Remove the dev_put from the async resumption entry and instead
drop the reference after the NF_HOOK call in transport_finish,
using a saved device pointer since NF_HOOK may consume the skb.
This covers NF_DROP, NF_QUEUE and NF_STOLEN paths that skip
the okfn.

For non-transport exits (decaps, gro, drop) and secondary
async return points, release the reference inline when
async is set.

Suggested-by: Florian Westphal <fw@strlen.de>
Fixes: acf568ee859f ("xfrm: Reinject transport-mode packets through tasklet")
Cc: stable@vger.kernel.org
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
net/ipv4/xfrm4_input.c
net/ipv6/xfrm6_input.c
net/xfrm/xfrm_input.c
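
The reference ordering described in the commit message, as an added single-threaded userspace model (not code from this commit or from the kernel). All toy_* names are hypothetical, and device teardown is assumed to land between async resumption and the hook.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model only: every toy_* name is hypothetical, not a kernel API. */
struct toy_dev { int refcnt; int released; };
struct toy_skb { struct toy_dev *dev; };
enum toy_verdict { TOY_ACCEPT, TOY_DROP, TOY_STOLEN };
struct toy_result { int hook_saw_released_dev; int final_refcnt; };

static void toy_dev_put(struct toy_dev *d)
{
    if (--d->refcnt == 0)
        d->released = 1;            /* a real device could be freed here */
}

/* Stand-in for NF_HOOK: okfn runs only on ACCEPT; skb is consumed on every verdict. */
static int toy_hook(struct toy_skb *skb, enum toy_verdict v)
{
    int stale = skb->dev->released;
    if (v == TOY_ACCEPT)
        stale |= skb->dev->released; /* okfn also dereferences skb->dev */
    free(skb);
    return stale;
}

static struct toy_result toy_transport_finish(int put_on_resume, enum toy_verdict v)
{
    struct toy_dev dev = { 2, 0 };  /* registration ref + input-path ref */
    struct toy_result r = { -1, -1 };
    struct toy_skb *skb = malloc(sizeof(*skb));
    struct toy_dev *saved;
    if (!skb) return r;
    skb->dev = &dev;
    if (put_on_resume)
        toy_dev_put(&dev);          /* old order: put at async resume entry */
    toy_dev_put(&dev);              /* teardown drops the registration ref */
    saved = skb->dev;               /* skb may not survive the hook */
    r.hook_saw_released_dev = toy_hook(skb, v);
    if (!put_on_resume)
        toy_dev_put(saved);         /* new order: put after the hook */
    r.final_refcnt = dev.refcnt;
    return r;
}

int main(void)
{
    printf("old order stale=%d, new order stale=%d\n", toy_transport_finish(1, TOY_ACCEPT).hook_saw_released_dev,
           toy_transport_finish(0, TOY_STOLEN).hook_saw_released_dev);
    return 0;
}
```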