git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Shaomin Chen <eeesssooo020@gmail.com>
	Wed, 20 May 2026 18:07:23 +0000 (02:07 +0800)
committer	Steffen Klassert <steffen.klassert@secunet.com>
	Tue, 26 May 2026 08:35:28 +0000 (10:35 +0200)
commit	7f83d174073234839aea176f265e517e0d50a1d2
tree	aa4cbf93572584dce7c96c07265060dc692bb122	tree \| snapshot
parent	dfa0d7b0ff1eb6b2c416b8fdb9b4f2cefba57a40	commit \| diff

xfrm: iptfs: reset runtime state when cloning SAs

iptfs_clone_state() clones the IPTFS mode data with kmemdup(). This
copies runtime objects which must not be shared with the original SA,
including the embedded sk_buff_head, hrtimers, spinlock, and in-flight
reassembly/reorder state.

If xfrm_state_migrate() fails after clone_state() but before the later
init_state() call has reinitialized those fields, the cloned state can be
destroyed by xfrm_state_gc_task() with list and timer state copied from the
original SA. With queued packets this lets the clone splice and free skbs
owned by the original IPTFS queue, leading to use-after-free and
double-free reports in iptfs_destroy_state() and skb release paths.

Reinitialize the clone's runtime state before publishing it through
x->mode_data. Because clone_state() now publishes a destroyable mode_data
object before init_state(), take the mode callback module reference there.
Avoid taking it again from __iptfs_init_state() for the same object.

Fixes: 0e4fbf013fa5 ("xfrm: iptfs: add user packet (tunnel ingress) handling")
Cc: stable@vger.kernel.org
Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>