From nobody Sat Oct 4 09:39:49 2025 Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7A91F25B301; Mon, 18 Aug 2025 15:40:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531637; cv=none; b=WVn3+WL9PD5URjHVsQajcObjSHNMvkGU1u8nNSR7XJE7c7ZxOhbRCuSgEyqqObttj7bEqSkYK7IHJaTvkyig5pib6YxB/kA74sC3rNWCWbpwOo6wXKQfp9Ex00YjwvqzxtTpCEVWmxrYQv8SBqXoGLe2W+TtOGX4JE8coMmzdy0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531637; c=relaxed/simple; bh=ZxyGscOHeqQ4OoQLuMcftJmNOcrzdMA3DnVbJ/3/Ji4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=dGGWFRc3Xb70D5AxR1a1zH/u3Lw4yhXo5Ydajf5wDMEMX+4zCsH9bdGUg+Gvw0qafURoSkRQYgK+MOMWbcIL/2qAX/G5FcB3Q0+sxUNJLyn6v8eYI5AyFFWa86Wb0yu2r0Cw0Bimu9xTdAtqCmNzErb0DYiYs1cl0ha14OaPB3U= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me; spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.210.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-76e2ea6ccb7so3142597b3a.2; Mon, 18 Aug 2025 08:40:35 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755531634; x=1756136434; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=4jXoBQiGcML+O5CHFOk8NakzzuxAVed76FZQO5V7Zuo=; b=gJA6VXChO5cqHqitzYn7it9AyYllPa+knrNV91vrjE0A4FrostpS9OwzSyOh3e05PC 0bOLnPKCa5ExAefDD4ShLXL3fQ9XW3VmciHuHyOoaVK6CJqAJMYx+d0Rcm13PMNLe3cP 4IhIHIZWd5OmbJvgHp7Zlwktl+51QRll1+hFvwNlQj/pE0Y9fksqp9FNEVLF4Z8qHfcO zmLCbfFq11QSw0JF121HwfLvfR1cxBbA/+7Tde5pcIw23izp0dMTUvHLrDWKzoTlk12/ 3HggaZMTRIzg8nveq3ImXAcECFYcnf8mWNG3kYUcMoXOZcpFyAcovlFdYYbg/JmY3rrk 5IEg== X-Forwarded-Encrypted: i=1; AJvYcCWFFqrg/apJuTWGsDXBwyMzZez0ZF0WVUrOPQu1YoWHW/fceXKbuPJIG/HIIJH9nxRJt5hoydWIo4DBZYM=@vger.kernel.org, AJvYcCWhMhpww5cYVcL6HLPhIWll1dh7gl88ao2eRh0zIGwPhqvijyZRbic7LYEPfvksoaUrGvvdjq1xMO6cT56LIHrP@vger.kernel.org X-Gm-Message-State: AOJu0YzvJOkEIyXHFUyDZntLiOxbv3KbWKNwmvAq0VIXvlz2Q8dxL2zG h8oLdBRjAHfHJB3Eqk938P935czAQsLzWB4vz1348Jp9xV51o17ZtZH1GQAB X-Gm-Gg: ASbGncv3JAN3n4O6bITfkyQaqS6ep6GafihiLklMMaASKim6qIX8uQ7WQbpBrcvBAf6 Qc//0onGBb4ByqvYlGp2/gGXTTNvZmhZnysVzpFyjszvgn+8o00hp2vv0L5Ez+Ji7+NxS8MRui4 UrOZcKLZmoc4My+DmBWF7cL6nfZz70x9ghrYdwnfc4QwBVHBwAGSRKfo3Kp2nQG30W71nwoaCpw hY+B+tC054uUS8VXOI+pOKWmYkv0NPL6MDLyHAcwQXQ9ZimqVS4xks2u9u+O0FmdscYpu7JEIr7 8Ebx+tPeQY+fk5XBzfZBLK7uab28bJo2v5z5dJSfZAmMIQrFlfkr0H94qocp5vU7/zcO/kOZYmO PDpmCOQUR4EBHopLRiLyayrLmhlKTDkWnCf6sIDqojNTM4gy8HCoqFVysywVLRdCT6spN0Q== X-Google-Smtp-Source: AGHT+IF/N1PLy55109GC/Y7zY4a/TPzsoK+ogpED49iOqmUzUNQ5ofGeFk3sGZ2eemY8kdMbbgxW8A== X-Received: by 2002:a05:6a00:17aa:b0:76b:e16f:ca91 with SMTP id d2e1a72fcca58-76e446adf03mr14527105b3a.1.1755531634478; Mon, 18 Aug 2025 08:40:34 -0700 (PDT) Received: from localhost (c-73-158-218-242.hsd1.ca.comcast.net. [73.158.218.242]) by smtp.gmail.com with UTF8SMTPSA id d2e1a72fcca58-76e455ba020sm7502378b3a.109.2025.08.18.08.40.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 Aug 2025 08:40:34 -0700 (PDT) From: Stanislav Fomichev To: netdev@vger.kernel.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ayush.sawal@chelsio.com, andrew+netdev@lunn.ch, gregkh@linuxfoundation.org, horms@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de, steffen.klassert@secunet.com, sdf@fomichev.me, mhal@rbox.co, abhishektamboli9@gmail.com, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, herbert@gondor.apana.org.au Subject: [PATCH net-next v2 1/7] net: Add skb_dstref_steal and skb_dstref_restore Date: Mon, 18 Aug 2025 08:40:26 -0700 Message-ID: <20250818154032.3173645-2-sdf@fomichev.me> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250818154032.3173645-1-sdf@fomichev.me> References: <20250818154032.3173645-1-sdf@fomichev.me> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Going forward skb_dst_set will assert that skb dst_entry is empty during skb_dst_set to prevent potential leaks. There are few places that still manually manage dst_entry not using the helpers. Convert them to the following new helpers: - skb_dstref_steal that resets dst_entry and returns previous dst_entry value - skb_dstref_restore that restores dst_entry previously reset via skb_dstref_steal Signed-off-by: Stanislav Fomichev Tested-by: syzbot@syzkaller.appspotmail.com --- include/linux/skbuff.h | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 14b923ddb6df..7538ca507ee9 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -1159,6 +1159,38 @@ static inline struct dst_entry *skb_dst(const struct= sk_buff *skb) return (struct dst_entry *)(skb->_skb_refdst & SKB_DST_PTRMASK); } =20 +/** + * skb_dstref_steal() - return current dst_entry value and clear it + * @skb: buffer + * + * Resets skb dst_entry without adjusting its reference count. Useful in + * cases where dst_entry needs to be temporarily reset and restored. + * Note that the returned value cannot be used directly because it + * might contain SKB_DST_NOREF bit. + * + * When in doubt, prefer skb_dst_drop() over skb_dstref_steal() to correct= ly + * handle dst_entry reference counting. + * + * Returns: original skb dst_entry. + */ +static inline unsigned long skb_dstref_steal(struct sk_buff *skb) +{ + unsigned long refdst =3D skb->_skb_refdst; + + skb->_skb_refdst =3D 0; + return refdst; +} + +/** + * skb_dstref_restore() - restore skb dst_entry removed via skb_dstref_ste= al() + * @skb: buffer + * @refdst: dst entry from a call to skb_dstref_steal() + */ +static inline void skb_dstref_restore(struct sk_buff *skb, unsigned long r= efdst) +{ + skb->_skb_refdst =3D refdst; +} + /** * skb_dst_set - sets skb dst * @skb: buffer --=20 2.50.1 From nobody Sat Oct 4 09:39:49 2025 Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 57B52271450; Mon, 18 Aug 2025 15:40:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531638; cv=none; b=Rzj42LTD4oHoojIhynSp6g3/sHOHkvl1MCxkP3GuJcQpEMbVLd1sNHh8SrnIT+HHGCmqAhOkMwE1ZM9zIQx3QMOhHks0FqxdKe9SR4NGwl/DefT1b57NZgVSukJbXSXouIQjTg65VmTCrWO7pCZXW239deCs/RIaIYF7sWNWStM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531638; c=relaxed/simple; bh=I1peXe3qUgkdzuAIkR3hXhA4fkcFMtLuLZeroJqdEKg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=SYiUKMne89aUqu6EwkOxfKHMywENgxNzSX0EthwgXvI7pYA8Mw8WMqJGF2ZPVPG4JE1vm0u1wRlHa5z7plMvJpR2S56T054YHKgI+5twSibheT9K0FOT4lpWMU0iert/vYqJvaOrbxC71/7bysNxUfYyILwM8e4Fi+1wjpYYWqU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me; spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.214.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pl1-f171.google.com with SMTP id d9443c01a7336-24458195495so26646585ad.2; Mon, 18 Aug 2025 08:40:36 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755531635; x=1756136435; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=NChDRszGwZKbjvVPRDVNu5XZAg/1N+wVz9IydPSYRlA=; b=nZxi7d+Ma9t2z0EkGn2+HtO1fI03Y1wR/0+11DTaTAUJ60062PYeXnAHH7juKa1lAp gIqNaXa4CzKrkxIGsLWdKtJXkAf64++HgA9oun1iAZgB9ZpPtlhgPTJJh6XX2AP0w+Zq PXOwUFIlYVW8NY+q1/OFx5sUussIjf7aHa1HrPb6vTmNUrgoDc+n8jX0NAuhS2eLAhDi JTuXGVRyEs70b17kxgOd2BI4MHTq1XeUrI9Jg6ZFt3srLzYRG3UJ4lKT3VVz+BNc1aXa VwIZH8tNkHU/zHMIisS04Pw3o+5EXxzQUeFJVGzHntasjnovSZNX9qfZ4eARpEJcpg3w BEtg== X-Forwarded-Encrypted: i=1; AJvYcCUil2I+2zWUoFkyVAPQSHF8fD5030tA0qt2TCcoc3b2msnPjB7hkAOIcK2u/Qwi41CDI0uQ7TSIQ1AozII=@vger.kernel.org, AJvYcCUmHPjkWli/mgD9tKkVoyP4D3kqrr2CA3yI0LBx8uUiSLq3vePzzWxBCzv/yH7JEQqlMp83C37BTQo5Rcp3+d2s@vger.kernel.org X-Gm-Message-State: AOJu0Yz48bkEaG84ozRK9rGgFdVjchIEBds6wtWjHI5lY/mA/QLKGTSb F452fWY5zEfgdy9NB2bZsrrp4lGVrxxLHKcj7ejO6JfdAKSE3wWQmPGgdEB/ X-Gm-Gg: ASbGnctoqQYQHI72NKJILANLLbiOcqB2iuSUVQw26WJ40Om2OiP5Fc3359A1igVe3ND 8rLY1PLNMurFL2HOjV3khITBDccvlaNpwBKk8wP8nwpr0tgnxgfmhVGn8xGFXmcl/XUMulYQrm8 aPyh9EIg+cH7ZaMMrU2zwGu5by1AvRjlAI2UPdyXc1T/QQHtKJ5nS+L9F8qtYqGXmniRVjDYHBm Ci3dZqUMGcMYU5w5u7DosVFdx81GvWP1fq5YdtXRHIpRMAcorb/OCk8lu76kUGpbTTeA+pp7gwr EO30b26Du0e/ILu6qx9rNNsrGvRoTvGRV63HTgMK4yuI9sycHSP+6tPGcdDVOy+PbIWfSM+pkaO 3uldMStdXuJUBfPd+XHbOx1jZV68f3/pp8f8yATX1nfGOCrl0DHkOCYhg6onoBDa5FR/ISw== X-Google-Smtp-Source: AGHT+IEESYdvHRoTRRGZrgyh2K1XOh5rovsTZVhdWVRfTeUiYce7Ghr02VcC+TxaQGwyNNdk27cEjw== X-Received: by 2002:a17:902:e848:b0:240:86b2:aecf with SMTP id d9443c01a7336-24478e11024mr143045015ad.12.1755531635368; Mon, 18 Aug 2025 08:40:35 -0700 (PDT) Received: from localhost (c-73-158-218-242.hsd1.ca.comcast.net. [73.158.218.242]) by smtp.gmail.com with UTF8SMTPSA id d9443c01a7336-2446caa3e5bsm84101975ad.33.2025.08.18.08.40.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 Aug 2025 08:40:35 -0700 (PDT) From: Stanislav Fomichev To: netdev@vger.kernel.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ayush.sawal@chelsio.com, andrew+netdev@lunn.ch, gregkh@linuxfoundation.org, horms@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de, steffen.klassert@secunet.com, sdf@fomichev.me, mhal@rbox.co, abhishektamboli9@gmail.com, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, herbert@gondor.apana.org.au Subject: [PATCH net-next v2 2/7] xfrm: Switch to skb_dstref_steal to clear dst_entry Date: Mon, 18 Aug 2025 08:40:27 -0700 Message-ID: <20250818154032.3173645-3-sdf@fomichev.me> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250818154032.3173645-1-sdf@fomichev.me> References: <20250818154032.3173645-1-sdf@fomichev.me> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Going forward skb_dst_set will assert that skb dst_entry is empty during skb_dst_set. skb_dstref_steal is added to reset existing entry without doing refcnt. Switch to skb_dstref_steal in __xfrm_route_forward and add a comment on why it's safe to skip skb_dstref_restore. Signed-off-by: Stanislav Fomichev Tested-by: syzbot@syzkaller.appspotmail.com --- net/xfrm/xfrm_policy.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index c5035a9bc3bb..7111184eef59 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -3881,12 +3881,18 @@ int __xfrm_route_forward(struct sk_buff *skb, unsig= ned short family) } =20 skb_dst_force(skb); - if (!skb_dst(skb)) { + dst =3D skb_dst(skb); + if (!dst) { XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR); return 0; } =20 - dst =3D xfrm_lookup(net, skb_dst(skb), &fl, NULL, XFRM_LOOKUP_QUEUE); + /* ignore return value from skb_dstref_steal, xfrm_lookup takes + * care of dropping the refcnt if needed. + */ + skb_dstref_steal(skb); + + dst =3D xfrm_lookup(net, dst, &fl, NULL, XFRM_LOOKUP_QUEUE); if (IS_ERR(dst)) { res =3D 0; dst =3D NULL; --=20 2.50.1 From nobody Sat Oct 4 09:39:49 2025 Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5174C28C849; Mon, 18 Aug 2025 15:40:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.175 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531638; cv=none; b=IyEdRq/SwBwMU5+s7S5+Kc9HnPWyrOCmRH+wH2EZCNCOk1SXh2nJ7VCxtB3HS1122TFlsM8lh4+KkvuZx+INsemZHqDoh+QpI/BI/T8hPhuAGy6axwJkP8nG07dGyhlvIv/nwdqUe6VfKTdfC9KsnPcjEneMCGa4dtT5CjoGUvE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531638; c=relaxed/simple; bh=NnZxgiK0M1v0pPT5JWfo6ZgqcA1SxytGePluoUKHR44=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ZnQe0MyOHYN6cDKtDV7i/teCH21j2T76mUT96vn3+G/b6nyuZS4J/+Z2cZ94kKK016Ol6sPjHeoJcXj631ScVxeEXMVhywvzE2vY6ND2tOsGMGLVbIF+b37fOG+PfZTj7VAzRgEPeCjI5FQ+fVVG6L/FaA1X2gL/z+VskAkmLNw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me; spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.214.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-24458242b33so39896115ad.3; Mon, 18 Aug 2025 08:40:37 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755531636; x=1756136436; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=inuSpscDtJ2MQ1kOWy8s6V/eMZ9GranbL4RKE5ldQfI=; b=hLAqa5qf1gaMxMRgnepnkwZrMjRdptCe32oCKqro9lcKvFHztVY46MSo4hBwy5iwFz ifOsWqn263+F8Y2/YiNTkkSow+wpeu7BFgVvXUVZV1naeb3vkGFcV35TljxOIP5iqjug bPrwTVZNqWtKDinMsJVu7I+UNFThuZxeqGOapiM6IiE29XRmmSy5RuPvS4eDWDY6dA3x b8sO6r4vHhuBkcgiYjAAt6jC8pamVyrmQjhwLWcN1SBZfvqonaEy+JyZFe/Kknk+kpcn ll9FgV/39H3cWpHo2aYmx+6sqMH/mloFMdR1byvIBs/QKFhIGDnzRhCH/CFZ64QEj2XZ X9gA== X-Forwarded-Encrypted: i=1; AJvYcCVnPDCYNNLYIAHAY6OA3UTFZZHTnjoWaKEAV0yQRjPyLi4qu8T9uBLhnz5E9rSjb9ERISUfSNGY49K4pcnqntmW@vger.kernel.org, AJvYcCW1sBC4qpzHBlQCb413mP9u2IvhgeBh5kvlnhInT8tcIUe0JFYKkQ6+cTt2i3SO8hcFveX56DHPm9kH5E4=@vger.kernel.org X-Gm-Message-State: AOJu0YxGTqpOtE0Mw+a4peTtergti2awqALjMCnE77McXm/r0hjyH32T aX1J3Sizm+sQOoad+7NrQRqU6km0rtbCuqMHMa64c+8i3l60ohP5AhoXeUUt X-Gm-Gg: ASbGncu5zjsg9stRLU6BB+ffoe93IJ4iDKYUmvxXy+1Uk3gIh6PGZdXQiCgHboS8rkP 7vxnoHBGrHdufwKJwBfncHYHZt9ayesNRAhM3b1bwVRALRuVVr7hIM48IdZrYJSJCh9FJh0iU1l 3xo87UdvGr9Cq/yI3bxp9C/X1dz2V/sIfCc+GHQLnAILwzWDZDCAD3AgNIO8Hjk56M3GJ87/4d4 d7NviSeiTmQY6LOUZukrUr6dA7qosT29t3xEFZPDhQt6Jxf5dEyed4k4p9r5p0cEPyXt+aiiD38 Dja1LERXXiMG+5VuHaUzlQZGuAWLloIYEThY0lWm5EHPDOXBIDKgcQlYWmJRDeC+kb8DUX9mkrK 9nThWB/u/uIeg5ErBaZQc5cZZbhCFAqGV9xTXUM3KkLVx+o9aTkf1E7FSkXU= X-Google-Smtp-Source: AGHT+IGZZKT3cVuxFCE+hihe8kxfK+wOP2G53VzTXlLX+ith0209HYVW0thSRSUc4qLH6kV+2C3mvw== X-Received: by 2002:a17:902:f78a:b0:243:43a:fa2b with SMTP id d9443c01a7336-2446d9f30e2mr183864805ad.56.1755531636354; Mon, 18 Aug 2025 08:40:36 -0700 (PDT) Received: from localhost (c-73-158-218-242.hsd1.ca.comcast.net. [73.158.218.242]) by smtp.gmail.com with UTF8SMTPSA id d9443c01a7336-2446d54fe2dsm82947475ad.131.2025.08.18.08.40.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 Aug 2025 08:40:36 -0700 (PDT) From: Stanislav Fomichev To: netdev@vger.kernel.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ayush.sawal@chelsio.com, andrew+netdev@lunn.ch, gregkh@linuxfoundation.org, horms@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de, steffen.klassert@secunet.com, sdf@fomichev.me, mhal@rbox.co, abhishektamboli9@gmail.com, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, herbert@gondor.apana.org.au Subject: [PATCH net-next v2 3/7] netfilter: Switch to skb_dstref_steal to clear dst_entry Date: Mon, 18 Aug 2025 08:40:28 -0700 Message-ID: <20250818154032.3173645-4-sdf@fomichev.me> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250818154032.3173645-1-sdf@fomichev.me> References: <20250818154032.3173645-1-sdf@fomichev.me> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Going forward skb_dst_set will assert that skb dst_entry is empty during skb_dst_set. skb_dstref_steal is added to reset existing entry without doing refcnt. Switch to skb_dstref_steal in ip[6]_route_me_harder and add a comment on why it's safe to skip skb_dstref_restore. Acked-by: Florian Westphal Signed-off-by: Stanislav Fomichev Tested-by: syzbot@syzkaller.appspotmail.com --- net/ipv4/netfilter.c | 5 ++++- net/ipv6/netfilter.c | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c index 0565f001120d..e60e54e7945d 100644 --- a/net/ipv4/netfilter.c +++ b/net/ipv4/netfilter.c @@ -65,7 +65,10 @@ int ip_route_me_harder(struct net *net, struct sock *sk,= struct sk_buff *skb, un if (!(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) && xfrm_decode_session(net, skb, flowi4_to_flowi(&fl4), AF_INET) =3D=3D = 0) { struct dst_entry *dst =3D skb_dst(skb); - skb_dst_set(skb, NULL); + /* ignore return value from skb_dstref_steal, xfrm_lookup takes + * care of dropping the refcnt if needed. + */ + skb_dstref_steal(skb); dst =3D xfrm_lookup(net, dst, flowi4_to_flowi(&fl4), sk, 0); if (IS_ERR(dst)) return PTR_ERR(dst); diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c index 45f9105f9ac1..46540a5a4331 100644 --- a/net/ipv6/netfilter.c +++ b/net/ipv6/netfilter.c @@ -63,7 +63,10 @@ int ip6_route_me_harder(struct net *net, struct sock *sk= _partial, struct sk_buff #ifdef CONFIG_XFRM if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && xfrm_decode_session(net, skb, flowi6_to_flowi(&fl6), AF_INET6) =3D=3D= 0) { - skb_dst_set(skb, NULL); + /* ignore return value from skb_dstref_steal, xfrm_lookup takes + * care of dropping the refcnt if needed. + */ + skb_dstref_steal(skb); dst =3D xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0); if (IS_ERR(dst)) return PTR_ERR(dst); --=20 2.50.1 From nobody Sat Oct 4 09:39:49 2025 Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com [209.85.210.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4A35C2FE07C; Mon, 18 Aug 2025 15:40:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.175 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531639; cv=none; b=HVcr/D0V6En5n5/TyTsMr98cnQedU1z8+b5CT9oxFPdeMdooh5aeW1UxQpaOs5R6QedHYIyOjbeioZ/3sOKaTtZTQ+J1vDE6ZDC8mTIs+JxZc0shuu7ePE7u5FXtAI568ARQxtY9+uR1QI9HYZuZYuECQmA8Qp7Z1oOTVCuacxg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531639; c=relaxed/simple; bh=b/DA3hf0cVwROHnJBEhkEAOx5XAE7XNZqUHrKBEfjU8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=VFIRyYlH2sKefW5g5HTe9IMt+NntNxl+6VuAsJuXddIB8zstt40kNv4fG3bYmsukOC+ZkmjG5S0ErUGWYSX1n4y16FMf/dQwNNv18CXnLoJvE4YPL9hTrt+jpMKw2GENKoYslm5OGrrBg7uWAcqNjcOew2tbWrkROz8VAsNTXek= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me; spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.210.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pf1-f175.google.com with SMTP id d2e1a72fcca58-76e2eb49b83so2624241b3a.3; Mon, 18 Aug 2025 08:40:38 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755531637; x=1756136437; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=8GN9S1zXQyMdeN/NDuSaubUJIlHc9oqqxz49+rYEkd8=; b=pWn7frdJXby2KOx6qDE9j7OGqN1ZTHPbDYxFqiNWqoVINKufdLRTvGts759sPL0071 bVA7CtWJ7NMI6ydkX+lSmvdHsqflGcCirn5BaQRzW5u8BcbpncWRUE/0fn3VI+XXYRBb GIsz+65LyxwNyfzEf9SWP0dh9kdz2UwrZ3uGc+hIfU+nT1EBDc/s94pbVu9w/+0LTu3h Pwp3c97dxd30Nc/nr4IvIAbc+ioKOvy8bsO4OqIDy0xXnkIdD5ttN0hWf2X55VRW9YlD eJiaLKcybEbBNcgdLb+gxhT7oyIfh0zbvv1GJ6xHXZlHnO1pRloPEXlm8tdY/RMhbFef aSDA== X-Forwarded-Encrypted: i=1; AJvYcCVR9AC8tJ2D9dY2O6zHt+8IWdrqDSqL0pPCBTVNUHYrMLPRO6xqZoXCn6iKloDWZ1az6s1A7j8ich8ZlRS1Js42@vger.kernel.org, AJvYcCXWpBdOY1j2CY0FE6nZ+YXvMOnILTjREqzr2p2QftJYH/gSFTvmJZEAmDE0zLslsDG4+gMaJuPIztn+O4Q=@vger.kernel.org X-Gm-Message-State: AOJu0YyISCYWTRM6sFXvr+zCm9L28OLksMuGsHNSUbVbNxhQ79Ihmkob GzaQRwfPVM0Z736RgPGdZNqOIoUkBHvq0R22C1GO/F8PcpLbIudLPcLAEuEi X-Gm-Gg: ASbGncvXr2JqGu28xtMOTq6aYPFr4NBUqUAPWLTu5uaX7EpqSS0lICE4Od6Qymm4EBq EmCSXUwamiZvVjXhGdXzr7nwv99hIP3edTXWhB+0x4dWi8VIGbCNaOTMvMcnTZY58BN9Xi2L7/v HXnrw4/uAe1v5BY7AA9R5Xt34ybgbao+MPSjywB6Lfx/gTxmBGqdDfUWv0KbEKrqrlNehMaQ92G t4aUalGXsWD7r2nmKZHE8wCJNiXQk+YXlyrIFXqTVPyvOp9ueh85ui4gGvu2jc49+39k8vODi9o REc2Ims1X9tEG0Ecgt2Q5LXa6kOUJMsZ34TaL//iv2r7LuuTdQb1CyGjb1L//ItTjA5DrK4KqML a2rnYkCDH2AnVASsDyiYhY6DSTO5WAZL1kmJNSrtWOCKa+kN1p666MCn3tRk= X-Google-Smtp-Source: AGHT+IHUbWr0pNMEsgIWzW54IUCJF/L8KUZQxQTwcLqu+QkbVHZsmGBkmSVhRfa/ryj+iyNTFbMzBA== X-Received: by 2002:a05:6a20:918a:b0:235:2cd8:6cd1 with SMTP id adf61e73a8af0-240e636e9d6mr14498211637.34.1755531637220; Mon, 18 Aug 2025 08:40:37 -0700 (PDT) Received: from localhost (c-73-158-218-242.hsd1.ca.comcast.net. [73.158.218.242]) by smtp.gmail.com with UTF8SMTPSA id d2e1a72fcca58-76e7d0d1714sm3540b3a.15.2025.08.18.08.40.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 Aug 2025 08:40:36 -0700 (PDT) From: Stanislav Fomichev To: netdev@vger.kernel.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ayush.sawal@chelsio.com, andrew+netdev@lunn.ch, gregkh@linuxfoundation.org, horms@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de, steffen.klassert@secunet.com, sdf@fomichev.me, mhal@rbox.co, abhishektamboli9@gmail.com, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, herbert@gondor.apana.org.au Subject: [PATCH net-next v2 4/7] net: Switch to skb_dstref_steal/skb_dstref_restore for ip_route_input callers Date: Mon, 18 Aug 2025 08:40:29 -0700 Message-ID: <20250818154032.3173645-5-sdf@fomichev.me> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250818154032.3173645-1-sdf@fomichev.me> References: <20250818154032.3173645-1-sdf@fomichev.me> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Going forward skb_dst_set will assert that skb dst_entry is empty during skb_dst_set. skb_dstref_steal is added to reset existing entry without doing refcnt. skb_dstref_restore should be used to restore the previous entry. Convert icmp_route_lookup and ip_options_rcv_srr to these helpers. Add extra call to skb_dstref_reset to icmp_route_lookup to clear the ip_route_input entry. Signed-off-by: Stanislav Fomichev Tested-by: syzbot@syzkaller.appspotmail.com --- net/ipv4/icmp.c | 7 ++++--- net/ipv4/ip_options.c | 5 ++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 2ffe73ea644f..91765057aa1d 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -544,14 +544,15 @@ static struct rtable *icmp_route_lookup(struct net *n= et, struct flowi4 *fl4, goto relookup_failed; } /* Ugh! */ - orefdst =3D skb_in->_skb_refdst; /* save old refdst */ - skb_dst_set(skb_in, NULL); + orefdst =3D skb_dstref_steal(skb_in); err =3D ip_route_input(skb_in, fl4_dec.daddr, fl4_dec.saddr, dscp, rt2->dst.dev) ? -EINVAL : 0; =20 dst_release(&rt2->dst); rt2 =3D skb_rtable(skb_in); - skb_in->_skb_refdst =3D orefdst; /* restore old refdst */ + /* steal dst entry from skb_in, don't drop refcnt */ + skb_dstref_steal(skb_in); + skb_dstref_restore(skb_in, orefdst); } =20 if (err) diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c index e3321932bec0..be8815ce3ac2 100644 --- a/net/ipv4/ip_options.c +++ b/net/ipv4/ip_options.c @@ -615,14 +615,13 @@ int ip_options_rcv_srr(struct sk_buff *skb, struct ne= t_device *dev) } memcpy(&nexthop, &optptr[srrptr-1], 4); =20 - orefdst =3D skb->_skb_refdst; - skb_dst_set(skb, NULL); + orefdst =3D skb_dstref_steal(skb); err =3D ip_route_input(skb, nexthop, iph->saddr, ip4h_dscp(iph), dev) ? -EINVAL : 0; rt2 =3D skb_rtable(skb); if (err || (rt2->rt_type !=3D RTN_UNICAST && rt2->rt_type !=3D RTN_LOCAL= )) { skb_dst_drop(skb); - skb->_skb_refdst =3D orefdst; + skb_dstref_restore(skb, orefdst); return -EINVAL; } refdst_drop(orefdst); --=20 2.50.1 From nobody Sat Oct 4 09:39:49 2025 Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com [209.85.210.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 56F1031A078; Mon, 18 Aug 2025 15:40:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.175 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531640; cv=none; b=VIVy65uikbTxJieBH6rsDbyPREoDya6lRGPZ52MiK6wDwmn/2y/yNCIWL3XAsXOBCJ7Ir1j9XzZKyyKx6IEM9W8WtIIOcy9tgmZZAZKbUEr6ElWhZFTf7NzFbcHKEeGC65QFwt7zt4vQYj3CnhoepgV5sUQvp9ZsmWYpNboIoVc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531640; c=relaxed/simple; bh=sAFz2z1/ZRQC2qROcdiohLJaaH2BTTS3LygeiT3tr9o=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=DzANe/x0k9tJsz8LZ472dZuU1CWmDLH4z8FDnhpIE+rDyHxuD364jsvdQddVdwgR2H+74GDsdnCF60kVTigT3puElW87BJ/bBctSKqhwc7hL1KHU13ceQBCnmblD4g7DIFf1VzYV9TOXyJSyswWvBgsgv044g6pZjJoSvoNdn+k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me; spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.210.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pf1-f175.google.com with SMTP id d2e1a72fcca58-76e2ea887f6so3188784b3a.2; Mon, 18 Aug 2025 08:40:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755531638; x=1756136438; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=400SjVSUfc5lqYKS9qNytHX8Gj0bax7ac3ijCvpYgEA=; b=UfZ0pVoTk/vh4cXZju7E7Uge31f8uPdrtuWoZ8rhKFxF0iBROLRbyOrh7jfmJrYThY LT/liX2WpX6U2bGTI0Pa5HV2x/MlD9ts/5F6CbQdUyWXkPW0JjjBXYHdqzqiyL8WvF5f mx7aYA5U8URNOScaGoCr45yB1Ego+K8Qg4WTZW44Cx/CW++9Lr1GI+QeXek8o6idW8UJ r7m59f64CIVOxF4tEOfZNYglk6mJwqZYNeTgXVmgknJBc394rhOlNYGbhHTNsklLrrFz QF9t9xtLXQJbpq3o+YDZI0ui2CUnfR1oITirpJd/3uOsTCOJErX7gx+oguEHCpYv/5Ot S/Eg== X-Forwarded-Encrypted: i=1; AJvYcCVdk70CJaLso4iGJixjTFAQ0eCyGn133SNIEvrhokW3Yp0nV1OCgBwTlvHe6WpICFHipA7ARjrDuaLhDkFGR926@vger.kernel.org, AJvYcCXs57evboertzm0SAUJXool+YhE/fUwhij+zNadHSRKY9U3csYj9rjiu52BzCGcjrNIH0VKwy07svKKXcw=@vger.kernel.org X-Gm-Message-State: AOJu0YyIQulTkW1d6Nc9e05Jo8CftC/4qOqcyM7Es2901m8mt7UM3K5R xtysmC4jlEBvYaqIJWQaA+tKo2ojzu/VlWerMUWjghCGy0FV7fjwZ76rGwUf X-Gm-Gg: ASbGncsZaScBnzmvshnaK4TaADkF3EOc6x/LQZDmpmCeq0+m67Mz8Sy3XdXS2BwOvEO 7GpNkLKcfaGc6gXKu04YMcfiHdZIAdtzV/PsNS2LQ6YjiHRtRJK2nFiYhDpYzbpt7qBlrU0o1YX xvb7uqSbcQ9xF4KDErnONnJ9rEGT3C2923j04P6bPwot+EmwbmKum/SZ2p4LkWrNthZU7s5JW7a nw0W9bInDQHdj6WIxwqqLQa/hy7eb64XFQvk4fqlYIlTEjgRNgZaHxiXOPICXlA0N1ymI4KubBN kFgNO8pnXOwAJPStv6Gn9A0bpzquolko+jFDHXhH/ZU3Nlgw1fsjmSmdd3PL/ihRo+LKxCfb3vz N14ozP2GdFPHAkT3UTiNocVBfWphGzIDYfAfC19JhsYADuvtEcI36m4eEinY= X-Google-Smtp-Source: AGHT+IECWwhvmllltH2cL2i4wyPzxSnCX2N0lJL9cMNY5uoidiXvTkAY62nN1JppFj6A7yEoIZc6+g== X-Received: by 2002:a05:6a00:1701:b0:76b:f01c:ff08 with SMTP id d2e1a72fcca58-76e446a7638mr15752658b3a.2.1755531638161; Mon, 18 Aug 2025 08:40:38 -0700 (PDT) Received: from localhost (c-73-158-218-242.hsd1.ca.comcast.net. [73.158.218.242]) by smtp.gmail.com with UTF8SMTPSA id d2e1a72fcca58-76e7d10fdb1sm5731b3a.27.2025.08.18.08.40.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 Aug 2025 08:40:37 -0700 (PDT) From: Stanislav Fomichev To: netdev@vger.kernel.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ayush.sawal@chelsio.com, andrew+netdev@lunn.ch, gregkh@linuxfoundation.org, horms@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de, steffen.klassert@secunet.com, sdf@fomichev.me, mhal@rbox.co, abhishektamboli9@gmail.com, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, herbert@gondor.apana.org.au Subject: [PATCH net-next v2 5/7] staging: octeon: Convert to skb_dst_drop Date: Mon, 18 Aug 2025 08:40:30 -0700 Message-ID: <20250818154032.3173645-6-sdf@fomichev.me> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250818154032.3173645-1-sdf@fomichev.me> References: <20250818154032.3173645-1-sdf@fomichev.me> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Instead of doing dst_release and skb_dst_set, do skb_dst_drop which should do the right thing. Acked-by: Greg Kroah-Hartman Signed-off-by: Stanislav Fomichev Tested-by: syzbot@syzkaller.appspotmail.com --- drivers/staging/octeon/ethernet-tx.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/staging/octeon/ethernet-tx.c b/drivers/staging/octeon/= ethernet-tx.c index 261f8dbdc382..0ba240e634a1 100644 --- a/drivers/staging/octeon/ethernet-tx.c +++ b/drivers/staging/octeon/ethernet-tx.c @@ -346,8 +346,7 @@ netdev_tx_t cvm_oct_xmit(struct sk_buff *skb, struct ne= t_device *dev) * The skbuff will be reused without ever being freed. We must * cleanup a bunch of core things. */ - dst_release(skb_dst(skb)); - skb_dst_set(skb, NULL); + skb_dst_drop(skb); skb_ext_reset(skb); nf_reset_ct(skb); skb_reset_redirect(skb); --=20 2.50.1 From nobody Sat Oct 4 09:39:49 2025 Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2A6D831E115; Mon, 18 Aug 2025 15:40:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531642; cv=none; b=YvoTep2f7kNvvOOuUhxqzdV+RNEvFEiWl3BYfK89aA3cQAVLdRIr58+UbI6iXuTBAUvn31vuTuGUmBWbeOP0hrvMD/xCjZodvbGCcuUM/xkYugLAhPC+pnhxeMNF7bPf2uJVnVMhM07un4CA3XlLkxifTH+qpwMvPJHzIsHjl4Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531642; c=relaxed/simple; bh=SsY5sl/7Ca92dz3Qp7HpP8+SYaQy40ISIcYTwzL6rZY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=cKwwnFzlmYUz4C2el5Q8ZmHaN81XrfpRGI6WMfWmjjTGyOneqYHNmC2nZRQL+Mx1c3XPTQDk0+bS0qhx1uQQ0p9rOJBVTHWMlCAooXg8iBHSVP1IVnkHe8TVEGhzoXcUhU9QZpPhPG87UoF4Nr93atEEEfJZWV6igBoRBi9swSM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me; spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.214.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-244581d9866so35330895ad.2; Mon, 18 Aug 2025 08:40:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755531639; x=1756136439; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=G7ZlQs5RoXi9haultf5dqnNcftoZY1H3XDCLA/FcF+Q=; b=f+16gxVIQv8LuuSZznzr5I3ksv32gTmhMnnHCk6RWM6tkGvkz9TlWD22MSwIA4igVV WznN/c1HsWSVH1C92G22QcTNFSG3tZdcmanlFuIvM+biBw7hvsXar4wn3cznuv0EZSam bL8CZrWnkhqq2Kid5Dhs5TWovb3GHoo9WZCF06ywxGy0fb2mUMK3taJTBS7+Vhi3g+NL pL/sAxl2OjI2dfTRwxFhW1Wdvy3wve7iy8vCQ4u05bTk0lkzqjr8u3iB8Fy4qwalG4LC LGvOU5zkdJH+9aipCGO7ZiGWW+FqX1vb71JphCzWiV+fV+Dsy4e/06qW5k/7e412E5ve kh3w== X-Forwarded-Encrypted: i=1; AJvYcCVk+raSIwFVvn2fUOHJo6JIG/8dWo8aQRXz278TKsdRkULG1fsegVDY16KtROifWG6mj3uK2lEQeDbYvXI=@vger.kernel.org, AJvYcCWQHSho4AZuRcJ+idobjI2KetjbpGNTB2htSDLNFT+LAkbteXXzQzS3uB8VlbSsYB/FxpQETxgdARnLQjYi4eF3@vger.kernel.org X-Gm-Message-State: AOJu0YzXwSAA0nGDnM/CJTUa6LpMl9lC+RauJPC+P/uXOEfHTTdYRwNo tqUo2nhFafwRj9pxlGqEKdmlM/R4ZR7vtjJzTz0aoHqZDDGr7+8ScfwkyoNi X-Gm-Gg: ASbGncuLic1gBCX/HDQ/mVNobyArLAM2MwDnvRscCg+Cm8w3kuZMdfrG22lAMeh5Ra7 BwV0uO+bL4h7oLdJYep1Ll5q2MfrhDzT20/KhulVLgj6/QmnDn+gv4BaT3eNdstivaFbzVXCZUb ijYwin7X1tRh2zgs4+jqnz++XsmmLIOsoGXK0GZML420l/H4c0ZfuGTY4Bp+eLjUTCPyhE13BPf XHO25Oe7aqPbs5NZKuIjY+6tKJ6HdkW7C834rWStYM7EAz4ANKu5oWxjz0eLphVYfJMVN4oOZzu s9sNYqXORJndgqwrtL6VGLOO2TRg2+hGoDat6ste62qAv51f2uk6JzRKl0oQH86CUqbUMYdCuAs EpyK/a6wp0ny38ZTbuoo/UtyOIBn3EwOuSk3R0GvDBBSxRHhelZTiW5dy6Fk= X-Google-Smtp-Source: AGHT+IHFrVJ2I69jC+NHZzoCi8+QOllriQ0LPquSAPR77h5OF5Qv0KgzG/8bmcIayeieUXiXjPi9Fg== X-Received: by 2002:a17:903:41c8:b0:240:92f9:7b85 with SMTP id d9443c01a7336-2446cb8d3c6mr193477365ad.0.1755531639142; Mon, 18 Aug 2025 08:40:39 -0700 (PDT) Received: from localhost (c-73-158-218-242.hsd1.ca.comcast.net. [73.158.218.242]) by smtp.gmail.com with UTF8SMTPSA id d9443c01a7336-2446d54f8b9sm84736575ad.130.2025.08.18.08.40.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 Aug 2025 08:40:38 -0700 (PDT) From: Stanislav Fomichev To: netdev@vger.kernel.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ayush.sawal@chelsio.com, andrew+netdev@lunn.ch, gregkh@linuxfoundation.org, horms@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de, steffen.klassert@secunet.com, sdf@fomichev.me, mhal@rbox.co, abhishektamboli9@gmail.com, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, herbert@gondor.apana.org.au Subject: [PATCH net-next v2 6/7] chtls: Convert to skb_dst_reset Date: Mon, 18 Aug 2025 08:40:31 -0700 Message-ID: <20250818154032.3173645-7-sdf@fomichev.me> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250818154032.3173645-1-sdf@fomichev.me> References: <20250818154032.3173645-1-sdf@fomichev.me> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Going forward skb_dst_set will assert that skb dst_entry is empty during skb_dst_set. skb_dstref_steal is added to reset existing entry without doing refcnt. Chelsio driver is doing extra dst management via skb_dst_set(NULL). Replace these calls with skb_dstref_steal. Signed-off-by: Stanislav Fomichev Tested-by: syzbot@syzkaller.appspotmail.com --- .../ethernet/chelsio/inline_crypto/chtls/chtls_cm.c | 10 +++++----- .../ethernet/chelsio/inline_crypto/chtls/chtls_cm.h | 4 ++-- .../ethernet/chelsio/inline_crypto/chtls/chtls_io.c | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c b/= drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c index 6f6525983130..2e7c2691a193 100644 --- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c +++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c @@ -171,7 +171,7 @@ static void chtls_purge_receive_queue(struct sock *sk) struct sk_buff *skb; =20 while ((skb =3D __skb_dequeue(&sk->sk_receive_queue)) !=3D NULL) { - skb_dst_set(skb, (void *)NULL); + skb_dstref_steal(skb); kfree_skb(skb); } } @@ -194,7 +194,7 @@ static void chtls_purge_recv_queue(struct sock *sk) struct sk_buff *skb; =20 while ((skb =3D __skb_dequeue(&tlsk->sk_recv_queue)) !=3D NULL) { - skb_dst_set(skb, NULL); + skb_dstref_steal(skb); kfree_skb(skb); } } @@ -1734,7 +1734,7 @@ static int chtls_rx_data(struct chtls_dev *cdev, stru= ct sk_buff *skb) pr_err("can't find conn. for hwtid %u.\n", hwtid); return -EINVAL; } - skb_dst_set(skb, NULL); + skb_dstref_steal(skb); process_cpl_msg(chtls_recv_data, sk, skb); return 0; } @@ -1786,7 +1786,7 @@ static int chtls_rx_pdu(struct chtls_dev *cdev, struc= t sk_buff *skb) pr_err("can't find conn. for hwtid %u.\n", hwtid); return -EINVAL; } - skb_dst_set(skb, NULL); + skb_dstref_steal(skb); process_cpl_msg(chtls_recv_pdu, sk, skb); return 0; } @@ -1855,7 +1855,7 @@ static int chtls_rx_cmp(struct chtls_dev *cdev, struc= t sk_buff *skb) pr_err("can't find conn. for hwtid %u.\n", hwtid); return -EINVAL; } - skb_dst_set(skb, NULL); + skb_dstref_steal(skb); process_cpl_msg(chtls_rx_hdr, sk, skb); =20 return 0; diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.h b/= drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.h index f61ca657601c..2285cf2df251 100644 --- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.h +++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.h @@ -171,14 +171,14 @@ static inline void chtls_set_req_addr(struct request_= sock *oreq, =20 static inline void chtls_free_skb(struct sock *sk, struct sk_buff *skb) { - skb_dst_set(skb, NULL); + skb_dstref_steal(skb); __skb_unlink(skb, &sk->sk_receive_queue); __kfree_skb(skb); } =20 static inline void chtls_kfree_skb(struct sock *sk, struct sk_buff *skb) { - skb_dst_set(skb, NULL); + skb_dstref_steal(skb); __skb_unlink(skb, &sk->sk_receive_queue); kfree_skb(skb); } diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c b/= drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c index 465fa8077964..4036db466e18 100644 --- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c +++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c @@ -1434,7 +1434,7 @@ static int chtls_pt_recvmsg(struct sock *sk, struct m= sghdr *msg, size_t len, continue; found_ok_skb: if (!skb->len) { - skb_dst_set(skb, NULL); + skb_dstref_steal(skb); __skb_unlink(skb, &sk->sk_receive_queue); kfree_skb(skb); =20 --=20 2.50.1 From nobody Sat Oct 4 09:39:49 2025 Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com [209.85.216.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 19D6232145D; Mon, 18 Aug 2025 15:40:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.45 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531642; cv=none; b=BdXDAgE40naPeEUBrFk/RgoAjv8QhXoEXcsm5rqhpGMYXJdVvk/Ec592XZbN4A/TgEbvMYY/umE9BIQJQD6s14TfT4J01O6mygn2skLXwZNHezGT3MOA81adelTA2rxFfTq2YQs7e/Iku3DY25u568/vGuAWxzOCJKeJtra4CR8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1755531642; c=relaxed/simple; bh=yx4/gncC8/kNv9BYML7mQpQ1qDBOLCtw0VSWH3Enhvg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=smAV+AU1gNTT6Q+2jTTcSmXW+8MsBepISBn8yzqfkqn9WjjGgwGi5ra6JGxhRPzsASzqaYVqpWMJ1omPkB6eCVprU5oc2qdTYQvfEyCzsvWjqVj2WW/HfbmSX83AE76DVd3mTqGtPraCtJ9a6JMLyQG4vRbAf8RI27/zZuedSvU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me; spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.216.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fomichev.me Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pj1-f45.google.com with SMTP id 98e67ed59e1d1-32372c05c5dso868668a91.0; Mon, 18 Aug 2025 08:40:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755531640; x=1756136440; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=2ZiDhH8lJYpxsMwsOULjJgcF6kHMw4SKOMZiQSRJphw=; b=ZeWC77+SWoV18vnG/7frLcCexKI7pYeXWt6TOU3D99tzssRceHNO1iKNVQBB6IXK8P DBalFx5KgedWYfEKXMNoGOqH/3UtnNIokEBX+J6NdMdadYijgR1pVcD6+fO6qlHsLAmc NCN3TWic61xaE8sPg7ux0suyEoAXmEkEG7ya4/SM1XcGqlj8LzpPZavNCrt6Ikzz3bhP YRJwGNR1UZNi2Z9sJwSejaXoOMd21EzuvFLkGUhFT+WVk+Cc9XZYPoFzSC+QoAE4DEp0 4RxhsZ++uunrCNcw9g+U/iPVwdnzFE9BsAFOWIAXVo2DusGf1qOv7B/NrPEFO9Z1gMpr JODg== X-Forwarded-Encrypted: i=1; AJvYcCWfLTEBxxYSxBPtx1J2j0wcxjXbaFm5z77zdA9WHpN7K0Oqk7rdn9vAEzkBvmKlsB8yaopdh8T05w+8eQASa+O7@vger.kernel.org, AJvYcCXzdQZIb55UlZNHMcu4QOmHC8wvcNpLyS2ysD0Nnp19f1XNhgU/5b7ILlJ2A8qykjxVortUDj0Tcf1Oo24=@vger.kernel.org X-Gm-Message-State: AOJu0Ywusq+ujTsVFpiKauDbI+9vKBq3BvTaGv8wNklP7BHBHEejEuQd 23lSdl8eH0K+0nzdZE7IluZqaX5tw+lcHLlpmf6E2ymHTXI8+o+PW1S4vmol X-Gm-Gg: ASbGncsmCQbvE6qtbrpCA7LV3Stj00j3ySBskgWzp7KwDwUyycsW5lX42/CnIcLARpV mfjlYxA10AJHHvNS+40cy27wwD1Q3BzVaa89+9HrDaR34xjnOa+s09mIUnF55lkAOze2To51fUr MQZVBOkFha24jBzTEW/zoajTutrgzMuszGt4ifetDzvkGjX7t0dYRYuSj04M+EO7sZkYzOqOYbQ ZJcwhLC2Tp8shC9GYjbuGHIqsy4lLNunlDcgnz4J1ecY7LpVL7bWHgb+Lw8UjkV30an+zlIEzp7 Oa5K3C3HFH+saPuX28nMjgYFAeLgKddbHYI8H6qw3PyLZ2GfmK39eeR9gy48KnozfQPpbJaZOXy JTXObj/CBuYx+UkXYtp1mPmqPdiJnISp82z1bIcMp7L4L2DqutReMw4glR80= X-Google-Smtp-Source: AGHT+IFmU512VBEKl8tKUHinnvnnzctYutH9GE6lRXZ0n1MBwajOvk6R1sR7fEQLQmsj+Iy0n1218Q== X-Received: by 2002:a17:90b:52c6:b0:31c:15d9:8ae with SMTP id 98e67ed59e1d1-3234218df88mr19443955a91.33.1755531640116; Mon, 18 Aug 2025 08:40:40 -0700 (PDT) Received: from localhost (c-73-158-218-242.hsd1.ca.comcast.net. [73.158.218.242]) by smtp.gmail.com with UTF8SMTPSA id 41be03b00d2f7-b472d5a7a35sm8507826a12.10.2025.08.18.08.40.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 Aug 2025 08:40:39 -0700 (PDT) From: Stanislav Fomichev To: netdev@vger.kernel.org Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ayush.sawal@chelsio.com, andrew+netdev@lunn.ch, gregkh@linuxfoundation.org, horms@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de, steffen.klassert@secunet.com, sdf@fomichev.me, mhal@rbox.co, abhishektamboli9@gmail.com, linux-kernel@vger.kernel.org, linux-staging@lists.linux.dev, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, herbert@gondor.apana.org.au Subject: [PATCH net-next v2 7/7] net: Add skb_dst_check_unset Date: Mon, 18 Aug 2025 08:40:32 -0700 Message-ID: <20250818154032.3173645-8-sdf@fomichev.me> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250818154032.3173645-1-sdf@fomichev.me> References: <20250818154032.3173645-1-sdf@fomichev.me> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" To prevent dst_entry leaks, add warning when the non-NULL dst_entry is rewritten. Signed-off-by: Stanislav Fomichev Tested-by: syzbot@syzkaller.appspotmail.com --- include/linux/skbuff.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 7538ca507ee9..ca8be45dd8be 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -1159,6 +1159,12 @@ static inline struct dst_entry *skb_dst(const struct= sk_buff *skb) return (struct dst_entry *)(skb->_skb_refdst & SKB_DST_PTRMASK); } =20 +static inline void skb_dst_check_unset(struct sk_buff *skb) +{ + DEBUG_NET_WARN_ON_ONCE((skb->_skb_refdst & SKB_DST_PTRMASK) && + !(skb->_skb_refdst & SKB_DST_NOREF)); +} + /** * skb_dstref_steal() - return current dst_entry value and clear it * @skb: buffer @@ -1188,6 +1194,7 @@ static inline unsigned long skb_dstref_steal(struct s= k_buff *skb) */ static inline void skb_dstref_restore(struct sk_buff *skb, unsigned long r= efdst) { + skb_dst_check_unset(skb); skb->_skb_refdst =3D refdst; } =20 @@ -1201,6 +1208,7 @@ static inline void skb_dstref_restore(struct sk_buff = *skb, unsigned long refdst) */ static inline void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst) { + skb_dst_check_unset(skb); skb->slow_gro |=3D !!dst; skb->_skb_refdst =3D (unsigned long)dst; } @@ -1217,6 +1225,7 @@ static inline void skb_dst_set(struct sk_buff *skb, s= truct dst_entry *dst) */ static inline void skb_dst_set_noref(struct sk_buff *skb, struct dst_entry= *dst) { + skb_dst_check_unset(skb); WARN_ON(!rcu_read_lock_held() && !rcu_read_lock_bh_held()); skb->slow_gro |=3D !!dst; skb->_skb_refdst =3D (unsigned long)dst | SKB_DST_NOREF; --=20 2.50.1