On Wed, Oct 11, 2023 at 12:57:52PM +0300, Dan Carpenter wrote:
> Hello Steffen Klassert,
>
> The patch 172bf009c18d: "xfrm: Support GRO for IPv4 ESP in UDP
> encapsulation" from Oct 4, 2023 (linux-next), leads to the following
> Smatch static checker warning:
>
> net/ipv6/xfrm6_input.c:174 xfrm6_udp_encap_rcv()
> warn: passing freed memory 'skb'
>
> net/ipv6/xfrm6_input.c
> 168 int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
> 169 {
> 170 int ret;
> 171
> 172 ret = __xfrm6_udp_encap_rcv(sk, skb, true);
>
> The xfrm4_udp_encap_rcv() function frees skb and returns zero.
>
> 173 if (!ret)
> --> 174 return xfrm6_rcv_encap(skb, IPPROTO_ESP, 0,
> ^^^
> Use after free
>
This generated warnings for the other places that call
__xfrm6_udp_encap_rcv() as well.
net/ipv6/xfrm6_input.c:207 xfrm6_gro_udp_encap_rcv() warn: passing freed memory 'skb'
regards,
dan carpenter
