On Wed, Oct 11, 2023 at 01:16:33PM +0300, Dan Carpenter wrote:
> On Wed, Oct 11, 2023 at 12:57:52PM +0300, Dan Carpenter wrote:
> > Hello Steffen Klassert,
> >
> > The patch 172bf009c18d: "xfrm: Support GRO for IPv4 ESP in UDP
> > encapsulation" from Oct 4, 2023 (linux-next), leads to the following
> > Smatch static checker warning:
> >
> >     net/ipv6/xfrm6_input.c:174 xfrm6_udp_encap_rcv()
> >     warn: passing freed memory 'skb'
> >
> > net/ipv6/xfrm6_input.c
> >     168 int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
> >     169 {
> >     170         int ret;
> >     171
> >     172         ret = __xfrm6_udp_encap_rcv(sk, skb, true);
> >
> > The xfrm4_udp_encap_rcv() function frees skb and returns zero.
> >
> >     173         if (!ret)
> > --> 174                 return xfrm6_rcv_encap(skb, IPPROTO_ESP, 0,
> >                                                ^^^
> > Use after free
> >
>
> This generated warnings for the other places that call
> __xfrm6_udp_encap_rcv() as well.

I see what it is. We can't call xfrm4_udp_encap_rcv from
__xfrm6_udp_encap_rcv as we currently do it.

I'll send a fix at the beginning of the next week.

Thanks a lot for the report!
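The pattern Smatch flags above, as a userspace model added here (not kernel code, and not the fix promised in this thread): a callee that releases the buffer and returns zero, and a caller that reads zero as "keep going". All names (`struct pkt`, `inner_*`, `outer_*`, `enum verdict`) are hypothetical, and the "free" is a flag so the model stays memory-safe.

```c
#include <stdio.h>

/* Userspace model of the reported pattern; every name here is hypothetical. */
struct pkt { int consumed; int len; };
static int stale_uses; /* times a consumed packet was touched again */

/* Stands in for freeing the skb; a flag keeps the model itself memory-safe. */
static void pkt_consume(struct pkt *p) { p->consumed = 1; }

static int pkt_deliver(struct pkt *p)
{
    if (p->consumed) { stale_uses++; return -1; } /* use after free in real code */
    return p->len;
}

/* Ambiguous contract: 0 is returned whether or not the packet was consumed. */
static int inner_ambiguous(struct pkt *p, int drop)
{
    if (drop)
        pkt_consume(p);
    return 0;
}

static int outer_ambiguous(struct pkt *p, int drop)
{
    int ret = inner_ambiguous(p, drop);
    if (!ret)                 /* cannot tell "consumed" from "continue" */
        return pkt_deliver(p);
    return ret;
}

/* Explicit contract: the return value states who owns the packet now. */
enum verdict { PKT_CONSUMED, PKT_CONTINUE };

static enum verdict inner_explicit(struct pkt *p, int drop)
{
    if (!drop)
        return PKT_CONTINUE;
    pkt_consume(p);
    return PKT_CONSUMED;
}

static int outer_explicit(struct pkt *p, int drop)
{
    if (inner_explicit(p, drop) == PKT_CONSUMED)
        return 0;             /* callee owned and released it: do not touch */
    return pkt_deliver(p);
}

int main(void) { struct pkt a = {0, 64}, b = {0, 64}; printf("%d %d\n", outer_ambiguous(&a, 1), outer_explicit(&b, 1)); return 0; }
```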