Patch "xfrm: call xfrm_dev_policy_delete when kill policy" has been added to the 6.6-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    xfrm: call xfrm_dev_policy_delete when kill policy

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm-call-xfrm_dev_policy_delete-when-kill-policy.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d392914956e21a01547635e6bdcb7be3bbac8462
Author: Jianbo Liu <jianbol@xxxxxxxxxx>
Date:   Mon Jul 8 09:58:12 2024 +0300

    xfrm: call xfrm_dev_policy_delete when kill policy
    
    [ Upstream commit 89a2aefe4b084686c2ffc1ee939585111ea4fc0f ]
    
    xfrm_policy_kill() is called at different places to delete xfrm
    policy. It will call xfrm_pol_put(). But xfrm_dev_policy_delete() is
    not called to free the policy offloaded to hardware.
    
    The three commits cited here are to handle this issue by calling
    xfrm_dev_policy_delete() outside xfrm_get_policy(). But they didn't
    cover all the cases. An example, which is not handled for now, is
    xfrm_policy_insert(). It is called when XFRM_MSG_UPDPOLICY request is
    received. Old policy is replaced by new one, but the offloaded policy
    is not deleted, so driver doesn't have the chance to release hardware
    resources.
    
    To resolve this issue for all cases, move xfrm_dev_policy_delete()
    into xfrm_policy_kill(), so the offloaded policy can be deleted from
    hardware when it is called, which avoids hardware resources leakage.
    
    Fixes: 919e43fad516 ("xfrm: add an interface to offload policy")
    Fixes: bf06fcf4be0f ("xfrm: add missed call to delete offloaded policies")
    Fixes: 982c3aca8bac ("xfrm: delete offloaded policy")
    Signed-off-by: Jianbo Liu <jianbol@xxxxxxxxxx>
    Reviewed-by: Cosmin Ratiu <cratiu@xxxxxxxxxx>
    Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxx>
    Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 0dde08e02887d..b699cc2ec35ac 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -436,6 +436,8 @@ EXPORT_SYMBOL(xfrm_policy_destroy);
 
 static void xfrm_policy_kill(struct xfrm_policy *policy)
 {
+	xfrm_dev_policy_delete(policy);
+
 	write_lock_bh(&policy->lock);
 	policy->walk.dead = 1;
 	write_unlock_bh(&policy->lock);
@@ -1834,7 +1836,6 @@ int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
 
 		__xfrm_policy_unlink(pol, dir);
 		spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
-		xfrm_dev_policy_delete(pol);
 		cnt++;
 		xfrm_audit_policy_delete(pol, 1, task_valid);
 		xfrm_policy_kill(pol);
@@ -1875,7 +1876,6 @@ int xfrm_dev_policy_flush(struct net *net, struct net_device *dev,
 
 		__xfrm_policy_unlink(pol, dir);
 		spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
-		xfrm_dev_policy_delete(pol);
 		cnt++;
 		xfrm_audit_policy_delete(pol, 1, task_valid);
 		xfrm_policy_kill(pol);
@@ -2326,7 +2326,6 @@ int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
 	pol = __xfrm_policy_unlink(pol, dir);
 	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
 	if (pol) {
-		xfrm_dev_policy_delete(pol);
 		xfrm_policy_kill(pol);
 		return 0;
 	}
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 444e58bc3f440..979f23cded401 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2348,7 +2348,6 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
 					    NETLINK_CB(skb).portid);
 		}
 	} else {
-		xfrm_dev_policy_delete(xp);
 		xfrm_audit_policy_delete(xp, err ? 0 : 1, true);
 
 		if (err != 0)