-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEH7ZpcWbFyOOp6OJbrB3Eaf9PW7cFAmopbrsACgkQrB3Eaf9P
W7cGkg//ZWSTsofbJTwxfGpS5/bkDplup/5evevcbBBJWXfPVM1ImK+oJ3M/hisF
/Xx7PDwaw13qdDeH/ZCWRnKAWuEPkt8Y5j51R5QDJKhk3V7h8jAG1sRyQtnE2Z9M
JyKmNFJB2cyCYQnpMHfRDW+TMtgCeriKL+rxxRlSB9bbEC/64pLWAeQc9SliSjUj
M6I3jHHEkQVG2PzqzViIk8B2GATSTVEyHZMHlPAVAEgaIfNeTX1TzaIbyuaM2yoP
/hYPPTsNvaTmXS+4kLg7zEoLEeOdYdhSD538L7GWnkijUbSIkyd+dpKSfoNMy8An
/JjY+2GAW1+y2VpS6YbQzE0Q2Bs9ZPU6B5RCETC1drgpxQDBDas5HxwmNA/aKJ/j
brMQDL412K8oZrEls/t3wDuP1sdHDZQNP/Zn2OysJX2Hi2rIObE6Xm/tRTyMkrio
CU2EX+fXHuLsz+2Hh2Pw3X4G+JgNrPmEJhHRn/Bv0Sl5/fzNP6Jp1vQg6oC/7uoa
2h/hxSmeJObBcg79sLmVfrpjzFoJ6fqQ4Z7JIj6qtIxnMvI74DxRJFJHk54XL7Qk
6cLZlwXnea0Eqa71mu18sCO0MAep9Cui+A0+CH5OplHm6sdzufWEuoQx9BpGV7ce
X14GM7KpWzo1LHCXYg4IOcf9JJdV8+YULubWy7SC/9xHjW7ETQY=
=vhay
-----END PGP SIGNATURE-----
Merge tag 'ipsec-2026-06-10' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
Steffen Klassert says:
====================
pull request (net): ipsec 2026-06-10
1) xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()
Propagate SKBFL_SHARED_FRAG when paged fragments are moved between
skbs so ESP can decide whether in-place crypto is safe.
2) xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload
Replace the unlocked read of xtfs->ra_newskb with a local flag so a
concurrent reassembly can no longer free first_skb between
spin_unlock and the post-loop check.
3) xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
Prune the inexact bin under xfrm_policy_lock so a concurrent
xfrm_hash_rebuild() can no longer free it before xfrm_policy_kill()
dereferences it.
4) xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()
Move hrtimer_cancel() for the output and drop timers ahead of their
spinlocks, breaking the softirq/lock cycle that could deadlock
against the timer callbacks on SMP.
5) xfrm: espintcp: do not reuse an in-progress partial send
Fail a new send when espintcp_push_msgs() returns with emsg->len
still set, so a blocking caller can no longer overwrite ctx->partial
while a previous transfer still owns it.
6) esp: fix page frag reference leak on skb_to_sgvec failure
Add a flag to esp_ssg_unref() to unconditionally unref the source
scatterlist, releasing the old page references that are otherwise
leaked when the second skb_to_sgvec() in esp_output_tail() fails.
Please pull or let me know if there are problems.
ipsec-2026-06-10
* tag 'ipsec-2026-06-10' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
esp: fix page frag reference leak on skb_to_sgvec failure
xfrm: espintcp: do not reuse an in-progress partial send
xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()
xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload
xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()
====================
Link: https://patch.msgid.link/20260610140800.2562818-1-steffen.klassert@secunet.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>