CVE-2026-43167

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: always flush state and policy upon NETDEV_UNREGISTER event<br /> <br /> syzbot is reporting that "struct xfrm_state" refcount is leaking.<br /> <br /> unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2<br /> ref_tracker: netdev@ffff888052f24618 has 1/1 users at<br /> __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]<br /> netdev_tracker_alloc include/linux/netdevice.h:4412 [inline]<br /> xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316<br /> xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline]<br /> xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022<br /> xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507<br /> netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550<br /> xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]<br /> netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344<br /> netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894<br /> sock_sendmsg_nosec net/socket.c:727 [inline]<br /> __sock_sendmsg net/socket.c:742 [inline]<br /> ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592<br /> ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646<br /> __sys_sendmsg+0x16d/0x220 net/socket.c:2678<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> This is because commit d77e38e612a0 ("xfrm: Add an IPsec hardware<br /> offloading API") implemented xfrm_dev_unregister() as no-op despite<br /> xfrm_dev_state_add() from xfrm_state_construct() acquires a reference<br /> to "struct net_device".<br /> I guess that that commit expected that NETDEV_DOWN event is fired before<br /> NETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add()<br /> is called only if (dev-&gt;features &amp; NETIF_F_HW_ESP) != 0.<br /> <br /> Sabrina Dubroca identified steps to reproduce the same symptoms as below.<br /> <br /> echo 0 &gt; /sys/bus/netdevsim/new_device<br /> dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/)<br /> ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \<br /> spi 0x1000 mode tunnel aead &amp;#39;rfc4106(gcm(aes))&amp;#39; $key 128 \<br /> offload crypto dev $dev dir out<br /> ethtool -K $dev esp-hw-offload off<br /> echo 0 &gt; /sys/bus/netdevsim/del_device<br /> <br /> Like these steps indicate, the NETIF_F_HW_ESP bit can be cleared after<br /> xfrm_dev_state_add() acquired a reference to "struct net_device".<br /> Also, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit<br /> when acquiring a reference to "struct net_device".<br /> <br /> Commit 03891f820c21 ("xfrm: handle NETDEV_UNREGISTER for xfrm device")<br /> re-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that<br /> commit for unknown reason chose to share xfrm_dev_down() between the<br /> NETDEV_DOWN event and the NETDEV_UNREGISTER event.<br /> I guess that that commit missed the behavior in the previous paragraph.<br /> <br /> Therefore, we need to re-introduce xfrm_dev_unregister() in order to<br /> release the reference to "struct net_device" by unconditionally flushing<br /> state and policy.