netfilter: Switch to skb_dstref_steal to clear dst_entry

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Going forward skb_dst_set will assert that skb dst_entry
is empty during skb_dst_set. skb_dstref_steal is added to reset
existing entry without doing refcnt. Switch to skb_dstref_steal
in ip[6]_route_me_harder and add a comment on why it's safe
to skip skb_dstref_restore.

Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
Link: https://patch.msgid.link/20250818154032.3173645-4-sdf@fomichev.me
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Stanislav Fomichev and committed by

Jakub Kicinski 7 months ago 15488d4d c829aab2

+8 -2

2 changed files

expand all

net

ipv4

netfilter.c

ipv6

netfilter.c

+4 -1

net/ipv4/netfilter.c

··· 65 65 if (!(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) && 66 66 xfrm_decode_session(net, skb, flowi4_to_flowi(&fl4), AF_INET) == 0) { 67 67 struct dst_entry *dst = skb_dst(skb); 68 - skb_dst_set(skb, NULL); 68 + /* ignore return value from skb_dstref_steal, xfrm_lookup takes 69 + * care of dropping the refcnt if needed. 70 + */ 71 + skb_dstref_steal(skb); 69 72 dst = xfrm_lookup(net, dst, flowi4_to_flowi(&fl4), sk, 0); 70 73 if (IS_ERR(dst)) 71 74 return PTR_ERR(dst);

+4 -1

net/ipv6/netfilter.c

··· 63 63 #ifdef CONFIG_XFRM 64 64 if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && 65 65 xfrm_decode_session(net, skb, flowi6_to_flowi(&fl6), AF_INET6) == 0) { 66 - skb_dst_set(skb, NULL); 66 + /* ignore return value from skb_dstref_steal, xfrm_lookup takes 67 + * care of dropping the refcnt if needed. 68 + */ 69 + skb_dstref_steal(skb); 67 70 dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0); 68 71 if (IS_ERR(dst)) 69 72 return PTR_ERR(dst);