Thanks for the detailed analysis on v2, Sasha. Here's v3.

v3: Backport b05d42eefac7 ("xfrm: hold device only for the asynchronous
decryption") as a prerequisite, making the tree structurally match mainline so
the fix applies without the lifetime gap Sasha identified in v2, where the
dev_put at resume: dropped the ref before the re-hold could cover it.

v2: Restore unconditional dev_put at resume: and instead take a fresh dev_hold
immediately before transport_finish (when async && !xfrm_gro), avoiding the
reference leak on nested transport-mode that v1's suppressed resume: dev_put
caused. Prerequisite b05d42eefac7 ("xfrm: hold device only for the asynchronous
decryption") was not backported as it restructures the lock ordering and resume:
label semantics of the decryption loop, requiring non-trivial adaptation beyond
what a minimal stable fix warrants.

Jianbo Liu (1):
  xfrm: hold device only for the asynchronous decryption

Qi Tang (1):
  xfrm: hold dev ref until after transport_finish NF_HOOK

 net/ipv4/xfrm4_input.c |  5 ++++-
 net/ipv6/xfrm6_input.c |  5 ++++-
 net/xfrm/xfrm_input.c  | 25 +++++++++++++++++--------
 3 files changed, 25 insertions(+), 10 deletions(-)


base-commit: 1d3a00d3bacff25652c96e1527610c69e91f7c38
-- 
2.50.1




Amazon Web Services Development Center Germany GmbH
Tamara-Danz-Str. 13
10243 Berlin
Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger
Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B
Sitz: Berlin
Ust-ID: DE 365 538 597