From: Deepanshu Kartikey
To: steffen.klassert@secunet.com, herbert@gondor.apana.org.au, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org
Cc: leon@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Deepanshu Kartikey, syzbot+901d48e0b95aed4a2548@syzkaller.appspotmail.com
Subject: [PATCH] xfrm: fix memory leak in xfrm_add_policy()
Date: Sun, 12 Apr 2026 07:38:09 +0530
Message-ID: <20260412020809.35465-1-kartikey406@gmail.com>

When xfrm_policy_insert() fails, the error path performs manual cleanup
by calling xfrm_dev_policy_free(), security_xfrm_policy_free() and
kfree() directly. This is incorrect because xfrm_policy_destroy()
already handles all of these, causing a memory leak detected by
kmemleak.

Replace the open-coded cleanup with xfrm_policy_destroy(), consistent
with the error handling in xfrm_policy_construct(). The walk.dead flag
must be set before calling xfrm_policy_destroy() as it requires it via
BUG_ON(!policy->walk.dead).

Fixes: 94b95dfaa814 ("xfrm: release all offloaded policy memory")
Reported-by: syzbot+901d48e0b95aed4a2548@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=901d48e0b95aed4a2548
Tested-by: syzbot+901d48e0b95aed4a2548@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey
---
 net/xfrm/xfrm_user.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index d56450f61669..ae144d1e4a65 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -2267,9 +2267,8 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, if (err) { xfrm_dev_policy_delete(xp); - xfrm_dev_policy_free(xp); - security_xfrm_policy_free(xp->security); - kfree(xp); + xp->walk.dead = 1; + xfrm_policy_destroy(xp); return err; } -- 2.43.0
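Review bot: the three calls removed from the `if (err)` branch of xfrm_add_policy() (xfrm_dev_policy_free(), security_xfrm_policy_free(), kfree()) are described in the commit message as things xfrm_policy_destroy() "already handles", which explains equivalence but not the leak. Please name in the changelog the object that the open-coded path left allocated and that xfrm_policy_destroy() releases, so the Fixes: tag can be checked against it and stable backporters can tell whether their tree is affected. Separately, `xp->walk.dead = 1;` is set on a policy that was never successfully inserted, which reads oddly without context; a one-line comment above it saying it exists to satisfy the BUG_ON(!policy->walk.dead) in xfrm_policy_destroy() would keep a later cleanup from dropping it and turning this error path into a BUG. It is also worth confirming in the changelog that xfrm_dev_policy_delete(xp), which is kept, is still needed ahead of xfrm_policy_destroy(xp) and is not repeated inside it.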