From: Sabrina Dubroca <sd@queasysnail.net>
To: Zilin Guan <zilin@seu.edu.cn>
Cc: steffen.klassert@secunet.com, herbert@gondor.apana.org.au,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, jianhao.xu@seu.edu.cn
Subject: Re: [PATCH] xfrm: fix memory leak in xfrm_add_acquire()
Date: Sat, 8 Nov 2025 11:08:15 +0100 [thread overview]
Message-ID: <aQ8Wj0fIH9KSEKg7@krikkit> (raw)
In-Reply-To: <20251108051054.1259265-1-zilin@seu.edu.cn>
2025-11-08, 05:10:54 +0000, Zilin Guan wrote:
> xfrm_add_acquire() constructs an xfrm_policy by calling
> xfrm_policy_construct(), which allocates the policy structure via
> xfrm_policy_alloc() and initializes its security context.
>
> However, xfrm_add_acquire() currently releases the policy with kfree(),
> which skips the proper cleanup and causes a memory leak.
>
> Fix this by calling xfrm_policy_destroy() instead of kfree() to
> properly release the policy and its associated resources, consistent
> with the cleanup path in xfrm_policy_construct().
>
> Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert")
> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
> ---
> net/xfrm/xfrm_user.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index 010c9e6638c0..23c9bb42bb2a 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -3035,7 +3035,7 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
> }
>
> xfrm_state_free(x);
> - kfree(xp);
> + xfrm_policy_destroy(xp);
I agree there's something missing here, but that's not the right way
to fix this. You're calling this function:
void xfrm_policy_destroy(struct xfrm_policy *policy)
{
BUG_ON(!policy->walk.dead);
[...]
And xfrm_add_acquire is not setting walk.dead. Have you tested your
patch?
Even if we did set walk.dead before calling xfrm_policy_destroy, we
would still be missing the xfrm_dev_policy_delete call that is done in
xfrm_policy_kill for the normal policy cleanup path.
I think we want something more like what xfrm_add_policy does if
insertion fails. In xfrm_policy_construct (which you mention in the
commit message), we don't have to worry about xfrm_dev_policy_delete
because xfrm_dev_policy_add has either not been called at all, or has
failed and does not need extra cleanup.
--
Sabrina
next prev parent reply other threads:[~2025-11-08 10:08 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-08 5:10 [PATCH] xfrm: fix memory leak in xfrm_add_acquire() Zilin Guan
2025-11-08 10:08 ` Sabrina Dubroca [this message]
2025-11-09 15:02 ` Zilin Guan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aQ8Wj0fIH9KSEKg7@krikkit \
--to=sd@queasysnail.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=jianhao.xu@seu.edu.cn \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=steffen.klassert@secunet.com \
--cc=zilin@seu.edu.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).