Re: [PATCH] net/xfrm: fix refcount leak in clone_policy()
From: Eric Dumazet
Date: Fri Jun 12 2026 - 01:54:50 EST
On Thu, Jun 11, 2026 at 7:09 PM WenTao Liang <vulab@xxxxxxxxxxx> wrote:
>
> In clone_policy(), xfrm_policy_alloc() initializes the refcount to 1
> and sets up the timer. If security_xfrm_policy_clone() fails, the error
> path uses kfree(newp) directly, bypassing the proper release through
> xfrm_pol_put(). This leaves the refcount unbalanced, triggering
> warnings if refcount debugging is enabled, and also skips
> xfrm_policy_destroy() which would clean up the timer.
Can you show us the warning?
>
> Replace the open-coded kfree() with xfrm_pol_put() so that when the
> refcount drops to zero xfrm_policy_destroy() performs the correct
> cleanup and frees the object.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
> Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
> ---
> net/xfrm/xfrm_policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
> index dd09d2063da2..3074692b4556 100644
> --- a/net/xfrm/xfrm_policy.c
> +++ b/net/xfrm/xfrm_policy.c
> @@ -2421,7 +2421,7 @@ static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
> newp->selector = old->selector;
> if (security_xfrm_policy_clone(old->security,
> &newp->security)) {
> - kfree(newp);
> + xfrm_pol_put(newp);
> return NULL; /* ENOMEM */
> }
> newp->lft = old->lft;
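Review bot: the swap from kfree(newp) to xfrm_pol_put(newp) in the security_xfrm_policy_clone() failure branch is the right shape, since newp was just returned by xfrm_policy_alloc() with a refcount of 1 and has not been published anywhere, so the put drops it to zero and the destructor runs; the point to tighten is the description rather than the code. A bare kfree() on an object whose refcount was never decremented does not itself trip the refcount_t debug checks, so the "warnings if refcount debugging is enabled" claim in the commit message is not something this hunk demonstrates, which is presumably why the splat was requested. The observable defect the hunk fixes is that kfree() skips xfrm_policy_destroy(), leaking whatever that destructor releases (the timer the message says xfrm_policy_alloc() sets up); stating that as the motivation, and attaching the actual warning if one was observed, would make the Fixes:/stable justification stand on its own. One small follow-up: the retained `return NULL; /* ENOMEM */` comment assumes the LSM hook can only fail with -ENOMEM, which the hunk does not show, so consider dropping or generalising that comment while touching the line above it.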
> --
> 2.50.1 (Apple Git-155)
>