Re: [PATCH] net/xfrm: fix refcount leak in clone_policy()

From: Eric Dumazet

Date: Fri Jun 12 2026 - 02:03:39 EST


On Thu, Jun 11, 2026 at 10:53 PM Eric Dumazet <edumazet@xxxxxxxxxx> wrote:
>
> On Thu, Jun 11, 2026 at 7:09 PM WenTao Liang <vulab@xxxxxxxxxxx> wrote:
> >
> > In clone_policy(), xfrm_policy_alloc() initializes the refcount to 1
> > and sets up the timer. If security_xfrm_policy_clone() fails, the error
> > path uses kfree(newp) directly, bypassing the proper release through
> > xfrm_pol_put(). This leaves the refcount unbalanced, triggering
> > warnings if refcount debugging is enabled, and also skips
> > xfrm_policy_destroy() which would clean up the timer.
>
> Can you show us the warning?

Having to clear a refcount before kfree() is a new thing for me.

Just curious why this is needed on a private object (not visible yet).