[PATCH v2] xfrm: fix memory leak in xfrm_add_acquire()

Next message: Tudor Ambarus: "Re: [PATCH 3/4] mtd: spi-nor: micron-st: add mt35xu01gbba support"
Previous message: Al Viro: "Re: [MEH PATCH] fs: move fd_install() slowpath into a dedicated routine and provide commentary"
Next in thread: Sabrina Dubroca: "Re: [PATCH v2] xfrm: fix memory leak in xfrm_add_acquire()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Zilin Guan

Date: Mon Nov 10 2025 - 01:42:01 EST

The xfrm_add_acquire() function constructs an xfrm policy by calling
xfrm_policy_construct(). This allocates the policy structure and
potentially associates a security context and a device policy with it.

However, at the end of the function, the policy object is freed using
only kfree() . This skips the necessary cleanup for the security context
and device policy, leading to a memory leak.

To fix this, invoke the proper cleanup functions xfrm_dev_policy_delete(),
xfrm_dev_policy_free(), and security_xfrm_policy_free() before freeing the
policy object. This approach mirrors the error handling path in
xfrm_add_policy(), ensuring that all associated resources are correctly
released.

Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert")
Signed-off-by: Zilin Guan <zilin@xxxxxxxxxx>
---
Changes in v2:
- Use the correct cleanup functions as per xfrm_add_policy().
---
net/xfrm/xfrm_user.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 010c9e6638c0..441d5fa319f4 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3035,6 +3035,9 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
}

xfrm_state_free(x);
+ xfrm_dev_policy_delete(xp);
+ xfrm_dev_policy_free(xp);
+ security_xfrm_policy_free(xp->security);
kfree(xp);

return 0;
--
2.34.1