Re: [PATCH ipsec-next v3] xfrm: cleanup error path in xfrm_add_policy()

[Steffen Klassert]

On Wed, Apr 29, 2026 at 07:31:40AM +0530, Deepanshu Kartikey wrote:
> On Tue, Apr 14, 2026 at 7:39 AM Deepanshu Kartikey
> <kartikey406@xxxxxxxxx> wrote:
> >
> > Replace the open-coded manual cleanup in the error path of
> > xfrm_add_policy() with xfrm_policy_destroy(), which already
> > handles all the necessary cleanup internally. This is consistent
> > with how xfrm_policy_construct() handles its own error paths.
> >
> > The walk.dead flag must be set before calling xfrm_policy_destroy()
> > as required by BUG_ON(!policy->walk.dead).
> >
> > Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
> > ---
> > v3:
> >   - Changed prefix to ipsec-next as this is a cleanup
> >   - Dropped syzbot references as suggested by Sabrina Dubroca
> > v2:
> >   - Reworded commit message to reflect cleanup rather than bugfix
> >     as suggested by Sabrina Dubroca
> >   - Removed incorrect Fixes: and Closes: tags
> >   - Corrected subject prefix to PATCH ipsec
> > ---
> >  net/xfrm/xfrm_user.c | 5 ++---
> >  1 file changed, 2 insertions(+), 3 deletions(-)
> >
> > diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> > index d56450f61669..ae144d1e4a65 100644
> > --- a/net/xfrm/xfrm_user.c
> > +++ b/net/xfrm/xfrm_user.c
> > @@ -2267,9 +2267,8 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
> >
> >         if (err) {
> >                 xfrm_dev_policy_delete(xp);
> > -               xfrm_dev_policy_free(xp);
> > -               security_xfrm_policy_free(xp->security);
> > -               kfree(xp);
> > +               xp->walk.dead = 1;
> > +               xfrm_policy_destroy(xp);
> >                 return err;
> >         }
> >
> > --
> > 2.43.0
> >
> Gentle ping on this patch . Please let me know the status of this patch.
> If anything is required from my side

Your patch was submitted during the merge window. The net-next
and ipsec-next trees don't accept patches during this period.

The merge window ended last Sunday with the release of 7.1-rc1.
I prepared the ipsec-next tree for the new development cycle
yesterday. I'll consider your patch now.