[PATCH] net/xfrm: fix refcount leak in clone_policy()

From: WenTao Liang

Date: Thu Jun 11 2026 - 22:10:10 EST


In clone_policy(), xfrm_policy_alloc() initializes the refcount to 1
and sets up the timer. If security_xfrm_policy_clone() fails, the error
path uses kfree(newp) directly, bypassing the proper release through
xfrm_pol_put(). This leaves the refcount unbalanced, triggering
warnings if refcount debugging is enabled, and also skips
xfrm_policy_destroy() which would clean up the timer.

Replace the open-coded kfree() with xfrm_pol_put() so that, when the
refcount drops to zero, xfrm_policy_destroy() performs the correct
cleanup and frees the object.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
net/xfrm/xfrm_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index dd09d2063da2..3074692b4556 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2421,7 +2421,7 @@ static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
newp->selector = old->selector;
if (security_xfrm_policy_clone(old->security,
&newp->security)) {
- kfree(newp);
+ xfrm_pol_put(newp);
return NULL; /* ENOMEM */
}
newp->lft = old->lft;
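Review bot: calling xfrm_pol_put(newp) on this error path looks unsafe: the refcount is 1, so it goes straight to xfrm_policy_destroy(), which in mainline starts with BUG_ON(!policy->walk.dead), and nothing in clone_policy() sets newp->walk.dead before this point (xfrm_policy_alloc() zero-allocates it). The patch would turn a quiet kfree() into a guaranteed BUG() whenever security_xfrm_policy_clone() fails. The established pattern for a policy that was allocated but never inserted is the one xfrm_policy_construct() uses in xfrm_user.c: set `xp->walk.dead = 1;` and then call xfrm_policy_destroy(xp) (or xfrm_pol_put) explicitly. Please also revisit the justification in the commit message: kfree() of an object whose refcount is still 1 does not trigger any refcount debugging warning, and timer_setup() only initializes the timers without arming them, so the existing kfree() does not leak a timer either. At this point newp->security has not been allocated (the clone just failed), so there is no security context to release. If the change is still wanted for consistency with the rest of xfrm, the message should say that, and the Fixes:/Cc: stable tags should probably be dropped since no user-visible bug is being fixed.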
--
2.50.1 (Apple Git-155)