Commit 5502bc47 authored Oct 16, 2025 by Sabrina Dubroca Committed by Steffen Klassert Oct 21, 2025

xfrm: make state as DEAD before final put when migrate fails



xfrm_state_migrate/xfrm_state_clone_and_setup create a new state, and
call xfrm_state_put to destroy it in case of
failure. __xfrm_state_destroy expects the state to be in
XFRM_STATE_DEAD, but we currently don't do that.

Reported-by:  <syzbot+5cd6299ede4d4f70987b@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=5cd6299ede4d4f70987b


Fixes: 78347c8c ("xfrm: Fix xfrm_state_migrate leak")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

parent 10deb698

net/xfrm/xfrm_state.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -2074,6 +2074,7 @@ static struct xfrm_state xfrm_state_clone_and_setup(struct xfrm_state orig,
		return x;

		error:
		x->km.state = XFRM_STATE_DEAD;
		xfrm_state_put(x);
		out:
		return NULL;
		@@ -2163,6 +2164,7 @@ struct xfrm_state xfrm_state_migrate(struct xfrm_state x,

		return xc;
		error:
		xc->km.state = XFRM_STATE_DEAD;
		xfrm_state_put(xc);
		return NULL;
		}