xfrm: make state as DEAD before final put when migrate fails

xfrm_state_migrate/xfrm_state_clone_and_setup create a new state, and call xfrm_state_put to destroy it in case of failure. __xfrm_state_destroy expects the state to be in XFRM_STATE_DEAD, but we currently don't do that. Reported-by: syzbot+5cd6299ede4d4f70987b@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=5cd6299ede4d4f70987b Fixes: 78347c8c6b2d ("xfrm: Fix xfrm_state_migrate leak") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
author: Sabrina Dubroca <sd@queasysnail.net> 2025-10-16 12:39:14 +0200
committer: Steffen Klassert <steffen.klassert@secunet.com> 2025-10-21 10:42:43 +0200
commit: 5502bc4746e86bfe91ecbe0ed1ad53cb17673920 (patch)
tree: 7b6eef62705e79f23a8d05abec460ff062720d5b /net/xfrm
parent: 10deb69864840ccf96b00ac2ab3a2055c0c04721 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 721ef0f409b5..1ab19ca007de 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2074,6 +2074,7 @@ static struct xfrm_state *xfrm_state_clone_and_setup(struct xfrm_state *orig,
 	return x;
 
  error:
+	x->km.state = XFRM_STATE_DEAD;
 	xfrm_state_put(x);
 out:
 	return NULL;
@@ -2163,6 +2164,7 @@ struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
 
 	return xc;
 error:
+	xc->km.state = XFRM_STATE_DEAD;
 	xfrm_state_put(xc);
 	return NULL;
 }
author	Sabrina Dubroca <sd@queasysnail.net>	2025-10-16 12:39:14 +0200
committer	Steffen Klassert <steffen.klassert@secunet.com>	2025-10-21 10:42:43 +0200
commit	5502bc4746e86bfe91ecbe0ed1ad53cb17673920 (patch)
tree	7b6eef62705e79f23a8d05abec460ff062720d5b /net/xfrm
parent	10deb69864840ccf96b00ac2ab3a2055c0c04721 (diff)