From: Florian Westphal <fw@strlen.de>
Date: Mon, 25 Jun 2018 12:00:07 +0000 (+0200)
Subject: xfrm: free skb if nlsk pointer is NULL
X-Git-Tag: v4.18-rc8~36^2~15^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=86126b77dcd551ce223e7293bb55854e3df05646;p=thirdparty%2Fkernel%2Flinux.git

xfrm: free skb if nlsk pointer is NULL

nlmsg_multicast() always frees the skb, so in case we cannot call
it we must do that ourselves.

Fixes: 21ee543edc0dea ("xfrm: fix race between netns cleanup and state expire notification")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 1e50b70ad6680..33878e6e0d0a0 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1025,10 +1025,12 @@ static inline int xfrm_nlmsg_multicast(struct net *net, struct sk_buff *skb,
 {
 	struct sock *nlsk = rcu_dereference(net->xfrm.nlsk);
 
-	if (nlsk)
-		return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
-	else
-		return -1;
+	if (!nlsk) {
+		kfree_skb(skb);
+		return -EPIPE;
+	}
+
+	return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC);
 }
 
 static inline unsigned int xfrm_spdinfo_msgsize(void)