xfrm: call xfrm_dev_state_delete when xfrm_state_migrate fails to add the state

[ Upstream commit 7f02285764790e0ff1a731b4187fa3e389ed02c7 ]

In case xfrm_state_migrate fails after calling xfrm_dev_state_add, we
directly release the last reference and destroy the new state, without
calling xfrm_dev_state_delete (this only happens in
__xfrm_state_delete, which we're not calling on this path, since the
state was never added).

Call xfrm_dev_state_delete on error when an offload configuration was
provided.

Fixes: ab244a394c7f ("xfrm: Migrate offload configuration")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 721ef0f409b5137f463403045c13f4b2e0f1faba..f8a5837457a35e0783c600ae00b4c9c00114a185 100644 (file)
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2158,10 +2158,13 @@ struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
                xfrm_state_insert(xc);
        } else {
                if (xfrm_state_add(xc) < 0)
-                       goto error;
+                       goto error_add;
        }
 
        return xc;
+error_add:
+       if (xuo)
+               xfrm_dev_state_delete(xc);
 error:
        xfrm_state_put(xc);
        return NULL;