]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 86f3dcd)
espintcp: fix skb leaks
authorSabrina Dubroca <sd@queasysnail.net>
Sun, 9 Nov 2025 12:39:15 +0000 (20:39 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 6 Dec 2025 21:12:34 +0000 (06:12 +0900)
[ Upstream commit 63c1f19a3be3169e51a5812d22a6d0c879414076 ]

A few error paths are missing a kfree_skb.

Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
[ Minor context change fixed. ]
Signed-off-by: Ruohan Lan <ruohanlan@aliyun.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/ipv4/esp4.c patch | blob | blame | history
net/ipv6/esp6.c patch | blob | blame | history
net/xfrm/espintcp.c patch | blob | blame | history

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 8f5417ff355d71cae247ad6a437e483193f5b1d4..a40f78a6474c6d469ca0ec8cce9608e7b829f6d1 100644 (file)
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -152,8 +152,10 @@ static int esp_output_tcp_finish(struct xfrm_state *x, struct sk_buff *skb)
 
        sk = esp_find_tcp_sk(x);
        err = PTR_ERR_OR_ZERO(sk);
-       if (err)
+       if (err) {
+               kfree_skb(skb);
                goto out;
+       }
 
        bh_lock_sock(sk);
        if (sock_owned_by_user(sk))
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 085a83b807afd02849b2a81c6ce82598ec7f25f4..48963fc9057bc56023b5fba78ebd37e18abf6c2e 100644 (file)
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -169,8 +169,10 @@ static int esp_output_tcp_finish(struct xfrm_state *x, struct sk_buff *skb)
 
        sk = esp6_find_tcp_sk(x);
        err = PTR_ERR_OR_ZERO(sk);
-       if (err)
+       if (err) {
+               kfree_skb(skb);
                goto out;
+       }
 
        bh_lock_sock(sk);
        if (sock_owned_by_user(sk))
diff --git a/net/xfrm/espintcp.c b/net/xfrm/espintcp.c
index d6fece1ed982dff312469188222235fd5ae293ac..b26fbaead7a55f6db77efcdbc0dc65d559587bfa 100644 (file)
--- a/net/xfrm/espintcp.c
+++ b/net/xfrm/espintcp.c
@@ -168,8 +168,10 @@ int espintcp_queue_out(struct sock *sk, struct sk_buff *skb)
 {
        struct espintcp_ctx *ctx = espintcp_getctx(sk);
 
-       if (skb_queue_len(&ctx->out_queue) >= READ_ONCE(netdev_max_backlog))
+       if (skb_queue_len(&ctx->out_queue) >= READ_ONCE(netdev_max_backlog)) {
+               kfree_skb(skb);
                return -ENOBUFS;
+       }
 
        __skb_queue_tail(&ctx->out_queue, skb);
 
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git