xfrm: call xfrm_dev_state_delete when xfrm_state_migrate fails to add the state

In case xfrm_state_migrate fails after calling xfrm_dev_state_add, we
directly release the last reference and destroy the new state, without
calling xfrm_dev_state_delete (this only happens in
__xfrm_state_delete, which we're not calling on this path, since the
state was never added).

Call xfrm_dev_state_delete on error when an offload configuration was
provided.

Fixes: ab244a394c7f ("xfrm: Migrate offload configuration")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 1ab19ca007deacb0cce810aa554a16a5cf98a7c2..c3518d1498cd04a8c75792a89f7e623041666905 100644 (file)
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2159,10 +2159,13 @@ struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
                xfrm_state_insert(xc);
        } else {
                if (xfrm_state_add(xc) < 0)
-                       goto error;
+                       goto error_add;
        }
 
        return xc;
+error_add:
+       if (xuo)
+               xfrm_dev_state_delete(xc);
 error:
        xc->km.state = XFRM_STATE_DEAD;
        xfrm_state_put(xc);