In the error path, the cloned state is dropped without removing its
hardware offload, leaking the offloaded SA entry.

Fixes: a9d155ea9b44 ("xfrm: add XFRM_MSG_MIGRATE_STATE for single SA migration")
Reported-by: Sashiko <[email protected]>
Signed-off-by: Antony Antony <[email protected]>
---
 net/xfrm/xfrm_user.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 29cbdc836cfc..87ef198993db 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3500,6 +3500,8 @@ static int xfrm_do_migrate_state(struct sk_buff *skb, 
struct nlmsghdr *nlh,
        xfrm_state_put(x);
        return err;
 out_xc:
+       if (m.xuo)
+               xfrm_dev_state_delete(xc);
        xc->km.state = XFRM_STATE_DEAD;
        xfrm_state_put(xc);
        xfrm_state_put(x);

-- 
2.47.3


Reply via email to