lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aWjvUllZ7Clf3pm5@horms.kernel.org>
Date: Thu, 15 Jan 2026 13:44:50 +0000
From: Simon Horman <horms@...nel.org>
To: Antony Antony <antony@...nome.org>
Cc: Antony Antony <antony.antony@...unet.com>,
	Steffen Klassert <steffen.klassert@...unet.com>,
	Herbert Xu <herbert@...dor.apana.org.au>, netdev@...r.kernel.org,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	devel@...ux-ipsec.org
Subject: Re: [devel-ipsec] Re: [PATCH ipsec-next 4/6] xfrm: add
 XFRM_MSG_MIGRATE_STATE for single SA migration

On Wed, Jan 14, 2026 at 05:09:20PM +0100, Antony Antony wrote:

Hi Antony,

> Hi Simon,
> 
> On Tue, Jan 13, 2026 at 02:57:16PM +0000, Simon Horman via Devel wrote:
> > On Fri, Jan 09, 2026 at 02:38:05PM +0100, Antony Antony wrote:

...

> > > +static int xfrm_send_migrate_state(const struct xfrm_user_migrate_state *um,
> > > +				   const struct xfrm_encap_tmpl *encap,
> > > +				   const struct xfrm_user_offload *xuo)
> > > +{
> > > +	int err;
> > > +	struct sk_buff *skb;
> > > +	struct net *net = &init_net;
> > > +
> > > +	skb = nlmsg_new(xfrm_migrate_state_msgsize(!!encap, !!xuo), GFP_ATOMIC);
> > > +	if (!skb)
> > > +		return -ENOMEM;
> > > +
> > > +	err = build_migrate_state(skb, um, encap, xuo);
> > > +	if (err < 0) {
> > > +		WARN_ON(1);
> > > +		return err;
> > 
> > skb seems to be leaked here.
> > 
> > Also flagged by Review Prompts.
> 
> I don't see a skb leak. It also looks similar to the functions above.

xfrm_get_ae() is the previous caller of nlmsg_new() in this file.
It calls BUG_ON() on error, so leaking is not an issue there.

The caller before that is xfrm_get_default() which calls kfree_skb() in
it's error path. Maybe I'm missing something obvious, but I was thinking
that approach is appropriate here too.

...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ