5 files changed, 23 insertions, 20 deletions

diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c
index 250e567ba3d6..44ac85fe2bc9 100644
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@@ -17,7 +17,7 @@
 #include <linux/crypto.h>
 #include <linux/scatterlist.h>
 #include <net/xfrm.h>
-#if defined(CONFIG_INET_ESP) || defined(CONFIG_INET_ESP_MODULE) || defined(CONFIG_INET6_ESP) || defined(CONFIG_INET6_ESP_MODULE)
+#if IS_ENABLED(CONFIG_INET_ESP) || IS_ENABLED(CONFIG_INET6_ESP)
 #include <net/esp.h>
 #endif
 
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 1c4ad477ce93..6e3f0254d8a1 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -207,15 +207,15 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
         family = XFRM_SPI_SKB_CB(skb)->family;
 
         /* if tunnel is present override skb->mark value with tunnel i_key */
-        if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4) {
-                switch (family) {
-                case AF_INET:
+        switch (family) {
+        case AF_INET:
+                if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
                         mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4->parms.i_key);
-                        break;
-                case AF_INET6:
+                break;
+        case AF_INET6:
+                if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
                         mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6->parms.i_key);
-                        break;
-                }
+                break;
         }
 
         /* Allocate new secpath or COW existing one. */
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index f7ce6265961a..fd6986634e6f 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -643,6 +643,10 @@ static void xfrm_hash_rebuild(struct work_struct *work)
 
         /* re-insert all policies by order of creation */
         list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
+                if (xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) {
+                        /* skip socket policies */
+                        continue;
+                }
                 newpos = NULL;
                 chain = policy_hash_bysel(net, &policy->selector,
                                           policy->family,
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index a38fdead38ea..419bf5d463bd 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -350,6 +350,7 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
 {
         tasklet_hrtimer_cancel(&x->mtimer);
         del_timer_sync(&x->rtimer);
+        kfree(x->aead);
         kfree(x->aalg);
         kfree(x->ealg);
         kfree(x->calg);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index d516845e16e3..08892091cfe3 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -581,9 +581,12 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
         if (err)
                 goto error;
 
-        if (attrs[XFRMA_SEC_CTX] &&
-            security_xfrm_state_alloc(x, nla_data(attrs[XFRMA_SEC_CTX])))
-                goto error;
+        if (attrs[XFRMA_SEC_CTX]) {
+                err = security_xfrm_state_alloc(x,
+                                                nla_data(attrs[XFRMA_SEC_CTX]));
+                if (err)
+                        goto error;
+        }
 
         if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,
                                                attrs[XFRMA_REPLAY_ESN_VAL])))
@@ -896,7 +899,8 @@ static int xfrm_dump_sa_done(struct netlink_callback *cb)
         struct sock *sk = cb->skb->sk;
         struct net *net = sock_net(sk);
 
-        xfrm_state_walk_done(walk, net);
+        if (cb->args[0])
+                xfrm_state_walk_done(walk, net);
         return 0;
 }
 
@@ -921,8 +925,6 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
                 u8 proto = 0;
                 int err;
 
-                cb->args[0] = 1;
-
                 err = nlmsg_parse(cb->nlh, 0, attrs, XFRMA_MAX,
                                   xfrma_policy);
                 if (err < 0)
@@ -939,6 +941,7 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
                         proto = nla_get_u8(attrs[XFRMA_PROTO]);
 
                 xfrm_state_walk_init(walk, proto, filter);
+                cb->args[0] = 1;
         }
 
         (void) xfrm_state_walk(net, walk, dump_one_state, &info);
@@ -2051,9 +2054,6 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
         if (up->hard) {
                 xfrm_policy_delete(xp, p->dir);
                 xfrm_audit_policy_delete(xp, 1, true);
-        } else {
-                // reset the timers here?
-                WARN(1, "Don't know what to do with soft policy expire\n");
         }
         km_policy_expired(xp, p->dir, up->hard, nlh->nlmsg_pid);
 
@@ -2117,7 +2117,7 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
 
         err = verify_newpolicy_info(&ua->policy);
         if (err)
-                goto bad_policy;
+                goto free_state;
 
         /*   build an XP */
         xp = xfrm_policy_construct(net, &ua->policy, attrs, &err);
@@ -2149,8 +2149,6 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
 
         return 0;
 
-bad_policy:
-        WARN(1, "BAD policy passed\n");
 free_state:
         kfree(x);
 nomem: