5 files changed, 6 insertions, 9 deletions

diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index ec8de0aa20ec..d76803a3dcae 100644
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -179,10 +179,8 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
                 err = ah_mac_digest(ahp, skb, ah->auth_data);
                 if (err)
                         goto unlock;
-                if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
-                        xfrm_audit_state_icvfail(x, skb, IPPROTO_AH);
+                if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len))
                         err = -EBADMSG;
-                }
         }
 unlock:
         spin_unlock(&x->lock);
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index b334c7619c08..28ea5c77ca23 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -191,7 +191,6 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
                         BUG();
 
                 if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
-                        xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP);
                         err = -EBADMSG;
                         goto unlock;
                 }
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index 2d32772c87c3..fb0d07a15e93 100644
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -380,10 +380,8 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
                 err = ah_mac_digest(ahp, skb, ah->auth_data);
                 if (err)
                         goto unlock;
-                if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
-                        xfrm_audit_state_icvfail(x, skb, IPPROTO_AH);
+                if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len))
                         err = -EBADMSG;
-                }
         }
 unlock:
         spin_unlock(&x->lock);
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index e10f10bfe2c9..5bd5292ad9fa 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -186,7 +186,6 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
                         BUG();
 
                 if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
-                        xfrm_audit_state_icvfail(x, skb, IPPROTO_ESP);
                         ret = -EBADMSG;
                         goto unlock;
                 }
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 1b250f33ad5b..039e7019c48a 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -186,8 +186,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 resume:
                 spin_lock(&x->lock);
                 if (nexthdr <= 0) {
-                        if (nexthdr == -EBADMSG)
+                        if (nexthdr == -EBADMSG) {
+                                xfrm_audit_state_icvfail(x, skb,
+                                                         x->type->proto);
                                 x->stats.integrity_failed++;
+                        }
                         XFRM_INC_STATS(LINUX_MIB_XFRMINSTATEPROTOERROR);
                         goto drop_unlock;
                 }