Commit 4e610ef

author Sabrina Dubroca committed
xfrm: use kfree_sensitive() for SA secret zeroization
JIRA: https://issues.redhat.com/browse/RHEL-115629
Conflict: missing timer_delete_sync conversion (upstream commit 8fa7292)

commit e7a37c9
Author: Zilin Guan <zilin@seu.edu.cn>
Date: Wed May 14 08:48:39 2025 +0000

xfrm: use kfree_sensitive() for SA secret zeroization

High-level copy_to_user_* APIs already redact SA secret fields when redaction is enabled, but the state teardown path still freed aead, aalg and ealg structs with plain kfree(), which does not clear memory before deallocation. This can leave SA keys and other confidential data in memory, risking exposure via post-free vulnerabilities.

Since this path is outside the packet fast path, the cost of zeroization is acceptable and prevents any residual key material.

This patch replaces those kfree() calls unconditionally with kfree_sensitive(), which zeroizes the entire buffer before freeing.

Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sabrina Dubroca <sdubroca@redhat.com>
1 parent f08c256 commit 4e610ef

1 file changed

+3
-3
lines changed

net/xfrm/xfrm_state.c

Lines changed: 3 additions & 3 deletions
@@ -535,9 +535,9 @@ static void ___xfrm_state_destroy(struct xfrm_state *x)
535535
{
536536
hrtimer_cancel(&x->mtimer);
537537
del_timer_sync(&x->rtimer);
538-
kfree(x->aead);
539-
kfree(x->aalg);
540-
kfree(x->ealg);
538+
kfree_sensitive(x->aead);
539+
kfree_sensitive(x->aalg);
540+
kfree_sensitive(x->ealg);
541541
kfree(x->calg);
542542
kfree(x->encap);
543543
kfree(x->coaddr);
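
Review bot: kfree(x->calg), kfree(x->encap) and kfree(x->coaddr) in the trailing context stay on plain kfree() while the three lines above them move to kfree_sensitive(), and neither the hunk nor the commit message says why the split falls there. A one-line comment above the kfree_sensitive() calls noting that aead, aalg and ealg carry key material, and that the remaining fields do not, would keep a later secret-bearing field from being added to the wrong group. The message describes the change as covering the state teardown path, but only ___xfrm_state_destroy() is touched here, so it is worth confirming that no other free site for these three pointers is left on kfree().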
