espintcp: fix skb leaks

JIRA: https://issues.redhat.com/browse/RHEL-115629
Conflicts: netdev_max_backlog is not in hotdata (missing commit
    edbc666 ("net: move netdev_max_backlog to net_hotdata"))

commit 63c1f19
Author: Sabrina Dubroca <sd@queasysnail.net>
Date:   Wed Apr 9 15:59:56 2025 +0200

    espintcp: fix skb leaks

    A few error paths are missing a kfree_skb.

    Fixes: e27cca9 ("xfrm: add espintcp (RFC 8229)")
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

Signed-off-by: Sabrina Dubroca <sdubroca@redhat.com>

Author: Sabrina Dubroca

net/ipv4/esp4.c

@@ -199,8 +199,10 @@ static int esp_output_tcp_finish(struct xfrm_state *x, struct sk_buff *skb)
 
 	sk = esp_find_tcp_sk(x);
 	err = PTR_ERR_OR_ZERO(sk);
-	if (err)
+	if (err) {
+		kfree_skb(skb);
 		goto out;
+	}
 
 	bh_lock_sock(sk);
 	if (sock_owned_by_user(sk))

net/ipv6/esp6.c

@@ -215,8 +215,10 @@ static int esp_output_tcp_finish(struct xfrm_state *x, struct sk_buff *skb)
 
 	sk = esp6_find_tcp_sk(x);
 	err = PTR_ERR_OR_ZERO(sk);
-	if (err)
+	if (err) {
+		kfree_skb(skb);
 		goto out;
+	}
 
 	bh_lock_sock(sk);
 	if (sock_owned_by_user(sk))

net/xfrm/espintcp.c

@@ -171,8 +171,10 @@ int espintcp_queue_out(struct sock *sk, struct sk_buff *skb)
 {
 	struct espintcp_ctx *ctx = espintcp_getctx(sk);
 
-	if (skb_queue_len(&ctx->out_queue) >= READ_ONCE(netdev_max_backlog))
+	if (skb_queue_len(&ctx->out_queue) >= READ_ONCE(netdev_max_backlog)) {
+		kfree_skb(skb);
 		return -ENOBUFS;
+	}
 
 	__skb_queue_tail(&ctx->out_queue, skb);