[PATCH net] xfrm: esp: restore combined single-frag length gate

All of lore.kernel.org
 help / color / mirror / Atom feed

From: tanjingguo <tanjingguo@huawei.com>
To: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Chenzhe <chenzhe@huawei.com>, "malin (R)" <malin89@huawei.com>,
	michenyuan <michenyuan@huawei.com>,
	cenxianlong <cenxianlong@huawei.com>,
	"steffen.klassert@secunet.com" <steffen.klassert@secunet.com>,
	"herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
	"davem@davemloft.net" <davem@davemloft.net>,
	"dsahern@kernel.org" <dsahern@kernel.org>,
	"edumazet@google.com" <edumazet@google.com>,
	"kuba@kernel.org" <kuba@kernel.org>,
	"pabeni@redhat.com" <pabeni@redhat.com>,
	"horms@kernel.org" <horms@kernel.org>,
	"sd@queasysnail.net" <sd@queasysnail.net>
Subject: [PATCH net] xfrm: esp: restore combined single-frag length gate
Date: Thu, 21 May 2026 07:52:50 +0000	[thread overview]
Message-ID: <48c8f59972cc407092834fb73e06ff2c@huawei.com> (raw)

From 1e6d45378b272fe2f1fce48ed89d6eaa415c00c2 Mon Sep 17 00:00:00 2001
From: Jingguo Tan <tanjingguo@huawei.com>
Date: Mon, 18 May 2026 17:06:48 +0800
Subject: [PATCH net] xfrm: esp: restore combined single-frag length gate

The ESP out-of-place fast path still consumes the combined post-trailer
skb->data_len as a single destination frag in esp_output_tail()/
esp6_output_tail(). The head-side gate must therefore reject any case
where ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) exceeds PAGE_SIZE,
otherwise skb_page_frag_refill() may fall back to a single page and the
destination sg will overrun it.

Restore a combined-length page gate before entering the page-frag fast
path for both IPv4 and IPv6.

Fixes: 5bd8baab087d ("esp: limit skb_page_frag_refill use to a single page")
Cc: stable@vger.kernel.org
Signed-off-by: Lin Ma <malin89@huawei.com>
Signed-off-by: Chenyuan Mi <michenyuan@huawei.com>
Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
---

 net/ipv4/esp4.c | 5 +++--
 net/ipv6/esp6.c | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 6a5febbdbee49..2d7daca8516c2 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -410,6 +410,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 	struct page *page;
 	struct sk_buff *trailer;
 	int tailen = esp->tailen;
+	unsigned int allocsize;
 
 	/* this is non-NULL only with TCP/UDP Encapsulation */
 	if (x->encap) {
@@ -419,8 +420,8 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 			return err;
 	}
 
-	if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
-	    ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+	allocsize = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+	if (allocsize > PAGE_SIZE)
 		goto cow;
 
 	if (!skb_cloned(skb)) {
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 9c06c5a1419dc..0fad1dc558b84 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -440,6 +440,7 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 	struct page *page;
 	struct sk_buff *trailer;
 	int tailen = esp->tailen;
+	unsigned int allocsize;
 
 	if (x->encap) {
 		int err = esp6_output_encap(x, skb, esp);
@@ -448,8 +449,8 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 			return err;
 	}
 
-	if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
-	    ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+	allocsize = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+	if (allocsize > PAGE_SIZE)
 		goto cow;
 
 	if (!skb_cloned(skb)) {
-- 
2.43.0

next             reply	other threads:[~2026-05-21  7:52 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-21  7:52 tanjingguo [this message]
2026-05-21 10:56 ` [PATCH net] xfrm: esp: restore combined single-frag length gate Sabrina Dubroca
  -- strict thread matches above, loose matches on Subject: below --
2026-05-21 12:06 tanjingguo

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:6a5febbdbee4 dfblob:2d7daca8516c dfblob:9c06c5a1419d
dfblob:0fad1dc558b8 )
 OR (
bs:"xfrm: esp: restore combined single-frag length gate" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=48c8f59972cc407092834fb73e06ff2c@huawei.com \
    --to=tanjingguo@huawei.com \
    --cc=cenxianlong@huawei.com \
    --cc=chenzhe@huawei.com \
    --cc=davem@davemloft.net \
    --cc=dsahern@kernel.org \
    --cc=edumazet@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=malin89@huawei.com \
    --cc=michenyuan@huawei.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=sd@queasysnail.net \
    --cc=steffen.klassert@secunet.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.