From: Steffen Klassert <steffen.klassert@secunet.com>
To: Alessandro Schino <7991aleschino@gmail.com>
Cc: <netdev@vger.kernel.org>, <herbert@gondor.apana.org.au>,
	<davem@davemloft.net>, <linux-kernel@vger.kernel.org>,
	e521588 <alessandro.schino@sbb.ch>
Subject: Re: [PATCH] esp: fix page frag reference leak on skb_to_sgvec failure
Date: Sat, 16 May 2026 10:53:04 +0200
Message-ID: <aggwcBleyHfFD4BL@secunet.com>
In-Reply-To: <20260514094212.32-1-7991aleschino@gmail.com>

On Thu, May 14, 2026 at 11:42:11AM +0200, Alessandro Schino wrote:
> From: e521588 <alessandro.schino@sbb.ch>
> 
> In esp_output_tail(), when esp->inplace is false, the old skb page frags
> are replaced with a new page from the xfrm page_frag cache. The source
> scatterlist (sg) is built from the old frags before the replacement, and
> esp_ssg_unref() is responsible for releasing the old page references
> after the crypto operation completes.
> 
> However, if the second skb_to_sgvec() call (which builds the destination
> scatterlist from the new page) fails, the code jumps to error_free which
> only calls kfree(tmp). The old page frag references captured in the
> source scatterlist are never released:
> 
>   1. sg[] is built from old frags via skb_to_sgvec() (no extra get_page)
>   2. nr_frags is set to 1 and frag[0] is replaced with the new page
>   3. Second skb_to_sgvec() fails -> goto error_free
>   4. kfree(tmp) frees the sg[] memory but old frags are not unref'd
>   5. kfree_skb() only releases frag[0] (the new page), not the old ones
> 
> Fix this by calling esp_ssg_unref() before the goto error_free when the
> second skb_to_sgvec() fails. At this point, the source scatterlist in
> tmp is fully populated, so esp_ssg_unref() can properly release all old
> page frag references.
> 
> The same issue exists in both esp4 and esp6 as the code is identical.
> 
> Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
> Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
> 
> Signed-off-by: Alessandro Schino <7991aleschino@gmail.com>
> ---
>  net/ipv4/esp4.c | 4 +++-
>  net/ipv6/esp6.c | 4 +++-
>  2 files changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
> index 6a5febbdbee4..5c4b162c1bb5 100644
> --- a/net/ipv4/esp4.c
> +++ b/net/ipv4/esp4.c
> @@ -569,8 +569,10 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
>  		err = skb_to_sgvec(skb, dsg,
>  			           (unsigned char *)esph - skb->data,
>  			           assoclen + ivlen + esp->clen + alen);
> -		if (unlikely(err < 0))
> +		if (unlikely(err < 0)) {
> +			esp_ssg_unref(x, tmp, skb);
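
Review bot: esp_ssg_unref(x, tmp, skb) on this error path runs before the aead request in tmp has its src and dst set (the reply below points out that the request is initialized later in the function), so the request fields it inspects are uninitialized at this point; either set up req->src/req->dst before the call or add a variant that is handed the source scatterlist built by the first skb_to_sgvec() and walks that directly. The quote also stops at the esp_ssg_unref() line, so the matching goto error_free, the closing brace, and the esp6 hunk are not visible here and cannot be checked.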

Maybe we need some variant of esp_ssg_unref() that does not
check the src and dst of the crypto request as this is
initialized later in the function.
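
The reference bookkeeping the commit message walks through in steps 1 to 5, reduced to a stand-alone C model. This is an added illustration, not kernel code and not code from the patch or the thread: pages are bare refcounts, skb_to_sgvec_model() records frag pages without taking references, kfree_skb_model() drops only the references the skb holds at the time, and ssg_unref_model() is an assumed helper that walks the source scatterlist it is handed instead of the crypto request's src/dst, so it can be called before the request is set up. leaked_refs_after_failure() runs the failing second-sgvec path with and without the fix and returns how many references on the old pages are left dangling.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the page-frag bookkeeping in the non-inplace path of
 * esp_output_tail(). Not kernel code: pages are bare refcounts, an skb holds
 * up to MAX_FRAGS page references, and a scatterlist is the list of pages the
 * crypto layer would read from or write to. */
#define MAX_FRAGS 4

struct page { int refcount; };

struct skb {
    int nr_frags;
    struct page *frags[MAX_FRAGS];
};

struct sglist {
    int n;
    struct page *pages[MAX_FRAGS];
};

static void get_page(struct page *p) { p->refcount++; }
static void put_page(struct page *p) { p->refcount--; }

/* Like skb_to_sgvec(): records the frag pages, takes no references. */
static int skb_to_sgvec_model(const struct skb *skb, struct sglist *sg)
{
    sg->n = skb->nr_frags;
    for (int i = 0; i < skb->nr_frags; i++)
        sg->pages[i] = skb->frags[i];
    return 0;
}

/* Like kfree_skb(): releases only the references the skb holds right now. */
static void kfree_skb_model(struct skb *skb)
{
    for (int i = 0; i < skb->nr_frags; i++)
        put_page(skb->frags[i]);
    skb->nr_frags = 0;
}

/* Assumed variant of esp_ssg_unref() that is handed the source scatterlist
 * directly instead of reading the (not yet initialized) request's src/dst. */
static void ssg_unref_model(const struct sglist *src)
{
    for (int i = 0; i < src->n; i++)
        put_page(src->pages[i]);
}

/* Steps 1 to 3 of the commit message. fail_dst forces the second
 * skb_to_sgvec() to fail; fixed applies the patch's extra unref. Returns 0
 * on success and -1 on the error path, like the original. */
static int esp_output_tail_model(struct skb *skb, struct page *new_page,
                                 bool fail_dst, bool fixed)
{
    struct sglist src, dst;

    skb_to_sgvec_model(skb, &src);   /* 1: source sg from the old frags */
    get_page(new_page);              /* 2: frag[0] replaced by the new page */
    skb->nr_frags = 1;
    skb->frags[0] = new_page;

    if (fail_dst) {                  /* 3: destination sg fails */
        if (fixed)
            ssg_unref_model(&src);   /* the patch: drop the old frag refs */
        return -1;                   /* goto error_free: only kfree(tmp) */
    }
    skb_to_sgvec_model(skb, &dst);
    ssg_unref_model(&src);           /* normal completion releases them */
    return 0;
}

/* Runs one path and returns the references still held on the old pages and
 * the new page after kfree_skb(), i.e. the number of leaked references. */
static int leaked_refs(bool fail_dst, bool fixed)
{
    struct page old[3] = { {1}, {1}, {1} };  /* each held once by the skb */
    struct page fresh = { 0 };
    struct skb skb = { 3, { &old[0], &old[1], &old[2], NULL } };

    esp_output_tail_model(&skb, &fresh, fail_dst, fixed);
    kfree_skb_model(&skb);           /* 5: releases frag[0] only */

    int left = fresh.refcount;
    for (int i = 0; i < 3; i++)
        left += old[i].refcount;
    return left;
}

int leaked_refs_after_failure(bool fixed) { return leaked_refs(true, fixed); }
int leaked_refs_after_success(void)     { return leaked_refs(false, false); }

int main(void)
{
    printf("failure, unfixed: %d leaked\n", leaked_refs_after_failure(false));
    printf("failure, fixed:   %d leaked\n", leaked_refs_after_failure(true));
    printf("success:          %d leaked\n", leaked_refs_after_success());
    return 0;
}
```

With three old frags the unfixed error path leaves all three old page references held by nobody, while the fixed path and the normal completion path leave none; the unref helper here deliberately takes the scatterlist as an argument, which is the shape a variant that avoids reading the uninitialized request would need.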



Thread overview: 8+ messages
2026-05-14  9:42 [PATCH] esp: fix page frag reference leak on skb_to_sgvec failure Alessandro Schino
2026-05-16  8:53 ` Steffen Klassert [this message]
  -- strict thread matches above, loose matches on Subject: below --
2026-05-17 11:13 Alessandro Schino
2026-05-20  7:08 ` Steffen Klassert
2026-05-16  9:20 Alessandro Schino
2026-05-16 10:58 ` Steffen Klassert
2026-05-14  8:11 Alessandro Schino
2026-05-14  8:41 ` Steffen Klassert
