From: Steffen Klassert <steffen.klassert@secunet.com>
To: Alessandro Schino <7991aleschino@gmail.com>
Cc: <netdev@vger.kernel.org>, <herbert@gondor.apana.org.au>,
<davem@davemloft.net>, <linux-kernel@vger.kernel.org>,
e521588 <alessandro.schino@sbb.ch>
Subject: Re: [PATCH] esp: fix page frag reference leak on skb_to_sgvec failure
Date: Wed, 20 May 2026 09:08:20 +0200 [thread overview]
Message-ID: <ag1d5JwwVZZoncDO@secunet.com> (raw)
In-Reply-To: <20260517111306.1881-1-7991aleschino@gmail.com>
On Sun, May 17, 2026 at 01:13:06PM +0200, Alessandro Schino wrote:
> From: e521588 <alessandro.schino@sbb.ch>
>
> In esp_output_tail(), when esp->inplace is false, the old skb page frags
> are replaced with a new page from the xfrm page_frag cache. The source
> scatterlist (sg) is built from the old frags before the replacement, and
> esp_ssg_unref() is responsible for releasing the old page references
> after the crypto operation completes.
>
> However, if the second skb_to_sgvec() call (which builds the destination
> scatterlist from the new page) fails, the code jumps to error_free which
> only calls kfree(tmp). The old page frag references captured in the
> source scatterlist are never released:
>
> 1. sg[] is built from old frags via skb_to_sgvec() (no extra get_page)
> 2. nr_frags is set to 1 and frag[0] is replaced with the new page
> 3. Second skb_to_sgvec() fails -> goto error_free
> 4. kfree(tmp) frees the sg[] memory but old frags are not unref'd
> 5. kfree_skb() only releases frag[0] (the new page), not the old ones
>
> Fix this by adding a bool parameter to esp_ssg_unref() that, when true,
> unconditionally unrefs the source scatterlist frags without checking
> req->src and req->dst, since those fields are not yet initialized by
> aead_request_set_crypt() at the point of the error. Existing callers
> pass false to preserve the original behavior.
>
> The same issue exists in both esp4 and esp6 as the code is identical.
>
> Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
> Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Remove this empty line.
> Signed-off-by: Alessandro Schino <7991aleschino@gmail.com>
> ---
> net/ipv4/esp4.c | 10 +++++-----
> net/ipv6/esp6.c | 10 +++++-----
> 2 files changed, 10 insertions(+), 10 deletions(-)
Your patch does not appy to the ipsec tree, please rebase.
Also, the subject should be something like
[PATCH ipsec v2] esp: fix page frag reference leak on skb_to_sgvec failure
This clarifies on which tree it should be applied and the version.
next prev parent reply other threads:[~2026-05-20 7:08 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-17 11:13 [PATCH] esp: fix page frag reference leak on skb_to_sgvec failure Alessandro Schino
2026-05-20 7:08 ` Steffen Klassert [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-05-16 9:20 Alessandro Schino
2026-05-16 10:58 ` Steffen Klassert
2026-05-14 9:42 Alessandro Schino
2026-05-16 8:53 ` Steffen Klassert
2026-05-14 8:11 Alessandro Schino
2026-05-14 8:41 ` Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ag1d5JwwVZZoncDO@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=7991aleschino@gmail.com \
--cc=alessandro.schino@sbb.ch \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox