* [PATCH ipsec] esp: fix uninitialised req->src dereference in esp_ssg_unref
@ 2026-05-29 7:18 Alessandro Schino
2026-06-01 7:14 ` Steffen Klassert
0 siblings, 1 reply; 2+ messages in thread
From: Alessandro Schino @ 2026-05-29 7:18 UTC (permalink / raw)
To: netdev
Cc: steffen.klassert, herbert, davem, pabeni, linux-kernel,
Alessandro Schino
When esp_ssg_unref() is called with already_unref=true, req->src has
not been initialised yet because aead_request_set_crypt() has not been
called at that point. Use esp_req_sg() to obtain the source scatterlist
directly from the tmp buffer layout instead.
Fixes: 2982e599fff6 ("esp: fix page frag reference leak on skb_to_sgvec failure")
Signed-off-by: Alessandro Schino <7991aleschino@gmail.com>
---
net/ipv4/esp4.c | 2 +-
net/ipv6/esp6.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 5d3a8656687e..2429c7845984 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -114,7 +114,7 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb,
* Skip the first sg which comes from skb->data.
*/
if (already_unref || req->src != req->dst)
- for (sg = sg_next(req->src); sg; sg = sg_next(sg))
+ for (sg = sg_next(already_unref ? esp_req_sg(aead, req) : req->src); sg; sg = sg_next(sg))
skb_page_unref(page_to_netmem(sg_page(sg)),
skb->pp_recycle);
}
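Review bot: `aead` is used in the new ternary but does not appear anywhere in the visible context of `esp_ssg_unref()`, and the function signature in the hunk header is unchanged, so please confirm it is a local already derived in the function rather than an identifier this hunk leaves undefined. Style-wise, the new `for` line runs well past 80 columns; hoisting the choice into a local keeps it readable, e.g.
	struct scatterlist *src = already_unref ? esp_req_sg(aead, req) : req->src;
	for (sg = sg_next(src); sg; sg = sg_next(sg))
It would also help to extend the comment above the `if` to say that `req->src` is not yet valid when `already_unref` is set, since that reasoning lives only in the commit message at the moment.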
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index b963b8e72604..50af6ab9b8fc 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -131,7 +131,7 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb,
* Skip the first sg which comes from skb->data.
*/
if (already_unref || req->src != req->dst)
- for (sg = sg_next(req->src); sg; sg = sg_next(sg))
+ for (sg = sg_next(already_unref ? esp_req_sg(aead, req) : req->src); sg; sg = sg_next(sg))
skb_page_unref(page_to_netmem(sg_page(sg)),
skb->pp_recycle);
}
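Review bot: this is the same change as in esp4.c and carries the same points: confirm `aead` is in scope in the IPv6 `esp_ssg_unref()` (it is not visible in the hunk), and consider the same local-variable form so the two copies stay identical and diff cleanly. One thing that does check out from the visible lines: `already_unref || req->src != req->dst` short-circuits, so with this change `req->src` is no longer read on the `already_unref` path in either the condition or the loop, which is exactly what the fix needs; a short comment stating that would spare the next reader the same analysis.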
--
2.41.0.windows.3
* Re: [PATCH ipsec] esp: fix uninitialised req->src dereference in esp_ssg_unref
2026-05-29 7:18 [PATCH ipsec] esp: fix uninitialised req->src dereference in esp_ssg_unref Alessandro Schino
@ 2026-06-01 7:14 ` Steffen Klassert
0 siblings, 0 replies; 2+ messages in thread
From: Steffen Klassert @ 2026-06-01 7:14 UTC (permalink / raw)
To: Alessandro Schino; +Cc: netdev, herbert, davem, pabeni, linux-kernel
On Fri, May 29, 2026 at 09:18:46AM +0200, Alessandro Schino wrote:
> When esp_ssg_unref() is called with already_unref=true, req->src has
> not been initialised yet because aead_request_set_crypt() has not been
> called at that point. Use esp_req_sg() to obtain the source scatterlist
> directly from the tmp buffer layout instead.
>
> Fixes: 2982e599fff6 ("esp: fix page frag reference leak on skb_to_sgvec failure")
> Signed-off-by: Alessandro Schino <7991aleschino@gmail.com>
Please resend the full fixed patch on top of the ipsec tree.