From: Steffen Klassert <steffen.klassert@secunet.com>
To: Ren Wei <n05ec@lzu.edu.cn>
Cc: <netdev@vger.kernel.org>, <herbert@gondor.apana.org.au>,
<davem@davemloft.net>, <sd@queasysnail.net>,
<yuantan098@gmail.com>, <yifanwucs@gmail.com>,
<tomapufckgml@gmail.com>, <zcliangcn@gmail.com>,
<bird@lzu.edu.cn>, <bronzed_45_vested@icloud.com>
Subject: Re: [PATCH ipsec v2 1/1] xfrm: espintcp: do not reuse an in-progress partial send
Date: Tue, 9 Jun 2026 08:12:38 +0200
Message-ID: <aieu1s7D1NsMLTEL@secunet.com>
In-Reply-To: <f45b23780569de7e83d695bf5c439815d4ea4e21.1780377940.git.bronzed_45_vested@icloud.com>
On Wed, Jun 03, 2026 at 12:46:27AM +0800, Ren Wei wrote:
> From: Wyatt Feng <bronzed_45_vested@icloud.com>
>
> espintcp keeps a single in-flight transmit in ctx->partial.
> Before building a new sk_msg, espintcp_sendmsg() first tries to flush
> that state through espintcp_push_msgs().
>
> For blocking callers, espintcp_push_msgs() may return success even when
> the previous partial send is still pending. espintcp_sendmsg() would
> then reinitialize emsg->skmsg and reuse ctx->partial while the old
> transfer still owns that state.
>
> Do not rebuild the send message when ctx->partial is still in progress.
> If espintcp_push_msgs() returns with emsg->len still set, fail the new
> send instead of overwriting the live partial state.
>
> This is a memory-safety fix: reusing the live partial-send state can
> leave a stale offset attached to a new sk_msg and lead to an out-of-bounds
> read in the send path.
>
> tcp_sendmsg_locked() already handles waiting for send buffer memory, so
> the fix here is just to preserve espintcp's one-message-at-a-time
> transmit state.
>
> Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
> Cc: stable@kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Assisted-by: Codex:GPT-5.4
> Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Patch applied, thanks a lot!
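The hazard the commit message describes, as an added userspace model rather than the kernel's espintcp code or anything from the patch: a blocking flush that reports success while the partial is still pending, a rebuilt message that inherits the old offset, and the guard that fails the new send instead of reusing the live state. The struct and function names, the 16-byte per-push budget and the -EAGAIN/-EFAULT results are this model's assumptions, not taken from the kernel.

```c
/* Added example, not kernel code: a userspace model of the espintcp
 * partial-send state described above. The names, WIRE_BUDGET and the
 * -EAGAIN/-EFAULT results are this model's assumptions, not the patch's. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define PARTIAL_BUF 64   /* capacity of the modelled sk_msg payload */
#define WIRE_BUDGET 16   /* bytes the modelled TCP socket takes per push */

/* The single in-flight transmit that espintcp keeps in ctx->partial. */
struct partial_send {
	unsigned char buf[PARTIAL_BUF]; /* modelled sk_msg data */
	size_t len;                     /* 0 means nothing in flight */
	size_t offset;                  /* bytes of buf already given to TCP */
};

struct ctx {
	struct partial_send partial;
	int oob_detected;    /* set when a push would read past the payload */
};

/* Push the unsent remainder: 0 once fully out, -EAGAIN if only part went. */
static int push_partial(struct ctx *c)
{
	struct partial_send *p = &c->partial;
	size_t remaining, chunk;

	/* An offset left over from an older, longer transfer makes len - offset
	 * wrap: this is the out-of-bounds read the fix prevents. */
	if (p->offset > p->len) {
		c->oob_detected = 1;
		return -EFAULT;
	}
	remaining = p->len - p->offset;
	chunk = remaining > WIRE_BUDGET ? WIRE_BUDGET : remaining;
	p->offset += chunk;
	if (p->offset < p->len)
		return -EAGAIN;
	memset(p, 0, sizeof(*p));   /* transfer complete: state is free again */
	return 0;
}

/* Model of espintcp_push_msgs(): for a blocking caller it reports success
 * although the partial is still pending, as the commit message describes. */
static int push_msgs(struct ctx *c, int blocking)
{
	int err = c->partial.len ? push_partial(c) : 0;

	return (err == -EAGAIN && blocking) ? 0 : err;
}

/* Models reinitialising emsg->skmsg for a new payload: as in the bug, the
 * message is rebuilt but the stale offset is left in place. */
static void build_skmsg(struct partial_send *p, const void *data, size_t n)
{
	memcpy(p->buf, data, n);
	p->len = n;
}

/* Before the fix: rebuild ctx->partial whenever the flush "succeeded". */
static int sendmsg_unfixed(struct ctx *c, const void *data, size_t n, int blocking)
{
	int err = push_msgs(c, blocking);

	if (err < 0 || n > PARTIAL_BUF)
		return err < 0 ? err : -EMSGSIZE;
	build_skmsg(&c->partial, data, n);
	return push_msgs(c, blocking);
}

/* After the fix: if emsg->len is still set after the flush, fail the new
 * send instead of overwriting live state (-EAGAIN is this model's choice). */
static int sendmsg_fixed(struct ctx *c, const void *data, size_t n, int blocking)
{
	int err = push_msgs(c, blocking);

	if (err < 0)
		return err;
	if (c->partial.len)
		return -EAGAIN;
	if (n > PARTIAL_BUF)
		return -EMSGSIZE;
	build_skmsg(&c->partial, data, n);
	return push_msgs(c, blocking);
}

/* Constructed scenario: a blocking 40-byte send of which the socket takes
 * 16 bytes per push, then an 8-byte send on the same socket. Returns the
 * second send's result and leaves *c for inspection. */
static int run_scenario(struct ctx *c, int fixed)
{
	unsigned char first[40], second[8];
	int (*do_send)(struct ctx *, const void *, size_t, int) =
		fixed ? sendmsg_fixed : sendmsg_unfixed;
	int err;

	memset(c, 0, sizeof(*c));
	memset(first, 'A', sizeof(first));
	memset(second, 'B', sizeof(second));
	err = do_send(c, first, sizeof(first), 1);
	return err ? err : do_send(c, second, sizeof(second), 1);
}

static int scenario_err(int fixed) { struct ctx c; return run_scenario(&c, fixed); }
static int scenario_oob(int fixed) { struct ctx c; run_scenario(&c, fixed); return c.oob_detected; }
static size_t scenario_pending(int fixed) { struct ctx c; run_scenario(&c, fixed); return c.partial.len; }
```

On the unfixed path the second send's flush advances the old 40-byte transfer to offset 32 and reports success, the 8-byte message is built over it, and the next push finds an offset larger than the new length; the fixed path returns -EAGAIN from the same position and leaves the 40-byte partial untouched.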
Thread overview: 2+ messages
2026-06-02 16:46 [PATCH ipsec v2 1/1] xfrm: espintcp: do not reuse an in-progress partial send Ren Wei
2026-06-09 6:12 ` Steffen Klassert [this message]