From: Steffen Klassert <steffen.klassert@secunet.com>
To: Alessandro Schino <7991aleschino@gmail.com>
Cc: <netdev@vger.kernel.org>, <herbert@gondor.apana.org.au>,
<davem@davemloft.net>, <pabeni@redhat.com>,
<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH ipsec v3] esp: fix page frag reference leak on skb_to_sgvec failure
Date: Wed, 10 Jun 2026 07:37:02 +0200 [thread overview]
Message-ID: <aij3_qm9x7LJUfbG@secunet.com> (raw)
In-Reply-To: <20260605122215.825-1-7991aleschino@gmail.com>
On Fri, Jun 05, 2026 at 02:22:15PM +0200, Alessandro Schino wrote:
> In esp_output_tail(), when esp->inplace is false, the old skb page frags
> are replaced with a new page from the xfrm page_frag cache The source
> scatterlist (sg) is built from the old frags before the replacement, and
> esp_ssg_unref() is responsible for releasing the old page references
> after the crypto operation completes
>
> However, if the second skb_to_sgvec() call (which builds the destination
> scatterlist from the new page) fails, the code jumps to error_free which
> only calls kfree(tmp). The old page frag references captured in the
> source scatterlist are never released:
>
> 1 sg[] is built from old frags via skb_to_sgvec() (no extra get_page)
> 2 nr_frags is set to 1 and frag[0] is replaced with the new page
> 3 Second skb_to_sgvec() fails -> goto error_free
>
> Fix this by adding a bool parameter to esp_ssg_unref() that, when true,
> unconditionally unrefs the source scatterlist frags. Since req->src is
> not yet initialized by aead_request_set_crypt() at the point of the
> error, the source scatterlist is obtained directly via esp_req_sg()
> Existing callers pass false to preserve the original behavior
>
> The same issue exists in both esp4 and esp6 as the code is identical
>
> Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
> Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
> Signed-off-by: Alessandro Schino <7991aleschino@gmail.com>
Applied, thanks Alessandro!
next prev parent reply other threads:[~2026-06-10 5:37 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 12:22 [PATCH ipsec v3] esp: fix page frag reference leak on skb_to_sgvec failure Alessandro Schino
2026-06-10 5:37 ` Steffen Klassert [this message]
2026-06-10 6:11 ` Alessandro Schino
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aij3_qm9x7LJUfbG@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=7991aleschino@gmail.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox