[PATCH ipsec] esp: fix uninitialised req->src dereference in esp_ssg_unref

From: Alessandro Schino

Date: Fri May 29 2026 - 03:20:01 EST


When esp_ssg_unref() is called with already_unref=true, req->src has
not been initialised yet because aead_request_set_crypt() has not been
called at that point. Use esp_req_sg() to obtain the source scatterlist
directly from the tmp buffer layout instead.

Fixes: 2982e599fff6 ("esp: fix page frag reference leak on skb_to_sgvec failure")
Signed-off-by: Alessandro Schino <7991aleschino@xxxxxxxxx>
---
net/ipv4/esp4.c | 2 +-
net/ipv6/esp6.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 5d3a8656687e..2429c7845984 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -114,7 +114,7 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb,
* Skip the first sg which comes from skb->data.
*/
if (already_unref || req->src != req->dst)
- for (sg = sg_next(req->src); sg; sg = sg_next(sg))
+ for (sg = sg_next(already_unref ? esp_req_sg(aead, req) : req->src); sg; sg = sg_next(sg))
skb_page_unref(page_to_netmem(sg_page(sg)),
skb->pp_recycle);
}
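Review bot: the ternary folded into the sg_next() argument on the `+` line makes the loop header hard to read and pushes it well past the 80-column limit checkpatch flags; pick the list first and keep the loop as it was, e.g. `struct scatterlist *src = already_unref ? esp_req_sg(aead, req) : req->src;` followed by `for (sg = sg_next(src); sg; sg = sg_next(sg))`. The hunk context also stops before the function's declarations, so it does not show where `aead` comes from; confirm it is the existing function-local `struct crypto_aead *` and not a variable this patch still needs to introduce.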
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index b963b8e72604..50af6ab9b8fc 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -131,7 +131,7 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb,
* Skip the first sg which comes from skb->data.
*/
if (already_unref || req->src != req->dst)
- for (sg = sg_next(req->src); sg; sg = sg_next(sg))
+ for (sg = sg_next(already_unref ? esp_req_sg(aead, req) : req->src); sg; sg = sg_next(sg))
skb_page_unref(page_to_netmem(sg_page(sg)),
skb->pp_recycle);
}
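Review bot: this hunk duplicates the esp4.c change verbatim, so both copies of esp_ssg_unref() now carry the same workaround and the same overlong line; the local-variable form applies here too. More importantly, the reason the already_unref path must not touch req->src (aead_request_set_crypt() has not run yet, per the changelog) is not visible in the code: the surrounding comment only says to skip the first sg. A one-line comment beside the `already_unref ? esp_req_sg(aead, req) : req->src` selection, in both files, would record that invariant where the next person editing this loop will see it.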
--
2.41.0.windows.3