Re: [PATCH ipsec v3] esp: fix page frag reference leak on skb_to_sgvec failure

[Alessandro Schino]

You're welcome!


Il giorno mer 10 giu 2026 alle ore 07:37 Steffen Klassert
<steffen.klassert@xxxxxxxxxxx> ha scritto:
>
> On Fri, Jun 05, 2026 at 02:22:15PM +0200, Alessandro Schino wrote:
> > In esp_output_tail(), when esp->inplace is false, the old skb page frags
> > are replaced with a new page from the xfrm page_frag cache The source
> > scatterlist (sg) is built from the old frags before the replacement, and
> > esp_ssg_unref() is responsible for releasing the old page references
> > after the crypto operation completes
> >
> > However, if the second skb_to_sgvec() call (which builds the destination
> > scatterlist from the new page) fails, the code jumps to error_free which
> > only calls kfree(tmp). The old page frag references captured in the
> > source scatterlist are never released:
> >
> >   1 sg[] is built from old frags via skb_to_sgvec() (no extra get_page)
> >   2 nr_frags is set to 1 and frag[0] is replaced with the new page
> >   3 Second skb_to_sgvec() fails -> goto error_free
> >
> > Fix this by adding a bool parameter to esp_ssg_unref() that, when true,
> > unconditionally unrefs the source scatterlist frags. Since req->src is
> > not yet initialized by aead_request_set_crypt() at the point of the
> > error, the source scatterlist is obtained directly via esp_req_sg()
> > Existing callers pass false to preserve the original behavior
> >
> > The same issue exists in both esp4 and esp6 as the code is identical
> >
> > Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
> > Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
> > Signed-off-by: Alessandro Schino <7991aleschino@xxxxxxxxx>
>
> Applied, thanks Alessandro!