From: Steffen Klassert <steffen.klassert@secunet•com>
To: Mark Brown <broonie@kernel•org>
Cc: <linux-kernel@vger•kernel.org>, <linux-next@vger•kernel.org>
Subject: Re: Missing signoff in the ipsec tree
Date: Wed, 27 May 2026 07:02:30 +0200 [thread overview]
Message-ID: <ahZ65tqj7eJWbiQF@secunet.com> (raw)
In-Reply-To: <ahWldvORuJNSMRzm@sirena.org.uk>
On Tue, May 26, 2026 at 02:51:50PM +0100, Mark Brown wrote:
> Commit
>
> 2982e599fff6f ("esp: fix page frag reference leak on skb_to_sgvec failure")
>
> is missing a Signed-off-by from its author
The commit message looks like this:
commit 2982e599fff6faa21c8df147d96fc7af6c1a2f24
Author: e521588 <alessandro.schino@sbb•ch>
Date: Wed May 20 09:27:17 2026 +0200
esp: fix page frag reference leak on skb_to_sgvec failure
In esp_output_tail(), when esp->inplace is false, the old skb page frags
are replaced with a new page from the xfrm page_frag cache. The source
scatterlist (sg) is built from the old frags before the replacement, and
esp_ssg_unref() is responsible for releasing the old page references
after the crypto operation completes.
However, if the second skb_to_sgvec() call (which builds the destination
scatterlist from the new page) fails, the code jumps to error_free which
only calls kfree(tmp). The old page frag references captured in the
source scatterlist are never released:
1. sg[] is built from old frags via skb_to_sgvec() (no extra get_page)
2. nr_frags is set to 1 and frag[0] is replaced with the new page
3. Second skb_to_sgvec() fails -> goto error_free
4. kfree(tmp) frees the sg[] memory but old frags are not unref'd
5. kfree_skb() only releases frag[0] (the new page), not the old ones
Fix this by adding a bool parameter to esp_ssg_unref() that, when true,
unconditionally unrefs the source scatterlist frags without checking
req->src and req->dst, since those fields are not yet initialized by
aead_request_set_crypt() at the point of the error. Existing callers
pass false to preserve the original behavior.
The same issue exists in both esp4 and esp6 as the code is identical.
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Alessandro Schino <7991aleschino@gmail•com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet•com>
So 'Author:' and 'Signed-off-by:' have different mail addresses,
but the person should be the same. I did not notice that when
I applied the patch. I hope it is not a problem.
next prev parent reply other threads:[~2026-05-27 5:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-26 13:51 Missing signoff in the ipsec tree Mark Brown
2026-05-27 5:02 ` Steffen Klassert [this message]
2026-05-27 10:30 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ahZ65tqj7eJWbiQF@secunet.com \
--to=steffen.klassert@secunet$(echo .)com \
--cc=broonie@kernel$(echo .)org \
--cc=linux-kernel@vger$(echo .)kernel.org \
--cc=linux-next@vger$(echo .)kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox