Commit 2982e599 authored by e521588's avatar e521588 Committed by Steffen Klassert

esp: fix page frag reference leak on skb_to_sgvec failure



In esp_output_tail(), when esp->inplace is false, the old skb page frags
are replaced with a new page from the xfrm page_frag cache. The source
scatterlist (sg) is built from the old frags before the replacement, and
esp_ssg_unref() is responsible for releasing the old page references
after the crypto operation completes.

However, if the second skb_to_sgvec() call (which builds the destination
scatterlist from the new page) fails, the code jumps to error_free which
only calls kfree(tmp). The old page frag references captured in the
source scatterlist are never released:

  1. sg[] is built from old frags via skb_to_sgvec() (no extra get_page)
  2. nr_frags is set to 1 and frag[0] is replaced with the new page
  3. Second skb_to_sgvec() fails -> goto error_free
  4. kfree(tmp) frees the sg[] memory but old frags are not unref'd
  5. kfree_skb() only releases frag[0] (the new page), not the old ones

Fix this by adding a bool parameter to esp_ssg_unref() that, when true,
unconditionally unrefs the source scatterlist frags without checking
req->src and req->dst, since those fields are not yet initialized by
aead_request_set_crypt() at the point of the error. Existing callers
pass false to preserve the original behavior.

The same issue exists in both esp4 and esp6 as the code is identical.

Fixes: cac2661c ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f ("esp6: Avoid skb_cow_data whenever possible")

Signed-off-by: default avatarAlessandro Schino <7991aleschino@gmail.com>
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
parent 79d8be26
+7 −5
@@ -96,7 +96,7 @@ static inline struct scatterlist *esp_req_sg(struct crypto_aead *aead,
			     __alignof__(struct scatterlist));
}

static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb)
static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb, bool already_unref)
{
	struct crypto_aead *aead = x->data;
	int extralen = 0;
@@ -113,7 +113,7 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb)
	/* Unref skb_frag_pages in the src scatterlist if necessary.
	 * Skip the first sg which comes from skb->data.
	 */
	if (req->src != req->dst)
	if (already_unref || req->src != req->dst)
		for (sg = sg_next(req->src); sg; sg = sg_next(sg))
			skb_page_unref(page_to_netmem(sg_page(sg)),
				       skb->pp_recycle);
@@ -220,7 +220,7 @@ static void esp_output_done(void *data, int err)
	}

	tmp = ESP_SKB_CB(skb)->tmp;
	esp_ssg_unref(x, tmp, skb);
	esp_ssg_unref(x, tmp, skb, false);
	kfree(tmp);

	if (xo && (xo->flags & XFRM_DEV_RESUME)) {
@@ -569,9 +569,11 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
		err = skb_to_sgvec(skb, dsg,
			           (unsigned char *)esph - skb->data,
			           assoclen + ivlen + esp->clen + alen);
		if (unlikely(err < 0))
		if (unlikely(err < 0)) {
			esp_ssg_unref(x, tmp, skb, true);
			goto error_free;
		}
	}

	if ((x->props.flags & XFRM_STATE_ESN))
		aead_request_set_callback(req, 0, esp_output_done_esn, skb);
@@ -602,7 +604,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
	}

	if (sg != dsg)
		esp_ssg_unref(x, tmp, skb);
		esp_ssg_unref(x, tmp, skb, false);

	if (!err && x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)
		err = esp_output_tail_tcp(x, skb);
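Review bot: The new error path `esp_ssg_unref(x, tmp, skb, true);` runs before `aead_request_set_crypt()` has been called (the commit message says exactly that), yet with already_unref set the helper still walks `for (sg = sg_next(req->src); sg; sg = sg_next(sg))`, so it reads `req->src` while that field is, by the commit's own description, not yet initialised. Unless the request memory returned by esp_tmp_req() is zeroed or `req->src` is assigned somewhere outside these hunks, this turns the page-reference leak into a dereference of an uninitialised pointer on the failure path. Both `req` and `sg` are in scope at the call site, so the smallest repair is to set the source list before the call, `req->src = sg;`, or to pass the scatterlist into the helper instead of a flag so it never depends on request fields that are not yet valid. The identical path exists in the esp6 section below at the matching `esp_ssg_unref(x, tmp, skb, true);` line. esp_output_tail starts and ends outside this hunk.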
+7 −5
@@ -113,7 +113,7 @@ static inline struct scatterlist *esp_req_sg(struct crypto_aead *aead,
			     __alignof__(struct scatterlist));
}

static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb)
static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb, bool already_unref)
{
	struct crypto_aead *aead = x->data;
	int extralen = 0;
@@ -130,7 +130,7 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb)
	/* Unref skb_frag_pages in the src scatterlist if necessary.
	 * Skip the first sg which comes from skb->data.
	 */
	if (req->src != req->dst)
	if (already_unref || req->src != req->dst)
		for (sg = sg_next(req->src); sg; sg = sg_next(sg))
			skb_page_unref(page_to_netmem(sg_page(sg)),
				       skb->pp_recycle);
@@ -254,7 +254,7 @@ static void esp_output_done(void *data, int err)
	}

	tmp = ESP_SKB_CB(skb)->tmp;
	esp_ssg_unref(x, tmp, skb);
	esp_ssg_unref(x, tmp, skb, false);
	kfree(tmp);

	esp_output_encap_csum(skb);
@@ -600,9 +600,11 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
		err = skb_to_sgvec(skb, dsg,
			           (unsigned char *)esph - skb->data,
			           assoclen + ivlen + esp->clen + alen);
		if (unlikely(err < 0))
		if (unlikely(err < 0)) {
			esp_ssg_unref(x, tmp, skb, true);
			goto error_free;
		}
	}

	if ((x->props.flags & XFRM_STATE_ESN))
		aead_request_set_callback(req, 0, esp_output_done_esn, skb);
@@ -634,7 +636,7 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
	}

	if (sg != dsg)
		esp_ssg_unref(x, tmp, skb);
		esp_ssg_unref(x, tmp, skb, false);

	if (!err && x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)
		err = esp_output_tail_tcp(x, skb);
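Review bot: The parameter name `already_unref` on the new esp_ssg_unref signature reads as a state ("the frags have already been unreferenced") when it actually forces the unref regardless of the `req->src != req->dst` check, which invites the opposite reading at the call sites. A name such as `force_unref`, plus a one-line comment above the signature, would make the contract explicit, e.g. `/* force_unref: release src frag pages even though req->src/req->dst are not yet set (error path before aead_request_set_crypt()) */`. The existing comment "Unref skb_frag_pages in the src scatterlist if necessary." should mention the new flag as the second condition. The same applies to the esp4 section above; esp_ssg_unref's body continues outside this hunk.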