Commit dfa0d7b0 authored May 18, 2026 by Jingguo Tan Committed by Steffen Klassert May 22, 2026

xfrm: esp: restore combined single-frag length gate



The ESP out-of-place fast path appends the trailer in esp_output_head()
before esp_output_tail() allocates the destination page frag. The
head-side gate currently checks skb->data_len and tailen separately, but
the tail code allocates a single destination frag from the combined
post-trailer skb->data_len.

Reject the page-frag fast path when the combined aligned length exceeds a
page. Otherwise skb_page_frag_refill() may fall back to a single page while
the destination sg still spans the combined skb->data_len.

Restore this combined-length page gate for both IPv4 and IPv6.

Fixes: 5bd8baab ("esp: limit skb_page_frag_refill use to a single page")
Cc: stable@vger.kernel.org
Signed-off-by: Lin Ma <malin89@huawei.com>
Signed-off-by: Chenyuan Mi <michenyuan@huawei.com>
Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

parent 2982e599

net/ipv4/esp4.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -419,8 +419,8 @@ int esp_output_head(struct xfrm_state x, struct sk_buff skb, struct esp_info *
		return err;
		}

		if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE \|\|
		ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
		if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
		PAGE_SIZE)
		goto cow;

		if (!skb_cloned(skb)) {

net/ipv6/esp6.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -448,8 +448,8 @@ int esp6_output_head(struct xfrm_state x, struct sk_buff skb, struct esp_info
		return err;
		}

		if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE \|\|
		ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
		if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
		PAGE_SIZE)
		goto cow;

		if (!skb_cloned(skb)) {