[PATCH ipsec] esp: fix uninitialised req->src dereference in esp_ssg_unref

Alessandro Schino posted 1 patch 1 week, 3 days ago
Posted by Alessandro Schino 1 week, 3 days ago
When esp_ssg_unref() is called with already_unref=true, req->src has
not been initialised yet because aead_request_set_crypt() has not been
called at that point. Use esp_req_sg() to obtain the source scatterlist
directly from the tmp buffer layout instead.

Fixes: 2982e599fff6 ("esp: fix page frag reference leak on skb_to_sgvec failure")
Signed-off-by: Alessandro Schino <7991aleschino@gmail.com>
---
 net/ipv4/esp4.c | 2 +-
 net/ipv6/esp6.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 5d3a8656687e..2429c7845984 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -114,7 +114,7 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb,
 	 * Skip the first sg which comes from skb->data.
 	 */
 	if (already_unref || req->src != req->dst)
-		for (sg = sg_next(req->src); sg; sg = sg_next(sg))
+		for (sg = sg_next(already_unref ? esp_req_sg(aead, req) : req->src); sg; sg = sg_next(sg))
 			skb_page_unref(page_to_netmem(sg_page(sg)),
 				       skb->pp_recycle);
 }
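Review bot: the new loop header at the `+` line runs well past 80 columns and buries the already_unref decision inside the for-init; hoist the selection out of the loop so the existing `sg` variable (or a local `struct scatterlist *src`) carries it, e.g. `sg = already_unref ? esp_req_sg(aead, req) : req->src;` followed by `for (sg = sg_next(sg); sg; sg = sg_next(sg))`. This keeps the "skip the first sg" comment directly above still accurate and avoids the checkpatch line-length warning.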
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index b963b8e72604..50af6ab9b8fc 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -131,7 +131,7 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb,
 	 * Skip the first sg which comes from skb->data.
 	 */
 	if (already_unref || req->src != req->dst)
-		for (sg = sg_next(req->src); sg; sg = sg_next(sg))
+		for (sg = sg_next(already_unref ? esp_req_sg(aead, req) : req->src); sg; sg = sg_next(sg))
 			skb_page_unref(page_to_netmem(sg_page(sg)),
 				       skb->pp_recycle);
 }
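Review bot: the esp6.c hunk is the same change as esp4.c and has the same over-long loop header, so whatever form the esp4.c loop takes should be mirrored here verbatim to keep the two copies of esp_ssg_unref() identical. The commit message also states only that req->src is uninitialised when already_unref is set; it should say why the scatterlist returned by esp_req_sg() is safe to walk and terminated at that point (the tmp buffer layout it comes from), since the loop relies on sg_next() hitting a proper end marker.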
-- 
2.41.0.windows.3
Re: [PATCH ipsec] esp: fix uninitialised req->src dereference in esp_ssg_unref
Posted by Steffen Klassert 1 week ago
On Fri, May 29, 2026 at 09:18:46AM +0200, Alessandro Schino wrote:
> When esp_ssg_unref() is called with already_unref=true, req->src has
> not been initialised yet because aead_request_set_crypt() has not been
> called at that point. Use esp_req_sg() to obtain the source scatterlist
> directly from the tmp buffer layout instead.
> 
> Fixes: 2982e599fff6 ("esp: fix page frag reference leak on skb_to_sgvec failure")
> Signed-off-by: Alessandro Schino <7991aleschino@gmail.com>

Please resend the full fixed patch on top of the ipsec tree.