Re: [PATCH net] xfrm: esp: restore combined single-frag length gate
From: Sabrina Dubroca
Date: Thu May 21 2026 - 07:03:55 EST
Hello,
note: patches to xfrm should go through the "ipsec" tree, not "net"
(with the subject prefix [PATCH ipsec]).
2026-05-21, 07:52:50 +0000, tanjingguo wrote:
> From 1e6d45378b272fe2f1fce48ed89d6eaa415c00c2 Mon Sep 17 00:00:00 2001
> From: Jingguo Tan <tanjingguo@xxxxxxxxxx>
> Date: Mon, 18 May 2026 17:06:48 +0800
> Subject: [PATCH net] xfrm: esp: restore combined single-frag length gate
>
> The ESP out-of-place fast path still consumes the combined post-trailer
> skb->data_len as a single destination frag in esp_output_tail()/
> esp6_output_tail(). The head-side gate must therefore reject any case
> where ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) exceeds PAGE_SIZE,
> otherwise skb_page_frag_refill() may fall back to a single page and the
> destination sg will overrun it.
If I'm following correctly, the issue comes from the
skb_len_add(tailen)? So esp_output_tail() does skb_page_frag_refill()
with [what we checked in esp_output_head() + tailen]?
> Restore a combined-length page gate before entering the page-frag fast
> path for both IPv4 and IPv6.
>
> Fixes: 5bd8baab087d ("esp: limit skb_page_frag_refill use to a single page")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Lin Ma <malin89@xxxxxxxxxx>
> Signed-off-by: Chenyuan Mi <michenyuan@xxxxxxxxxx>
> Signed-off-by: Jingguo Tan <tanjingguo@xxxxxxxxxx>
> ---
>
> net/ipv4/esp4.c | 5 +++--
> net/ipv6/esp6.c | 5 +++--
> 2 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
> index 6a5febbdbee49..2d7daca8516c2 100644
> --- a/net/ipv4/esp4.c
> +++ b/net/ipv4/esp4.c
> @@ -410,6 +410,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
> struct page *page;
> struct sk_buff *trailer;
> int tailen = esp->tailen;
> + unsigned int allocsize;
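Review bot: the added `unsigned int allocsize` sits directly under `int tailen = esp->tailen;`, so a gate built from the commit message's ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) adds a signed value to an unsigned one. The rest of the hunk is not shown here, but where it computes that sum it should either keep every operand unsigned or reject a negative tailen first. A one-line comment at the gate noting that esp_output_tail() consumes the combined length as a single frag would also document why the two lengths are checked together.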
nit: there's already an allocsize variable in this function. no
shadowing please.
--
Sabrina
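The length gate described in the quoted commit message, as an added userspace C model that is not part of this thread or of the kernel patch. The `MODEL_*` constants stand in for the kernel's PAGE_SIZE, L1_CACHE_BYTES and ALIGN() with assumed values, and the per-part gate is a hypothetical contrast case, since the page does not show the pre-patch check.

```c
/* Userspace model of the combined single-frag length gate (added example).
 * MODEL_* stand in for PAGE_SIZE, L1_CACHE_BYTES and ALIGN(); values assumed. */
#include <stdbool.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE      4096u
#define MODEL_L1_CACHE_BYTES 64u
#define MODEL_ALIGN(x, a)    (((x) + ((a) - 1u)) & ~((a) - 1u))

/* True when one destination frag of len bytes fits in a single page. */
static bool fits_one_page(unsigned int len)
{
	if (len > MODEL_PAGE_SIZE)	/* early out also keeps the align from wrapping */
		return false;
	return MODEL_ALIGN(len, MODEL_L1_CACHE_BYTES) <= MODEL_PAGE_SIZE;
}

/* Hypothetical per-part gate: each length is checked on its own. */
static bool per_part_gate_rejects(unsigned int data_len, int tailen)
{
	if (tailen < 0)
		return true;
	return !fits_one_page(data_len) || !fits_one_page((unsigned int)tailen);
}

/* Combined gate from the commit message: data_len + tailen must fit. */
static bool combined_gate_rejects(unsigned int data_len, int tailen)
{
	if (tailen < 0 || (unsigned int)tailen > MODEL_PAGE_SIZE ||
	    data_len > MODEL_PAGE_SIZE)
		return true;	/* reject before the sum can wrap */
	return !fits_one_page(data_len + (unsigned int)tailen);
}

int main(void)
{
	/* Constructed sample lengths, not taken from the thread. */
	static const struct { unsigned int data_len; int tailen; } cases[] = {
		{ 1400, 20 }, { 4000, 96 }, { 4000, 200 }, { 0xfffffff0u, 32 },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("data_len=%u tailen=%d per-part=%s combined=%s\n",
		       cases[i].data_len, cases[i].tailen,
		       per_part_gate_rejects(cases[i].data_len, cases[i].tailen) ? "reject" : "pass",
		       combined_gate_rejects(cases[i].data_len, cases[i].tailen) ? "reject" : "pass");
	return 0;
}
```

With these assumed constants, the constructed case data_len=4000, tailen=200 passes the per-part gate but is rejected by the combined one, which is the situation the commit message describes.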