esp: fix skb leak with espintcp and async crypto

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

When the TX queue for espintcp is full, esp_output_tail_tcp will
return an error and not free the skb, because with synchronous crypto,
the common xfrm output code will drop the packet for us.

With async crypto (esp_output_done), we need to drop the skb when
esp_output_tail_tcp returns an error.

Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

authored by

Sabrina Dubroca and committed by

Steffen Klassert 2 months ago 0c0eef8c 7d2fc41f

+12 -6

2 changed files

expand all

net

ipv4

esp4.c

ipv6

esp6.c

+6 -3

net/ipv4/esp4.c

··· 235 235 xfrm_dev_resume(skb); 236 236 } else { 237 237 if (!err && 238 - x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) 239 - esp_output_tail_tcp(x, skb); 240 - else 238 + x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) { 239 + err = esp_output_tail_tcp(x, skb); 240 + if (err != -EINPROGRESS) 241 + kfree_skb(skb); 242 + } else { 241 243 xfrm_output_resume(skb_to_full_sk(skb), skb, err); 244 + } 242 245 } 243 246 } 244 247

+6 -3

net/ipv6/esp6.c

··· 271 271 xfrm_dev_resume(skb); 272 272 } else { 273 273 if (!err && 274 - x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) 275 - esp_output_tail_tcp(x, skb); 276 - else 274 + x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) { 275 + err = esp_output_tail_tcp(x, skb); 276 + if (err != -EINPROGRESS) 277 + kfree_skb(skb); 278 + } else { 277 279 xfrm_output_resume(skb_to_full_sk(skb), skb, err); 280 + } 278 281 } 279 282 } 280 283

Configure Feed

Configure Feed