esp: Fix possible buffer overflow in ESP transformation

[ Upstream commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 ]

The maximum message size that can be send is bigger than
the  maximum site that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.

Fix this by doing a fallback to COW in that case.


Avoid get get_order() costs as suggested by Linus Torvalds.

For having the patch build on v5.4, following changes are done:
 - `SKB_FRAG_PAGE_ORDER` declaration is moved from net/core/sock.c to include/net/sock.c.
 - Remove changes introduced due to `xfrm: add support for UDPv6 encapsulation of ESP` in esp6_output_head

RELEASE_NOTE=Fixed possible buffer overflow in ESP transformation.

cos-patch: bug
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <>
Signed-off-by: Steffen Klassert <>
Signed-off-by: Vaibhav Rustagi <>
Change-Id: Ibba7d1063e1e78fe8cecb2d0ae1e94a586101a93
Tested-by: Cusky Presubmit Bot <>
Main-Branch-Verified: Cusky Presubmit Bot <>
Reviewed-by: Oleksandr Tymoshenko <>
5 files changed