]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
espintcp: use sk_msg_free_partial to fix partial send
authorSabrina Dubroca <sd@queasysnail.net>
Fri, 12 Jun 2026 14:11:39 +0000 (16:11 +0200)
committerSteffen Klassert <steffen.klassert@secunet.com>
Wed, 17 Jun 2026 09:17:27 +0000 (11:17 +0200)
sk_msg_free_partial() ensures consistency of the skmsg at every
iteration, without having to manually handle uncharges and offsets.
This simplifies the code, and fixes some bugs in skmsg accounting when
we don't send the full contents.

Cc: stable@vger.kernel.org
Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
Reported-by: Aaron Esau <aaron1esau@gmail.com>
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
net/xfrm/espintcp.c

index d9035546375eba5314d64ea33af8660c77523ed1..374e1b96443839da63b4fbc399a3a58c1b85fd8d 100644 (file)
@@ -212,43 +212,23 @@ static int espintcp_sendskmsg_locked(struct sock *sk,
        struct sk_msg *skmsg = &emsg->skmsg;
        bool more = flags & MSG_MORE;
        struct scatterlist *sg;
-       int done = 0;
        int ret;
 
-       sg = &skmsg->sg.data[skmsg->sg.start];
        do {
                struct bio_vec bvec;
-               size_t size = sg->length - emsg->offset;
-               int offset = sg->offset + emsg->offset;
-               struct page *p;
-
-               emsg->offset = 0;
 
+               sg = &skmsg->sg.data[skmsg->sg.start];
                if (sg_is_last(sg) && !more)
                        msghdr.msg_flags &= ~MSG_MORE;
 
-               p = sg_page(sg);
-retry:
-               bvec_set_page(&bvec, p, size, offset);
-               iov_iter_bvec(&msghdr.msg_iter, ITER_SOURCE, &bvec, 1, size);
-               ret = tcp_sendmsg_locked(sk, &msghdr, size);
-               if (ret < 0) {
-                       emsg->offset = offset - sg->offset;
-                       skmsg->sg.start += done;
+               bvec_set_page(&bvec, sg_page(sg), sg->length, sg->offset);
+               iov_iter_bvec(&msghdr.msg_iter, ITER_SOURCE, &bvec, 1, sg->length);
+               ret = tcp_sendmsg_locked(sk, &msghdr, sg->length);
+               if (ret < 0)
                        return ret;
-               }
-
-               if (ret != size) {
-                       offset += ret;
-                       size -= ret;
-                       goto retry;
-               }
 
-               done++;
-               put_page(p);
-               sk_mem_uncharge(sk, sg->length);
-               sg = sg_next(sg);
-       } while (sg);
+               sk_msg_free_partial(sk, skmsg, ret);
+       } while (skmsg->sg.size);
 
        memset(emsg, 0, sizeof(*emsg));