From: sashiko-bot@kernel.org
To: "Jason Xing" <kerneljasonxing@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH net v4 1/8] xsk: reject sw-csum UMEM binding to IFF_TX_SKB_NO_LINEAR devices
Date: Sat, 25 Apr 2026 05:40:31 +0000 [thread overview]
Message-ID: <20260425054032.28A27C2BCB2@smtp.kernel.org> (raw)
In-Reply-To: <20260424053816.27965-2-kerneljasonxing@gmail.com>
Sashiko AI review found 1 potential issue(s):
- [High] The patch incompletely fixes the WARN_ON_ONCE in skb_checksum_help() triggered by pure-fragment SKBs. It successfully prevents the explicit fallback in xsk_skb_metadata() (which wedged the TX ring), but leaves the implicit generic network stack fallback vulnerable. If a user sets XDP_TXMD_FLAGS_CHECKSUM on an IFF_TX_SKB_NO_LINEAR device and the hardware checksum offload is disabled at runtime (e.g., via `ethtool -K eth0 tx off`), the core stack's validate_xmit_skb() takes over. Because NETIF_F_SG is allowed to remain active even without checksum features, skb_needs_linearize() evaluates to false, leaving the SKB unlinearized. The SKB is then passed to skb_csum_hwoffload_help() -> skb_checksum_help(), which hits the exact same WARN_ON_ONCE(offset >= skb_headlen(skb)) because skb_headlen is 0.
--
commit 86ab0a4900aa60bee0c3df7393a2846b5ff74ccb
Author: Jason Xing <kerneljasonxing@gmail.com>
xsk: reject sw-csum UMEM binding to IFF_TX_SKB_NO_LINEAR devices
This commit attempts to fix a warning triggered in skb_checksum_help()
by AF_XDP pure-fragment SKBs. It rejects sw-csum UMEM binding for
drivers advertising IFF_TX_SKB_NO_LINEAR at setup time.
Closes: https://lore.kernel.org/all/20260419045822.843BFC2BCAF@smtp.kernel.org/#t
Fixes: 30c3055f9c0d ("xsk: wrap generic metadata handling onto separate function")
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Signed-off-by: Jason Xing <kernelxing@tencent.com>
> diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
> index cd7bc50872f6b5..d981cfdd853578 100644
> --- a/net/xdp/xsk_buff_pool.c
> +++ b/net/xdp/xsk_buff_pool.c
> @@ -175,6 +175,9 @@ int xp_assign_dev(struct xsk_buff_pool *pool,
> if (force_zc && force_copy)
> return -EINVAL;
>
> + if (pool->tx_sw_csum && (netdev->priv_flags & IFF_TX_SKB_NO_LINEAR))
> + return -EOPNOTSUPP;
> +
Does this still leave a path for the warning in skb_checksum_help() to
trigger if hardware checksum offloading is disabled at runtime?
If a user sets XDP_TXMD_FLAGS_CHECKSUM on an IFF_TX_SKB_NO_LINEAR device,
and hardware checksum offload is later disabled (e.g., via ethtool -K
eth0 tx off), the core stack's validate_xmit_skb() will take over.
Because NETIF_F_SG can remain active even without checksum features,
skb_needs_linearize() evaluates to false, leaving the SKB unlinearized.
The SKB is then passed to skb_csum_hwoffload_help() which falls back to
skb_checksum_help(). Since the pure-fragment SKB still has a headlen of 0,
won't this hit the exact same WARN_ON_ONCE(offset >= skb_headlen(skb))
warning?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260424053816.27965-1-kerneljasonxing@gmail.com?part=1
next prev parent reply other threads:[~2026-04-25 5:40 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 5:38 [PATCH net v4 0/8] xsk: fix bugs around xsk skb allocation Jason Xing
2026-04-24 5:38 ` [PATCH net v4 1/8] xsk: reject sw-csum UMEM binding to IFF_TX_SKB_NO_LINEAR devices Jason Xing
2026-04-25 5:40 ` sashiko-bot [this message]
2026-04-25 13:53 ` Jason Xing
2026-04-28 13:13 ` Paolo Abeni
2026-05-02 19:04 ` Jason Xing
2026-04-24 5:38 ` [PATCH net v4 2/8] xsk: handle NULL dereference of the skb without frags issue Jason Xing
2026-04-28 11:33 ` Simon Horman
2026-04-29 3:53 ` Jason Xing
2026-04-24 5:38 ` [PATCH net v4 3/8] xsk: fix use-after-free of xs->skb in xsk_build_skb() free_err path Jason Xing
2026-04-24 5:38 ` [PATCH net v4 4/8] xsk: prevent CQ desync when freeing half-built skbs in xsk_build_skb() Jason Xing
2026-04-24 5:38 ` [PATCH net v4 5/8] xsk: avoid skb leak in XDP_TX_METADATA case Jason Xing
2026-04-24 5:38 ` [PATCH net v4 6/8] xsk: free the skb when hitting the upper bound MAX_SKB_FRAGS Jason Xing
2026-04-24 5:38 ` [PATCH net v4 7/8] xsk: fix xsk_addrs slab leak on multi-buffer error path Jason Xing
2026-04-24 5:38 ` [PATCH net v4 8/8] xsk: fix u64 descriptor address truncation on 32-bit architectures Jason Xing
2026-04-28 13:18 ` Paolo Abeni
2026-04-28 23:11 ` Stanislav Fomichev
2026-04-29 3:41 ` Jason Xing
2026-04-29 15:14 ` Stanislav Fomichev
2026-04-29 19:02 ` Jason Xing
2026-05-01 3:29 ` Stanislav Fomichev
2026-05-02 20:10 ` Jason Xing
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260425054032.28A27C2BCB2@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=kerneljasonxing@gmail.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.