From: sashiko-bot@kernel.org
To: "Daniel Machon" <daniel.machon@microchip.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH net-next v2 11/13] net: lan966x: add PCIe FDMA XDP support
Date: Wed, 29 Apr 2026 13:10:07 +0000 [thread overview]
Message-ID: <20260429131008.73DACC19425@smtp.kernel.org> (raw)
In-Reply-To: <20260428-lan966x-pci-fdma-v2-11-d3ec66e06202@microchip.com>
Thank you for your contribution! Sashiko AI review found 6 potential issue(s) to consider:
- [Critical] Time-of-Check to Time-of-Use (TOCTOU) race condition in XDP program execution causes NULL pointer dereference.
- [Critical] Double addition of `XDP_PACKET_HEADROOM` misaligns DMA/virtual pointers, causing buffer overruns and memory corruption.
- [High] Hardware FCS is incorrectly exposed to XDP payload and causes data truncation on XDP_PASS.
- [High] Integer underflow on runt frames leads to out-of-bounds memory accesses.
- [High] Discrepancy in FCS length handling between TX paths causes information leak or payload corruption.
- [Medium] `lan966x_fdma_pci_xmit_xdpf()` fails to pad short frames to minimum Ethernet length.
--
commit 99263814b4c5264a0eb9e0faa0f7f6b6f10d121f
Author: Daniel Machon <daniel.machon@microchip.com>
Subject: net: lan966x: add PCIe FDMA XDP support
Add XDP support for the PCIe FDMA path. The implementation operates on
contiguous ATU-mapped buffers with memcpy-based XDP_TX, unlike the
platform path which uses page_pool.
> diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma_pci.c b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma_pci.c
> index 61a62dbcc313..8d867b7edd39 100644
> --- a/drivers/net/ethernet/microchip/lan966x/lan966x_fdma_pci.c
> +++ b/drivers/net/ethernet/microchip/lan966x/lan966x_fdma_pci.c
[ ... ]
> @@ -15,7 +17,8 @@ static int lan966x_fdma_pci_dataptr_cb(struct fdma *fdma, int dcb, int db,
>
> addr = fdma_dataptr_dma_addr_contiguous(fdma, dcb, db);
>
> - *dataptr = fdma_pci_atu_translate_addr(fdma->atu_region, addr);
> + *dataptr = fdma_pci_atu_translate_addr(fdma->atu_region, addr) +
> + XDP_PACKET_HEADROOM;
Is it possible that XDP_PACKET_HEADROOM is being added twice here? Looking at
fdma_dataptr_dma_addr_contiguous(), the headroom is already implicitly added:
fdma_api.h:fdma_dataptr_dma_addr_contiguous() {
return fdma->dma + ... + XDP_PACKET_HEADROOM;
}
Could this double addition push the pointers past the allocated db_size
boundary for MTU-sized packets and corrupt adjacent memory?
[ ... ]
> +static int lan966x_fdma_pci_xmit_xdpf(struct lan966x_port *port,
> + void *ptr, u32 len)
> +{
[ ... ]
> + virt_addr = fdma_dataptr_virt_addr_contiguous(fdma, next_to_use, 0) +
> + XDP_PACKET_HEADROOM;
Would this also suffer from the same double XDP_PACKET_HEADROOM addition,
since fdma_dataptr_virt_addr_contiguous() likely includes it?
[ ... ]
> + fdma_dcb_add(fdma,
> + next_to_use,
> + 0,
> + FDMA_DCB_STATUS_INTR |
> + FDMA_DCB_STATUS_SOF |
> + FDMA_DCB_STATUS_EOF |
> + FDMA_DCB_STATUS_BLOCKO(0) |
> + FDMA_DCB_STATUS_BLOCKL(IFH_LEN_BYTES + len));
If len from the XDP program is less than ETH_ZLEN, will the hardware drop the
runt frame or transmit it with garbage padding? The standard
lan966x_fdma_pci_xmit() path explicitly pads short frames to ETH_ZLEN.
Also, does ETH_FCS_LEN need to be included in the block length here?
lan966x_fdma_pci_xmit() includes it. If the hardware expects the MAC FCS space
to be included in the block length, could omitting it here cause the MAC to
replace the last 4 bytes of the XDP payload with the FCS?
[ ... ]
> +static int lan966x_fdma_pci_rx_check_frame(struct lan966x_rx *rx, u64 *src_port,
> + void **data, u32 *data_len)
> {
[ ... ]
> virt_addr = fdma_dataptr_virt_addr_contiguous(fdma,
> fdma->dcb_index,
> fdma->db_index);
> + ifh = virt_addr + XDP_PACKET_HEADROOM;
This looks like a third instance of double-adding XDP_PACKET_HEADROOM.
[ ... ]
> + /* Present the Ethernet frame (no IFH); may be overridden by XDP. */
> + *data = ifh + IFH_LEN_BYTES;
> + *data_len = FDMA_DCB_STATUS_BLOCKL(db->status) - IFH_LEN_BYTES;
What happens if the hardware returns a runt or corrupted frame where
FDMA_DCB_STATUS_BLOCKL is less than IFH_LEN_BYTES (28)? Will this unsigned
subtraction underflow to a large value and cause out-of-bounds memory accesses
during XDP processing?
Additionally, if the block length includes the Ethernet FCS, does this pass
the FCS into the XDP program as part of the packet payload?
> + if (!lan966x_xdp_port_present(port))
> + return FDMA_PASS;
> +
> + return lan966x_xdp_pci_run(port, virt_addr, *data_len, data, data_len);
> }
Can a concurrent XDP program detach cause a NULL pointer dereference here?
lan966x_xdp_port_present() checks if port->xdp_prog is set:
lan966x_main.h:lan966x_xdp_port_present() {
return !!port->xdp_prog;
}
If it returns true, lan966x_xdp_pci_run() reads the pointer a second time:
lan966x_fdma_pci.c:lan966x_xdp_pci_run() {
struct bpf_prog *xdp_prog = port->xdp_prog;
...
act = bpf_prog_run_xdp(xdp_prog, &xdp);
}
If lan966x_xdp_setup() detaches the program via xchg(&port->xdp_prog, NULL)
between these two reads, could xdp_prog be NULL when passed to
bpf_prog_run_xdp()? Should the pointer be read exactly once using READ_ONCE()
or rcu_dereference() to ensure it remains valid?
[ ... ]
> static struct sk_buff *lan966x_fdma_pci_rx_get_frame(struct lan966x_rx *rx,
> - u64 src_port)
> + u64 src_port, void *data,
> + u32 data_len)
> {
[ ... ]
> if (likely(!(skb->dev->features & NETIF_F_RXFCS)))
> skb_trim(skb, skb->len - ETH_FCS_LEN);
If the XDP program modifies the packet length (for instance, stripping an
encapsulation header) and returns XDP_PASS, will subtracting a hardcoded
ETH_FCS_LEN from the newly modified length blindly truncate legitimate payload
data?
[ ... ]
> @@ -180,9 +278,10 @@ static int lan966x_fdma_pci_xmit(struct sk_buff *skb, __be32 *ifh,
>
> skb_tx_timestamp(skb);
>
> - virt_addr = fdma_dataptr_virt_addr_contiguous(fdma, next_to_use, 0);
> + virt_addr = fdma_dataptr_virt_addr_contiguous(fdma, next_to_use, 0) +
> + XDP_PACKET_HEADROOM;
This appears to be a fourth instance where XDP_PACKET_HEADROOM is added on top
of a pointer that already includes it.
Also, further down in this function, FDMA_DCB_STATUS_BLOCKL includes
ETH_FCS_LEN, unlike lan966x_fdma_pci_xmit_xdpf(). If the hardware actually
appends the FCS automatically and doesn't expect ETH_FCS_LEN to be part of the
block length space, will adding it here transmit uninitialized buffer memory
over the network?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260428-lan966x-pci-fdma-v2-0-d3ec66e06202@microchip.com?part=11
next prev parent reply other threads:[~2026-04-29 13:10 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-28 13:06 [PATCH net-next v2 00/13] net: lan966x: add support for PCIe FDMA Daniel Machon
2026-04-28 13:06 ` [PATCH net-next v2 01/13] MAINTAINERS: add FDMA library to Sparx5 SoC entry Daniel Machon
2026-04-28 13:06 ` [PATCH net-next v2 02/13] net: microchip: fdma: rename contiguous dataptr helpers Daniel Machon
2026-04-28 13:06 ` [PATCH net-next v2 03/13] net: microchip: fdma: add PCIe ATU support Daniel Machon
2026-04-28 13:06 ` [PATCH net-next v2 04/13] net: lan966x: add FDMA LLP register write helper Daniel Machon
2026-04-29 13:10 ` sashiko-bot
2026-04-28 13:06 ` [PATCH net-next v2 05/13] net: lan966x: export FDMA helpers for reuse Daniel Machon
2026-04-28 13:06 ` [PATCH net-next v2 06/13] net: lan966x: add FDMA ops dispatch for PCIe support Daniel Machon
2026-04-29 13:10 ` sashiko-bot
2026-04-28 13:06 ` [PATCH net-next v2 07/13] net: lan966x: clear FDMA interrupt stickies after switch reset Daniel Machon
2026-04-28 13:06 ` [PATCH net-next v2 08/13] net: lan966x: add shutdown callback to stop FDMA on reboot Daniel Machon
2026-04-29 13:10 ` sashiko-bot
2026-04-28 13:06 ` [PATCH net-next v2 09/13] net: lan966x: add PCIe FDMA support Daniel Machon
2026-04-29 13:10 ` sashiko-bot
2026-04-28 13:06 ` [PATCH net-next v2 10/13] net: lan966x: add PCIe FDMA MTU change support Daniel Machon
2026-04-29 13:10 ` sashiko-bot
2026-04-28 13:07 ` [PATCH net-next v2 11/13] net: lan966x: add PCIe FDMA XDP support Daniel Machon
2026-04-29 13:10 ` sashiko-bot [this message]
2026-04-28 13:07 ` [PATCH net-next v2 12/13] misc: lan966x-pci: dts: extend cpu reg to cover PCIE DBI space Daniel Machon
2026-04-28 13:07 ` [PATCH net-next v2 13/13] misc: lan966x-pci: dts: add fdma interrupt to overlay Daniel Machon
2026-04-28 16:07 ` [PATCH net-next v2 00/13] net: lan966x: add support for PCIe FDMA Herve Codina
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260429131008.73DACC19425@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel.machon@microchip.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.