Re: [PATCH net v4 3/5] xsk: drain continuation descs after overflow in xsk_build_skb()

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Invalid TX descriptors cause `drain_cont` state desynchronization, leading to dropped or corrupted packets.
--

commit 964153358c7221b02aafc63e0caa53629df56557
Author: Jason Xing <kerneljasonxing@gmail.com>

xsk: drain continuation descs after overflow in xsk_build_skb()

This commit fixes a bug where leftover continuation descriptors remain
in the TX ring after an -EOVERFLOW drop in xsk_build_skb(). It introduces
a drain_cont flag to process and drop the remaining fragments of an
oversized multi-buffer packet, preventing corruption of the packet stream.

Closes: https://lore.kernel.org/all/20260425041726.85FB3C2BCB2@smtp.kernel.org/
Fixes: cf24f5a5feea ("xsk: add support for AF_XDP multi-buffer on Tx path")

[ ... ]

> diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
> index 0a6203c425766..f4add7be8c935 100644
> --- a/net/xdp/xsk.c
> +++ b/net/xdp/xsk.c
> @@ -1062,11 +1062,30 @@ static int __xsk_generic_xmit(struct sock *sk)
>  			goto out;
>  		}
>  
> +		if (unlikely(xs->drain_cont)) {
> +			unsigned long flags;
> +			u32 idx;
> +
> +			spin_lock_irqsave(&xs->pool->cq_prod_lock, flags);
> +			idx = xskq_get_prod(xs->pool->cq);
> +			xskq_prod_write_addr(xs->pool->cq, idx, desc.addr);
> +			xskq_prod_submit_n(xs->pool->cq, 1);
> +			spin_unlock_irqrestore(&xs->pool->cq_prod_lock, flags);
> +
> +			xs->tx->invalid_descs++;
> +			xskq_cons_release(xs->tx);
> +			if (!xp_mb_desc(&desc))
> +				xs->drain_cont = false;
> +			continue;
> +		}
> +
>  		skb = xsk_build_skb(xs, &desc);
>  		if (IS_ERR(skb)) {
>  			err = PTR_ERR(skb);
>  			if (err != -EOVERFLOW)
>  				goto out;
> +			if (xp_mb_desc(&desc))
> +				xs->drain_cont = true;
>  			err = 0;
>  			continue;
>  		}

[Severity: High]
Could this leave xs->drain_cont set to true if an invalid descriptor is
encountered?

When xskq_cons_peek_desc() encounters an invalid TX descriptor (like an
out-of-bounds address), it returns false and terminates the while loop
early.

The invalid descriptor is then consumed by xskq_cons_release() outside the
loop:

net/xdp/xsk.c:__xsk_generic_xmit() {
    ...
    while (xskq_cons_peek_desc(xs->tx, &desc, xs->pool)) {
        ...
    }

    if (xskq_has_descs(xs->tx)) {
        if (xs->skb)
            xsk_drop_skb(xs->skb);
        xskq_cons_release(xs->tx);
    }
    ...
}

If xs->drain_cont was true, and this invalid descriptor happens to be the
last fragment of the overflowed packet, the loop exits before evaluating
the XDP_PKT_CONTD flag or clearing xs->drain_cont.

Will this cause a regression where the next valid packet transmitted by the
application is erroneously treated as a drained fragment and dropped because
xs->drain_cont remained true?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260520004244.55663-1-kerneljasonxing@gmail.com?part=3