From: sashiko-bot@kernel.org
To: Siddharth_Cibi <siddharthcibi@icloud.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH 2/2] selftests/bpf: validate rx_queue_index in xdp_metadata
Date: Fri, 19 Jun 2026 20:07:20 +0000
Message-ID: <20260619200721.07AD51F000E9@smtp.kernel.org>
In-Reply-To: <20260619195759.41254-3-siddharthcibi@icloud.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] ABI / Struct Layout Mismatch on 32-bit platforms
- [Medium] Uninitialized Memory Leak in `xdp_hw_metadata` BPF Program
--

commit 601fd9ffcc49bcd779869ed0a9069b48be1a4a14
Author: Siddharth_Cibi <siddharthcibi@icloud.com>

selftests/bpf: validate rx_queue_index in xdp_metadata

This commit extends the xdp_metadata selftest to validate that
rx_queue_index is preserved after an XDP redirect. It captures the
queue index in the metadata and asserts it matches the expected queue ID.

> diff --git a/tools/testing/selftests/bpf/xdp_metadata.h b/tools/testing/selftests/bpf/xdp_metadata.h
> index 87318ad1117a1..1f0ae4c00091b 100644
> --- a/tools/testing/selftests/bpf/xdp_metadata.h
> +++ b/tools/testing/selftests/bpf/xdp_metadata.h
> @@ -49,4 +49,5 @@ struct xdp_meta {
>  		__s32 rx_vlan_tag_err;
>  	};
>  	enum xdp_meta_field hint_valid;
> +	__u32 rx_queue_index;
>  };
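
Review bot: The new `__u32 rx_queue_index;` at the end of `struct xdp_meta` leaves the struct's total size dependent on compiler tail padding, and nothing in this header pins that size down. Since the user-space side locates the metadata with `sizeof(struct xdp_meta)`, consider adding an explicit trailing `__u32` pad member or a static size assertion next to the struct, plus a short comment saying which program is expected to fill `rx_queue_index`.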

[Severity: High]
Will adding this 4-byte field without explicit padding cause an ABI layout
mismatch between 64-bit BPF programs and 32-bit user-space test environments?

On 64-bit architectures, the __u64 members force the struct alignment to
8 bytes, causing the compiler to implicitly pad the struct size to 40 bytes.
However, on 32-bit architectures like i386, __u64 only requires 4-byte
alignment, meaning the struct size remains exactly 36 bytes.

When verify_xsk_metadata() calculates the user-space pointer:

    meta = data - sizeof(struct xdp_meta);

Could this subtract 36 bytes instead of the 40 bytes reserved by the BPF
program on 32-bit platforms, shifting all metadata fields and causing the
user-space program to read corrupted values?

[Severity: Medium]
Does increasing the size of this struct expose uninitialized memory in
the xdp_hw_metadata BPF program?

Because struct xdp_meta is shared, xdp_hw_metadata.c now allocates more
headroom via bpf_xdp_adjust_meta().

Since xdp_hw_metadata.c wasn't updated to initialize rx_queue_index or
the new implicit padding, does this leave uninitialized packet headroom
memory exposed to user space via the AF_XDP socket?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260619195759.41254-1-siddharthcibi@icloud.com?part=2
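
The layout question raised in the review above can be reproduced on one machine. This is an added example, not part of the mail or the patch: the struct is a constructed stand-in with 36 bytes of members, `#pragma pack(4)` is an assumption used to imitate 4-byte alignment of 64-bit members on a 64-bit build host, and `read_queue_index` is a hypothetical helper.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in, not the real struct xdp_meta: 36 bytes of members,
 * two of them 64-bit, ending in the new 32-bit field. */
#define META_FIELDS \
	uint64_t ts_a; uint64_t ts_b; \
	uint32_t w0; uint32_t w1; uint32_t w2; uint32_t hint_valid; \
	uint32_t rx_queue_index;

/* Assumes a 64-bit build host, where uint64_t is 8-byte aligned. */
struct meta_natural     { META_FIELDS };               /* implicit tail pad */
struct meta_pad_natural { META_FIELDS uint32_t pad; }; /* explicit tail pad */

#pragma pack(push, 4) /* assumption: imitates 4-byte alignment of uint64_t */
struct meta_align4     { META_FIELDS };
struct meta_pad_align4 { META_FIELDS uint32_t pad; };
#pragma pack(pop)

/* Hypothetical helper: the writer reserves writer_size bytes in front of
 * `data` and stores only rx_queue_index; the reader finds the metadata
 * with data - reader_size, the way the quoted user-space line does. */
static uint32_t read_queue_index(size_t writer_size, size_t reader_size,
				 uint32_t queue)
{
	unsigned char headroom[64];
	unsigned char *data = headroom + sizeof(headroom);
	const size_t off = offsetof(struct meta_natural, rx_queue_index);
	uint32_t seen;

	memset(headroom, 0xAA, sizeof(headroom)); /* stale, never-written bytes */
	memcpy(data - writer_size + off, &queue, sizeof(queue));
	memcpy(&seen, data - reader_size + off, sizeof(seen));
	return seen;
}

int main(void)
{
	printf("sizes: natural=%zu align4=%zu\n",
	       sizeof(struct meta_natural), sizeof(struct meta_align4));
	printf("implicit pad: reader sees %#x\n", (unsigned)read_queue_index(
	       sizeof(struct meta_natural), sizeof(struct meta_align4), 3));
	printf("explicit pad: reader sees %#x\n", (unsigned)read_queue_index(
	       sizeof(struct meta_pad_natural), sizeof(struct meta_pad_align4), 3));
	return 0;
}
```

With the implicit tail pad, the reader's 36-byte step lands `rx_queue_index` on the writer's four unwritten padding bytes; with the explicit pad member both layouts are 40 bytes and the field lines up.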
