Re: [PATCH v3 bpf 1/2] xdp: introduce xdp_convert_skb_to_buff()

[Maciej Fijalkowski <maciej.fijalkowski@intel.com>]

On Fri, Oct 24, 2025 at 11:25:26AM +0200, Toke Høiland-Jørgensen wrote:
> Maciej Fijalkowski <maciej.fijalkowski@intel.com> writes:
> 
> > Currently, generic XDP hook uses xdp_rxq_info from netstack Rx queues
> > which do not have its XDP memory model registered. There is a case when
> > XDP program calls bpf_xdp_adjust_tail() BPF helper, which in turn
> > releases underlying memory. This happens when it consumes enough amount
> > of bytes and when XDP buffer has fragments. For this action the memory
> > model knowledge passed to XDP program is crucial so that core can call
> > suitable function for freeing/recycling the page.
> >
> > For netstack queues it defaults to MEM_TYPE_PAGE_SHARED (0) due to lack
> > of mem model registration. The problem we're fixing here is when kernel
> > copied the skb to new buffer backed by system's page_pool and XDP buffer
> > is built around it. Then when bpf_xdp_adjust_tail() calls
> > __xdp_return(), it acts incorrectly due to mem type not being set to
> > MEM_TYPE_PAGE_POOL and causes a page leak.
> >
> > Pull out the existing code from bpf_prog_run_generic_xdp() that
> > init/prepares xdp_buff onto new helper xdp_convert_skb_to_buff() and
> > embed there rxq's mem_type initialization that is assigned to xdp_buff.
> > Make it agnostic to current skb->data position.
> >
> > This problem was triggered by syzbot as well as AF_XDP test suite which
> > is about to be integrated to BPF CI.
> >
> > Reported-by: syzbot+ff145014d6b0ce64a173@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/netdev/6756c37b.050a0220.a30f1.019a.GAE@google.com/
> > Fixes: e6d5dbdd20aa ("xdp: add multi-buff support for xdp running in generic mode")
> > Tested-by: Ihor Solodrai <ihor.solodrai@linux.dev>
> > Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
> > Co-developed-by: Octavian Purdila <tavip@google.com>
> > Signed-off-by: Octavian Purdila <tavip@google.com> # whole analysis, testing, initiating a fix
> > Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com> # commit msg and proposed more robust fix
> > ---
> >  include/net/xdp.h | 27 +++++++++++++++++++++++++++
> >  net/core/dev.c    | 25 ++++---------------------
> >  2 files changed, 31 insertions(+), 21 deletions(-)
> >
> > diff --git a/include/net/xdp.h b/include/net/xdp.h
> > index aa742f413c35..cec43f56ae9a 100644
> > --- a/include/net/xdp.h
> > +++ b/include/net/xdp.h
> > @@ -384,6 +384,33 @@ struct sk_buff *xdp_build_skb_from_frame(struct xdp_frame *xdpf,
> >  					 struct net_device *dev);
> >  struct xdp_frame *xdpf_clone(struct xdp_frame *xdpf);
> >  
> > +static inline
> > +void xdp_convert_skb_to_buff(struct sk_buff *skb, struct xdp_buff *xdp,
> > +			     struct xdp_rxq_info *xdp_rxq)
> > +{
> > +	u32 frame_sz, pkt_len;
> > +
> > +	/* SKB "head" area always have tailroom for skb_shared_info */
> > +	frame_sz = skb_end_pointer(skb) - skb->head;
> > +	frame_sz += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
> > +
> > +	DEBUG_NET_WARN_ON_ONCE(!skb_mac_header_was_set(skb));
> > +	pkt_len =  skb->tail - skb->mac_header;
> 
> Should probably just use the helpers here:
> 
> pkt_len = skb_tail_pointer(skb) - skb_mac_header(skb);
> 
> that way you don't have to open-code the WARN_ON_ONCE, and you get the
> right behaviour even when NET_SKBUFF_DATA_USES_OFFSET is set

Exactly, I thought I could just strip out skb->head out of calculation,
but apparently not ;)

> 
> -Toke
>