All of lore.kernel.org
 help / color / mirror / Atom feed
From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
To: <sashiko-reviews@lists.linux.dev>
Cc: <bpf@vger.kernel.org>
Subject: Re: [PATCH v3 net 3/6] xsk: provide sufficient space in pool->tx_descs
Date: Wed, 15 Jul 2026 20:59:03 +0200	[thread overview]
Message-ID: <alfYdzVgqUQEz/lI@boxer> (raw)
In-Reply-To: <20260715140844.873211F000E9@smtp.kernel.org>

On Wed, Jul 15, 2026 at 02:08:44PM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> 
> Pre-existing issues:
> - [High] Heap buffer overflow in AF_XDP TX batch processing due to undersized `pool->tx_descs` in shared UMEM configurations.
> --
> 
> --- Patch [3]: [PATCH v3 net 3/6] xsk: provide sufficient space in pool->tx_descs ---
> commit 6f635cabf694299ed3f7be4ce0e5f328e6bd90e0
> Author: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
> 
> xsk: provide sufficient space in pool->tx_descs
> 
> The temporary Tx descriptor array in an XSK buffer pool is currently
> sized from the Tx ring of the socket that creates the pool.
> 
> [ ... ]
> 
> > Size the temporary descriptor array to the larger of the first Tx ring
> > and the device's xdp_zc_max_segs capability. This keeps the array large
> > enough to inspect one maximum-sized valid packet. Larger shared Tx rings
> > do not require further resizing, as they can be processed over multiple
> > batches.
> 
> [Severity: High]
> This is a pre-existing issue, but is the statement that larger shared Tx
> rings do not require further resizing accurate?
> 
> If a secondary socket shares the UMEM and has a much larger TX ring than
> the first socket, pool->tx_descs is not resized, locking its size to
> max(first_socket_nentries, dev->xdp_zc_max_segs).
> 
> However, the batch reading functions don't seem to bound their reads to
> the allocated size of the array. They appear to read up to the driver's
> budget (e.g., 64) and the current socket's available elements. 
> 
> Could this cause a heap buffer overflow when writing into descs?

This is clamped on later patch:

+	nb_pkts = min(nb_pkts, pool->tx_descs_nentries);
+	if (!nb_pkts)
+		goto out;
+
+	umem_shared = !list_is_singular(&pool->xsk_tx_list);
+
+	if (umem_shared && !(pool->umem->flags & XDP_UMEM_SG_FLAG)) {
+		rcu_read_unlock();
+		return xsk_tx_peek_release_fallback(pool, nb_pkts);
+	}

> 
> net/xdp/xsk.c:xsk_tx_peek_release_fallback() {
>     ...
> 	while (nb_pkts < max_entries && xsk_tx_peek_desc(pool, &descs[nb_pkts]))
> 		nb_pkts++;
>     ...
> }
> 
> net/xdp/xsk_queue.h:xskq_cons_read_desc_batch() {
>     ...
> 	while (cached_cons != q->cached_prod && nb_entries < max) {
> 		...
> 		descs[nb_entries] = ring->desc[idx];
> 		cached_cons++;
>     ...
> }
> 
> If a user binds a minimal first socket (e.g. 2 entries) and a large shared
> second socket, the softirq batch process could write past the end of the
> array. Since ring->desc is memory-mapped to userspace, could an attacker
> control the overwritten heap memory?
> 
> > diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
> > index 43791647cf182..385a3f4a1b320 100644
> > --- a/net/xdp/xsk.c
> > +++ b/net/xdp/xsk.c
> > @@ -1557,7 +1558,8 @@ static int xsk_bind(struct socket *sock, struct sockaddr_unsized *addr, int addr
> >  			 * utilizes
> >  			 */
> >  			if (xs->tx && !xs->pool->tx_descs) {
> > -				err = xp_alloc_tx_descs(xs->pool, xs);
> > +				err = xp_alloc_tx_descs(xs->pool, xs,
> > +							dev->xdp_zc_max_segs);
> 
> This isn't a bug introduced by this patch, but since tx_descs is not
> reallocated if it already exists, the array size is permanently frozen
> to the first socket's size.
> 
> Should the array be resized to accommodate the largest shared ring, or
> should the batch readers be updated to cap their reads to the array's
> actual size?
> 
> -- 
> Sashiko AI review · https://sashiko.dev/#/patchset/20260714140722.111645-1-maciej.fijalkowski@intel.com?part=3

  reply	other threads:[~2026-07-15 18:59 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-14 14:07 [PATCH v3 net 0/6] xsk: fix AF_XDP multi-buffer Tx descriptor reclaim Maciej Fijalkowski
2026-07-14 14:07 ` [PATCH v3 net 1/6] xsk: fix buffer leak in xsk_drop_skb() for AF_XDP multi-buffer Tx Maciej Fijalkowski
2026-07-14 14:07 ` [PATCH v3 net 2/6] xsk: drain continuation descs after overflow in xsk_build_skb() Maciej Fijalkowski
2026-07-14 14:07 ` [PATCH v3 net 3/6] xsk: provide sufficient space in pool->tx_descs Maciej Fijalkowski
2026-07-15 14:08   ` sashiko-bot
2026-07-15 18:59     ` Maciej Fijalkowski [this message]
2026-07-14 14:07 ` [PATCH v3 net 4/6] xsk: reclaim invalid multi-buffer Tx descs in ZC path Maciej Fijalkowski
2026-07-15 14:08   ` sashiko-bot
2026-07-15 19:03     ` Maciej Fijalkowski
2026-07-14 14:07 ` [PATCH v3 net 5/6] selftests/xsk: fix too-many-frags multi-buffer Tx test Maciej Fijalkowski
2026-07-15 14:08   ` sashiko-bot
2026-07-14 14:07 ` [PATCH v3 net 6/6] selftests/xsk: account invalid multi-buffer Tx descriptors Maciej Fijalkowski
2026-07-15 19:06 ` [PATCH v3 net 0/6] xsk: fix AF_XDP multi-buffer Tx descriptor reclaim Maciej Fijalkowski
2026-07-15 19:47   ` Jason Xing

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alfYdzVgqUQEz/lI@boxer \
    --to=maciej.fijalkowski@intel.com \
    --cc=bpf@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.