From: sashiko-bot@kernel.org
To: "Jason Xing" <kerneljasonxing@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH RFC net-next v4 03/14] xsk: add xsk_alloc_batch_skb() to build skbs in batch
Date: Wed, 15 Apr 2026 09:17:43 +0000 [thread overview]
Message-ID: <20260415091743.97FA1C19424@smtp.kernel.org> (raw)
In-Reply-To: <20260415082654.21026-4-kerneljasonxing@gmail.com>
Sashiko AI review found 2 potential issue(s):
- [High] Pre-allocated SKB and socket memory charge (`sk_wmem_alloc`) are permanently leaked when zerocopy metadata processing fails.
- [High] Double-free and Use-After-Free of `xs->skb` when fragment allocation fails with `-EAGAIN` in copy mode.
--
commit 3ef2c03b6204759327ab337fe34617d9dd8e04ef
Author: Jason Xing <kernelxing@tencent.com>
xsk: add xsk_alloc_batch_skb() to build skbs in batch
This commit introduces xsk_alloc_batch_skb() to support allocating and
building skbs in batch. It reserves skbs, batches the sk_wmem_alloc charge,
and then copies data to complete initialization.
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
[ ... ]
> + /* Phase 3: Build SKBs with packet data */
> + for (j = 0; j < alloc_descs; j++) {
> + if (!xs->skb) {
> + skb = skbs[skb_count - 1 - k];
> + k++;
> + }
> +
> + skb = xsk_build_skb(xs, skb, &descs[j]);
> + if (IS_ERR(skb)) {
> + *err = PTR_ERR(skb);
> + break;
> + }
Can this lead to a double-free and use-after-free of xs->skb if a fragment
allocation fails?
If xsk_build_skb() fails to allocate a page for a subsequent fragment in copy
mode, it frees the partially built skb and returns -EAGAIN. However, it
leaves xs->skb pointing to this freed memory.
When this loop breaks and returns -EAGAIN up the call chain, the caller
__xsk_generic_xmit_batch() checks xs->skb and calls xsk_drop_skb(xs->skb),
which would double-free the skb. Furthermore, any subsequent transmissions
could dereference the dangling pointer. Should xs->skb be explicitly cleared
when handling this error?
> +
> + if (xp_mb_desc(&descs[j])) {
> + xs->skb = skb;
> + continue;
> + }
> +
> + xs->skb = NULL;
> + __skb_queue_tail(&batch->send_queue, skb);
> + }
> +
> + /* Phase 4: Reclaim unused allocated SKBs */
> + while (k < i)
> + kfree_skb(skbs[skb_count - 1 - k++]);
Does this permanently leak the pre-allocated skb and its socket memory charge
if xsk_build_skb() fails?
When xsk_build_skb() encounters an error like a zerocopy metadata processing
failure, it returns an ERR_PTR() without freeing the skb. Because k was
already incremented before the xsk_build_skb() call, the Phase 4 loop starts
reclaiming at the next skb.
The failed skb at index k - 1 is bypassed. Since it is never freed,
sock_wfree is skipped, leaking both the skb and the batched sk_wmem_alloc
charge.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260415082654.21026-1-kerneljasonxing@gmail.com?part=3
next prev parent reply other threads:[~2026-04-15 9:17 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-15 8:26 [PATCH RFC net-next v4 00/14] xsk: batch xmit in copy mode Jason Xing
2026-04-15 8:26 ` [PATCH RFC net-next v4 01/14] xsk: introduce XDP_GENERIC_XMIT_BATCH setsockopt Jason Xing
2026-04-15 8:51 ` sashiko-bot
2026-04-15 12:46 ` Jason Xing
2026-04-15 8:26 ` [PATCH RFC net-next v4 02/14] xsk: extend xsk_build_skb() to support passing an already allocated skb Jason Xing
2026-04-15 8:52 ` sashiko-bot
2026-04-15 13:19 ` Jason Xing
2026-04-15 8:26 ` [PATCH RFC net-next v4 03/14] xsk: add xsk_alloc_batch_skb() to build skbs in batch Jason Xing
2026-04-15 9:17 ` sashiko-bot [this message]
2026-04-16 1:18 ` Jason Xing
2026-04-15 8:26 ` [PATCH RFC net-next v4 04/14] xsk: cache data buffers to avoid frequently calling kmalloc_reserve Jason Xing
2026-04-15 9:38 ` sashiko-bot
2026-04-16 2:45 ` Jason Xing
2026-04-16 12:18 ` Jason Xing
2026-04-15 8:26 ` [PATCH RFC net-next v4 05/14] xsk: add direct xmit in batch function Jason Xing
2026-04-15 9:11 ` sashiko-bot
2026-04-16 3:04 ` Jason Xing
2026-04-15 8:26 ` [PATCH RFC net-next v4 06/14] xsk: support dynamic xmit.more control for batch xmit Jason Xing
2026-04-15 9:35 ` sashiko-bot
2026-04-16 3:43 ` Jason Xing
2026-04-16 4:50 ` Dmitry Torokhov
2026-04-16 4:51 ` Dmitry Torokhov
2026-04-15 8:26 ` [PATCH RFC net-next v4 07/14] xsk: try to skip validating skb list in xmit path Jason Xing
2026-04-15 9:33 ` sashiko-bot
2026-04-16 5:55 ` Jason Xing
2026-04-15 8:26 ` [PATCH RFC net-next v4 08/14] xsk: rename nb_pkts to nb_descs in xsk_tx_peek_release_desc_batch Jason Xing
2026-04-15 8:26 ` [PATCH RFC net-next v4 09/14] xsk: extend xskq_cons_read_desc_batch to count nb_pkts Jason Xing
2026-04-15 8:26 ` [PATCH RFC net-next v4 10/14] xsk: extend xsk_cq_reserve_locked() to reserve n slots Jason Xing
2026-04-15 8:26 ` [PATCH RFC net-next v4 11/14] xsk: support batch xmit main logic Jason Xing
2026-04-15 9:38 ` sashiko-bot
2026-04-16 9:58 ` Jason Xing
2026-04-15 8:26 ` [PATCH RFC net-next v4 12/14] xsk: separate read-mostly and write-heavy fields in xsk_buff_pool Jason Xing
2026-04-15 9:20 ` sashiko-bot
2026-04-16 10:09 ` Jason Xing
2026-04-15 8:26 ` [PATCH RFC net-next v4 13/14] xsk: retire old xmit path in copy mode Jason Xing
2026-04-15 9:18 ` sashiko-bot
2026-04-16 10:33 ` Jason Xing
2026-04-15 8:26 ` [PATCH RFC net-next v4 14/14] xsk: optimize xsk_build_skb for batch copy-mode fast path Jason Xing
2026-04-15 9:47 ` sashiko-bot
2026-04-16 13:12 ` Jason Xing
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260415091743.97FA1C19424@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=kerneljasonxing@gmail.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox