From: sashiko-bot@kernel.org
To: "Jason Xing" <kerneljasonxing@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH net v2 2/8] xsk: handle NULL dereference of the skb without frags issue
Date: Tue, 21 Apr 2026 09:40:22 +0000 [thread overview]
Message-ID: <20260421094023.69C89C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260420082805.14844-3-kerneljasonxing@gmail.com>
Sashiko AI review found 1 potential issue(s):
- [High] Memory leak of newly allocated skb in `xsk_build_skb_zerocopy()` on error paths for the first descriptor.
--
commit c0083470d60454acdbd801635be8f00a9b79a9eb
Author: Jason Xing <kerneljasonxing@gmail.com>
xsk: handle NULL dereference of the skb without frags issue
This commit addresses a NULL pointer dereference in the error handling
path of xsk_build_skb by explicitly checking if xs->skb is NULL. For the
first-descriptor case, it cancels the CQ slot and tracks the invalid
descriptor instead of dropping the skb.
> In this series, the skb is already freed by kfree_skb() inside
> xsk_build_skb_zerocopy for the first-descriptor case, so we only need
> to do the bookkeeping: cancel the one reserved CQ slot and account for
> the single invalid descriptor.
Is this description accurate regarding the skb being freed?
Looking at xsk_build_skb(), if xsk_build_skb_zerocopy() encounters an
error and returns an error pointer, the local skb variable is set to
NULL before jumping to the free_err label:
skb = xsk_build_skb_zerocopy(xs, desc);
if (IS_ERR(skb)) {
err = PTR_ERR(skb);
skb = NULL;
goto free_err;
}
Since skb is NULL, the cleanup code at free_err is bypassed:
free_err:
if (skb && !skb_shinfo(skb)->nr_frags)
kfree_skb(skb);
Does this code leak the newly allocated skb and its sk_wmem_alloc charge
when xsk_build_skb_zerocopy() fails on the first descriptor?
I see this is addressed later in the series by commit aef1b3344bd95
("xsk: avoid skb leak in XDP_TX_METADATA case") and commit 93315725e1616
("xsk: free the skb when hitting the upper bound MAX_SKB_FRAGS"), but
the commit message here appears to incorrectly assume the free is already
happening.
> diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
> index 887abed254668..54d4895fc11eb 100644
> --- a/net/xdp/xsk.c
> +++ b/net/xdp/xsk.c
[ ... ]
> @@ -973,9 +973,14 @@ static struct sk_buff *xsk_build_skb(struct xdp_sock *xs,
> kfree_skb(skb);
>
> if (err == -EOVERFLOW) {
> - /* Drop the packet */
> - xsk_inc_num_desc(xs->skb);
> - xsk_drop_skb(xs->skb);
> + if (xs->skb) {
> + /* Drop the packet */
> + xsk_inc_num_desc(xs->skb);
> + xsk_drop_skb(xs->skb);
> + } else {
> + xsk_cq_cancel_locked(xs->pool, 1);
> + xs->tx->invalid_descs++;
> + }
Because the skb wasn't freed as the commit message assumed, can a
malicious application exploit this missing kfree_skb by repeatedly
supplying abnormally large descriptors to exhaust socket buffer memory?
> xskq_cons_release(xs->tx);
> } else {
> /* Let application retry */
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260420082805.14844-1-kerneljasonxing@gmail.com?part=2
next prev parent reply other threads:[~2026-04-21 9:40 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-20 8:27 [PATCH net v2 0/8] xsk: fix bugs around xsk skb allocation Jason Xing
2026-04-20 8:27 ` [PATCH net v2 1/8] xsk: reject sw-csum UMEM binding to IFF_TX_SKB_NO_LINEAR devices Jason Xing
2026-04-20 19:34 ` Stanislav Fomichev
2026-04-20 23:51 ` Jason Xing
2026-04-21 22:20 ` Stanislav Fomichev
2026-04-21 9:40 ` sashiko-bot
2026-04-21 12:39 ` Jason Xing
2026-04-20 8:27 ` [PATCH net v2 2/8] xsk: handle NULL dereference of the skb without frags issue Jason Xing
2026-04-20 19:34 ` Stanislav Fomichev
2026-04-21 9:40 ` sashiko-bot [this message]
2026-04-21 12:46 ` Jason Xing
2026-04-20 8:28 ` [PATCH net v2 3/8] xsk: fix use-after-free of xs->skb in xsk_build_skb() free_err path Jason Xing
2026-04-20 19:34 ` Stanislav Fomichev
2026-04-21 0:01 ` Jason Xing
2026-04-21 9:40 ` sashiko-bot
2026-04-21 12:51 ` Jason Xing
2026-04-20 8:28 ` [PATCH net v2 4/8] xsk: prevent CQ desync when freeing half-built skbs in xsk_build_skb() Jason Xing
2026-04-20 19:34 ` Stanislav Fomichev
2026-04-21 0:51 ` Jason Xing
2026-04-20 8:28 ` [PATCH net v2 5/8] xsk: avoid skb leak in XDP_TX_METADATA case Jason Xing
2026-04-21 9:40 ` sashiko-bot
2026-04-21 12:58 ` Jason Xing
2026-04-20 8:28 ` [PATCH net v2 6/8] xsk: free the skb when hitting the upper bound MAX_SKB_FRAGS Jason Xing
2026-04-20 8:28 ` [PATCH net v2 7/8] xsk: fix xsk_addrs slab leak on multi-buffer error path Jason Xing
2026-04-20 19:58 ` Stanislav Fomichev
2026-04-20 8:28 ` [PATCH net v2 8/8] xsk: fix u64 descriptor address truncation on 32-bit architectures Jason Xing
2026-04-20 19:49 ` Stanislav Fomichev
2026-04-21 0:49 ` Jason Xing
2026-04-21 22:23 ` Stanislav Fomichev
2026-04-22 2:54 ` Jason Xing
2026-04-21 9:40 ` sashiko-bot
2026-04-21 13:01 ` Jason Xing
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260421094023.69C89C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=kerneljasonxing@gmail.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox