From: sashiko-bot@kernel.org
To: "Jason Xing" <kerneljasonxing@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH net v2 5/8] xsk: avoid skb leak in XDP_TX_METADATA case
Date: Tue, 21 Apr 2026 09:40:24 +0000 [thread overview]
Message-ID: <20260421094025.684A0C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260420082805.14844-6-kerneljasonxing@gmail.com>
Sashiko AI review found 2 potential issue(s):
- [Critical] Time-of-Check to Time-of-Use (TOCTOU) vulnerability in `xsk_skb_metadata` allows unprivileged users to bypass bounds checks and cause out-of-bounds memory accesses.
- [High] Software checksumming calculation fails completely because `skb_checksum_help()` is invoked on an incomplete and non-linear SKB.
--
commit aef1b3344bd952f39b1181e046ab7d9ce77fbc8a
Author: Jason Xing <kerneljasonxing@gmail.com>
xsk: avoid skb leak in XDP_TX_METADATA case
This commit explicitly adds a call to kfree_skb() (via
xsk_drop_untrans_skb) when xsk_skb_metadata() returns an error, preventing
an skb leak if metadata processing fails.
Link: https://lore.kernel.org/all/20260415085204.3F87AC19424@smtp.kernel.org/
> diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
> index 55b448abb8178..fd5432fb807e1 100644
> --- a/net/xdp/xsk.c
> +++ b/net/xdp/xsk.c
> @@ -829,8 +829,10 @@ static struct sk_buff *xsk_build_skb_zerocopy(struct xdp_sock *xs,
> xsk_skb_init_misc(skb, xs, desc->addr);
> if (desc->options & XDP_TX_METADATA) {
> err = xsk_skb_metadata(skb, buffer, desc, pool, hr);
While looking at this metadata handling, I noticed a couple of pre-existing
regressions.
Will skb_checksum_help() always fail when called here?
xsk_skb_metadata() is called right after allocating the SKB but before any
payload fragments are appended via skb_fill_page_desc() further down in
xsk_build_skb_zerocopy(). This means skb->len and skb_headlen(skb) are 0.
If software checksumming is enabled, xsk_skb_metadata() calls
skb_checksum_help(skb). Since skb_headlen(skb) is 0, won't the check
offset >= skb_headlen(skb) in skb_checksum_help() always evaluate to true,
triggering a warning and causing the packet to be dropped?
Also, can a user-space program modify the checksum metadata concurrently?
In xsk_skb_metadata(), the metadata is read directly from the UMEM buffer,
which is shared memory mapped into user-space:
net/xdp/xsk.c:xsk_skb_metadata() {
...
if (meta->flags & XDP_TXMD_FLAGS_CHECKSUM) {
if (unlikely(meta->request.csum_start +
meta->request.csum_offset +
sizeof(__sum16) > desc->len))
return -EINVAL;
skb->csum_start = hr + meta->request.csum_start;
skb->csum_offset = meta->request.csum_offset;
...
}
The bounds check does not use READ_ONCE(). Could a user-space application
modify meta->request.csum_start and meta->request.csum_offset between the
check and the assignment? If so, it might bypass the bounds check and specify
arbitrarily large offsets, causing out-of-bounds writes when the hardware
inserts the checksum.
> - if (unlikely(err))
> + if (unlikely(err)) {
> + xsk_drop_untrans_skb(skb);
> return ERR_PTR(err);
> + }
> }
> } else {
> struct xsk_addrs *xsk_addr;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260420082805.14844-1-kerneljasonxing@gmail.com?part=5
next prev parent reply other threads:[~2026-04-21 9:40 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-20 8:27 [PATCH net v2 0/8] xsk: fix bugs around xsk skb allocation Jason Xing
2026-04-20 8:27 ` [PATCH net v2 1/8] xsk: reject sw-csum UMEM binding to IFF_TX_SKB_NO_LINEAR devices Jason Xing
2026-04-20 19:34 ` Stanislav Fomichev
2026-04-20 23:51 ` Jason Xing
2026-04-21 22:20 ` Stanislav Fomichev
2026-04-21 9:40 ` sashiko-bot
2026-04-21 12:39 ` Jason Xing
2026-04-20 8:27 ` [PATCH net v2 2/8] xsk: handle NULL dereference of the skb without frags issue Jason Xing
2026-04-20 19:34 ` Stanislav Fomichev
2026-04-21 9:40 ` sashiko-bot
2026-04-21 12:46 ` Jason Xing
2026-04-20 8:28 ` [PATCH net v2 3/8] xsk: fix use-after-free of xs->skb in xsk_build_skb() free_err path Jason Xing
2026-04-20 19:34 ` Stanislav Fomichev
2026-04-21 0:01 ` Jason Xing
2026-04-21 9:40 ` sashiko-bot
2026-04-21 12:51 ` Jason Xing
2026-04-20 8:28 ` [PATCH net v2 4/8] xsk: prevent CQ desync when freeing half-built skbs in xsk_build_skb() Jason Xing
2026-04-20 19:34 ` Stanislav Fomichev
2026-04-21 0:51 ` Jason Xing
2026-04-20 8:28 ` [PATCH net v2 5/8] xsk: avoid skb leak in XDP_TX_METADATA case Jason Xing
2026-04-21 9:40 ` sashiko-bot [this message]
2026-04-21 12:58 ` Jason Xing
2026-04-20 8:28 ` [PATCH net v2 6/8] xsk: free the skb when hitting the upper bound MAX_SKB_FRAGS Jason Xing
2026-04-20 8:28 ` [PATCH net v2 7/8] xsk: fix xsk_addrs slab leak on multi-buffer error path Jason Xing
2026-04-20 19:58 ` Stanislav Fomichev
2026-04-20 8:28 ` [PATCH net v2 8/8] xsk: fix u64 descriptor address truncation on 32-bit architectures Jason Xing
2026-04-20 19:49 ` Stanislav Fomichev
2026-04-21 0:49 ` Jason Xing
2026-04-21 22:23 ` Stanislav Fomichev
2026-04-22 2:54 ` Jason Xing
2026-04-21 9:40 ` sashiko-bot
2026-04-21 13:01 ` Jason Xing
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260421094025.684A0C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=kerneljasonxing@gmail.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox