[PATCH bpf v4] xskmap: reject TX-only AF_XDP sockets

[PATCH bpf v4] xskmap: reject TX-only AF_XDP sockets

[Linpu Yu]

XSKMAP entries are used as redirect targets for incoming XDP frames.
A TX-only AF_XDP socket lacks an Rx ring and cannot handle redirected
traffic, but xsk_map_update_elem() currently allows such sockets to
be inserted into the map.

Redirecting packets to such a socket on the veth generic-XDP path
causes a kernel crash in xsk_generic_rcv().

This became possible after xsk_is_setup_for_bpf_map() was removed from
the XSKMAP update path, which allowed bound TX-only sockets to be
inserted into the map.

Reject TX-only sockets during XSKMAP updates to avoid the crash.
They remain fully operational for pure Tx purposes outside XSKMAP.

Fixes: 968be23ceaca ("xsk: Fix possible segfault at xskmap entry insertion")
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yifan Wu <yifanwucs@gmail.com>
Signed-off-by: Linpu Yu <linpu5433@gmail.com>
---
Changes in v4:
- retarget the patch from bpf-next to bpf
- resend after no feedback

 net/xdp/xskmap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/xdp/xskmap.c b/net/xdp/xskmap.c
index afa457506274..3bff346308d0 100644
--- a/net/xdp/xskmap.c
+++ b/net/xdp/xskmap.c
@@ -184,6 +184,10 @@ static long xsk_map_update_elem(struct bpf_map *map, void *key, void *value,
 	}
 
 	xs = (struct xdp_sock *)sock->sk;
+	if (!READ_ONCE(xs->rx)) {
+		sockfd_put(sock);
+		return -ENOBUFS;
+	}
 
 	map_entry = &m->xsk_map[i];
 	node = xsk_map_node_alloc(m, map_entry);
-- 
2.54.0

Re: [PATCH bpf v4] xskmap: reject TX-only AF_XDP sockets

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Low] Returning -ENOBUFS when rejecting a TX-only AF_XDP socket during map insertion is semantically incorrect and deviates from previous behavior.
--

commit cc939da4429db85f32555fd19f4546a51d44ca3d
Author: Linpu Yu <linpu5433@gmail.com>

xskmap: reject TX-only AF_XDP sockets

This commit rejects TX-only AF_XDP sockets during XSKMAP updates to prevent
a kernel crash in xsk_generic_rcv(). It checks if the socket lacks an Rx
ring and returns an error before inserting it into the map.

> diff --git a/net/xdp/xskmap.c b/net/xdp/xskmap.c
> index afa457506274c..3bff346308d0f 100644
> --- a/net/xdp/xskmap.c
> +++ b/net/xdp/xskmap.c
> @@ -184,6 +184,10 @@ static long xsk_map_update_elem(struct bpf_map *map, void *key, void *value,
>  	}
>  
>  	xs = (struct xdp_sock *)sock->sk;
> +	if (!READ_ONCE(xs->rx)) {
> +		sockfd_put(sock);
> +		return -ENOBUFS;

Should this return -EOPNOTSUPP or -EINVAL instead?

Earlier in this same function, -EOPNOTSUPP is returned when the socket
family is not PF_XDP. Returning -ENOBUFS might be semantically misleading
for userspace since the socket intentionally lacks an Rx ring by design,
rather than experiencing a temporary buffer shortage.

> +	}
>  
>  	map_entry = &m->xsk_map[i];
>  	node = xsk_map_node_alloc(m, map_entry);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260508144344.694-1-linpu5433@gmail.com?part=1

Re: [PATCH bpf v4] xskmap: reject TX-only AF_XDP sockets

[Jason Xing]

On Fri, May 8, 2026 at 10:43 PM Linpu Yu <linpu5433@gmail.com> wrote:
>
> XSKMAP entries are used as redirect targets for incoming XDP frames.
> A TX-only AF_XDP socket lacks an Rx ring and cannot handle redirected
> traffic, but xsk_map_update_elem() currently allows such sockets to
> be inserted into the map.
>
> Redirecting packets to such a socket on the veth generic-XDP path
> causes a kernel crash in xsk_generic_rcv().
>
> This became possible after xsk_is_setup_for_bpf_map() was removed from
> the XSKMAP update path, which allowed bound TX-only sockets to be
> inserted into the map.
>
> Reject TX-only sockets during XSKMAP updates to avoid the crash.
> They remain fully operational for pure Tx purposes outside XSKMAP.
>
> Fixes: 968be23ceaca ("xsk: Fix possible segfault at xskmap entry insertion")
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Signed-off-by: Yifan Wu <yifanwucs@gmail.com>
> Signed-off-by: Linpu Yu <linpu5433@gmail.com>

Even though AI suggested using EOPNOTSUPP instead, prior to this
thread, I pointed out ENOBUFS makes more sense because it is identical
to how xsk_recvmsg() detects the failure of the rx ring. If needed, we
can cook a follow-up patch to replace that in __xsk_recvmsg().

It looks good to me:
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>

Thanks,
Jason

> ---
> Changes in v4:
> - retarget the patch from bpf-next to bpf
> - resend after no feedback
>
>  net/xdp/xskmap.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/net/xdp/xskmap.c b/net/xdp/xskmap.c
> index afa457506274..3bff346308d0 100644
> --- a/net/xdp/xskmap.c
> +++ b/net/xdp/xskmap.c
> @@ -184,6 +184,10 @@ static long xsk_map_update_elem(struct bpf_map *map, void *key, void *value,
>         }
>
>         xs = (struct xdp_sock *)sock->sk;
> +       if (!READ_ONCE(xs->rx)) {
> +               sockfd_put(sock);
> +               return -ENOBUFS;
> +       }
>
>         map_entry = &m->xsk_map[i];
>         node = xsk_map_node_alloc(m, map_entry);
> --
> 2.54.0

Re: [PATCH bpf v4] xskmap: reject TX-only AF_XDP sockets

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Fri,  8 May 2026 22:43:43 +0800 you wrote:
> XSKMAP entries are used as redirect targets for incoming XDP frames.
> A TX-only AF_XDP socket lacks an Rx ring and cannot handle redirected
> traffic, but xsk_map_update_elem() currently allows such sockets to
> be inserted into the map.
> 
> Redirecting packets to such a socket on the veth generic-XDP path
> causes a kernel crash in xsk_generic_rcv().
> 
> [...]

Here is the summary with links:
  - [bpf,v4] xskmap: reject TX-only AF_XDP sockets
    https://git.kernel.org/bpf/bpf/c/bf6d507f7e3c

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html