From: sashiko-bot@kernel.org
To: "Maciej Fijalkowski" <maciej.fijalkowski@intel.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v3 net 3/6] xsk: provide sufficient space in pool->tx_descs
Date: Wed, 15 Jul 2026 14:08:44 +0000 [thread overview]
Message-ID: <20260715140844.873211F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260714140722.111645-4-maciej.fijalkowski@intel.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Heap buffer overflow in AF_XDP TX batch processing due to undersized `pool->tx_descs` in shared UMEM configurations.
--
--- Patch [3]: [PATCH v3 net 3/6] xsk: provide sufficient space in pool->tx_descs ---
commit 6f635cabf694299ed3f7be4ce0e5f328e6bd90e0
Author: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
xsk: provide sufficient space in pool->tx_descs
The temporary Tx descriptor array in an XSK buffer pool is currently
sized from the Tx ring of the socket that creates the pool.
[ ... ]
> Size the temporary descriptor array to the larger of the first Tx ring
> and the device's xdp_zc_max_segs capability. This keeps the array large
> enough to inspect one maximum-sized valid packet. Larger shared Tx rings
> do not require further resizing, as they can be processed over multiple
> batches.
[Severity: High]
This is a pre-existing issue, but is the statement that larger shared Tx
rings do not require further resizing accurate?
If a secondary socket shares the UMEM and has a much larger TX ring than
the first socket, pool->tx_descs is not resized, locking its size to
max(first_socket_nentries, dev->xdp_zc_max_segs).
However, the batch reading functions don't seem to bound their reads to
the allocated size of the array. They appear to read up to the driver's
budget (e.g., 64) and the current socket's available elements.
Could this cause a heap buffer overflow when writing into descs?
net/xdp/xsk.c:xsk_tx_peek_release_fallback() {
...
while (nb_pkts < max_entries && xsk_tx_peek_desc(pool, &descs[nb_pkts]))
nb_pkts++;
...
}
net/xdp/xsk_queue.h:xskq_cons_read_desc_batch() {
...
while (cached_cons != q->cached_prod && nb_entries < max) {
...
descs[nb_entries] = ring->desc[idx];
cached_cons++;
...
}
If a user binds a minimal first socket (e.g. 2 entries) and a large shared
second socket, the softirq batch process could write past the end of the
array. Since ring->desc is memory-mapped to userspace, could an attacker
control the overwritten heap memory?
> diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
> index 43791647cf182..385a3f4a1b320 100644
> --- a/net/xdp/xsk.c
> +++ b/net/xdp/xsk.c
> @@ -1557,7 +1558,8 @@ static int xsk_bind(struct socket *sock, struct sockaddr_unsized *addr, int addr
> * utilizes
> */
> if (xs->tx && !xs->pool->tx_descs) {
> - err = xp_alloc_tx_descs(xs->pool, xs);
> + err = xp_alloc_tx_descs(xs->pool, xs,
> + dev->xdp_zc_max_segs);
This isn't a bug introduced by this patch, but since tx_descs is not
reallocated if it already exists, the array size is permanently frozen
to the first socket's size.
Should the array be resized to accommodate the largest shared ring, or
should the batch readers be updated to cap their reads to the array's
actual size?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260714140722.111645-1-maciej.fijalkowski@intel.com?part=3
next prev parent reply other threads:[~2026-07-15 14:08 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-14 14:07 [PATCH v3 net 0/6] xsk: fix AF_XDP multi-buffer Tx descriptor reclaim Maciej Fijalkowski
2026-07-14 14:07 ` [PATCH v3 net 1/6] xsk: fix buffer leak in xsk_drop_skb() for AF_XDP multi-buffer Tx Maciej Fijalkowski
2026-07-14 14:07 ` [PATCH v3 net 2/6] xsk: drain continuation descs after overflow in xsk_build_skb() Maciej Fijalkowski
2026-07-14 14:07 ` [PATCH v3 net 3/6] xsk: provide sufficient space in pool->tx_descs Maciej Fijalkowski
2026-07-15 14:08 ` sashiko-bot [this message]
2026-07-15 18:59 ` Maciej Fijalkowski
2026-07-14 14:07 ` [PATCH v3 net 4/6] xsk: reclaim invalid multi-buffer Tx descs in ZC path Maciej Fijalkowski
2026-07-15 14:08 ` sashiko-bot
2026-07-15 19:03 ` Maciej Fijalkowski
2026-07-14 14:07 ` [PATCH v3 net 5/6] selftests/xsk: fix too-many-frags multi-buffer Tx test Maciej Fijalkowski
2026-07-15 14:08 ` sashiko-bot
2026-07-14 14:07 ` [PATCH v3 net 6/6] selftests/xsk: account invalid multi-buffer Tx descriptors Maciej Fijalkowski
2026-07-15 19:06 ` [PATCH v3 net 0/6] xsk: fix AF_XDP multi-buffer Tx descriptor reclaim Maciej Fijalkowski
2026-07-15 19:47 ` Jason Xing
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260715140844.873211F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=maciej.fijalkowski@intel.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox