BPF List
 help / color / mirror / Atom feed
From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
To: <sashiko-reviews@lists.linux.dev>
Cc: <bpf@vger.kernel.org>
Subject: Re: [PATCH v3 net 3/6] xsk: provide sufficient space in pool->tx_descs
Date: Wed, 15 Jul 2026 20:59:03 +0200	[thread overview]
Message-ID: <alfYdzVgqUQEz/lI@boxer> (raw)
In-Reply-To: <20260715140844.873211F000E9@smtp.kernel.org>

On Wed, Jul 15, 2026 at 02:08:44PM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> 
> Pre-existing issues:
> - [High] Heap buffer overflow in AF_XDP TX batch processing due to undersized `pool->tx_descs` in shared UMEM configurations.
> --
> 
> --- Patch [3]: [PATCH v3 net 3/6] xsk: provide sufficient space in pool->tx_descs ---
> commit 6f635cabf694299ed3f7be4ce0e5f328e6bd90e0
> Author: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
> 
> xsk: provide sufficient space in pool->tx_descs
> 
> The temporary Tx descriptor array in an XSK buffer pool is currently
> sized from the Tx ring of the socket that creates the pool.
> 
> [ ... ]
> 
> > Size the temporary descriptor array to the larger of the first Tx ring
> > and the device's xdp_zc_max_segs capability. This keeps the array large
> > enough to inspect one maximum-sized valid packet. Larger shared Tx rings
> > do not require further resizing, as they can be processed over multiple
> > batches.
> 
> [Severity: High]
> This is a pre-existing issue, but is the statement that larger shared Tx
> rings do not require further resizing accurate?
> 
> If a secondary socket shares the UMEM and has a much larger TX ring than
> the first socket, pool->tx_descs is not resized, locking its size to
> max(first_socket_nentries, dev->xdp_zc_max_segs).
> 
> However, the batch reading functions don't seem to bound their reads to
> the allocated size of the array. They appear to read up to the driver's
> budget (e.g., 64) and the current socket's available elements. 
> 
> Could this cause a heap buffer overflow when writing into descs?

This is clamped on later patch:

+	nb_pkts = min(nb_pkts, pool->tx_descs_nentries);
+	if (!nb_pkts)
+		goto out;
+
+	umem_shared = !list_is_singular(&pool->xsk_tx_list);
+
+	if (umem_shared && !(pool->umem->flags & XDP_UMEM_SG_FLAG)) {
+		rcu_read_unlock();
+		return xsk_tx_peek_release_fallback(pool, nb_pkts);
+	}

> 
> net/xdp/xsk.c:xsk_tx_peek_release_fallback() {
>     ...
> 	while (nb_pkts < max_entries && xsk_tx_peek_desc(pool, &descs[nb_pkts]))
> 		nb_pkts++;
>     ...
> }
> 
> net/xdp/xsk_queue.h:xskq_cons_read_desc_batch() {
>     ...
> 	while (cached_cons != q->cached_prod && nb_entries < max) {
> 		...
> 		descs[nb_entries] = ring->desc[idx];
> 		cached_cons++;
>     ...
> }
> 
> If a user binds a minimal first socket (e.g. 2 entries) and a large shared
> second socket, the softirq batch process could write past the end of the
> array. Since ring->desc is memory-mapped to userspace, could an attacker
> control the overwritten heap memory?
> 
> > diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
> > index 43791647cf182..385a3f4a1b320 100644
> > --- a/net/xdp/xsk.c
> > +++ b/net/xdp/xsk.c
> > @@ -1557,7 +1558,8 @@ static int xsk_bind(struct socket *sock, struct sockaddr_unsized *addr, int addr
> >  			 * utilizes
> >  			 */
> >  			if (xs->tx && !xs->pool->tx_descs) {
> > -				err = xp_alloc_tx_descs(xs->pool, xs);
> > +				err = xp_alloc_tx_descs(xs->pool, xs,
> > +							dev->xdp_zc_max_segs);
> 
> This isn't a bug introduced by this patch, but since tx_descs is not
> reallocated if it already exists, the array size is permanently frozen
> to the first socket's size.
> 
> Should the array be resized to accommodate the largest shared ring, or
> should the batch readers be updated to cap their reads to the array's
> actual size?
> 
> -- 
> Sashiko AI review · https://sashiko.dev/#/patchset/20260714140722.111645-1-maciej.fijalkowski@intel.com?part=3

  reply	other threads:[~2026-07-15 18:59 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-14 14:07 [PATCH v3 net 0/6] xsk: fix AF_XDP multi-buffer Tx descriptor reclaim Maciej Fijalkowski
2026-07-14 14:07 ` [PATCH v3 net 1/6] xsk: fix buffer leak in xsk_drop_skb() for AF_XDP multi-buffer Tx Maciej Fijalkowski
2026-07-14 14:07 ` [PATCH v3 net 2/6] xsk: drain continuation descs after overflow in xsk_build_skb() Maciej Fijalkowski
2026-07-14 14:07 ` [PATCH v3 net 3/6] xsk: provide sufficient space in pool->tx_descs Maciej Fijalkowski
2026-07-15 14:08   ` sashiko-bot
2026-07-15 18:59     ` Maciej Fijalkowski [this message]
2026-07-14 14:07 ` [PATCH v3 net 4/6] xsk: reclaim invalid multi-buffer Tx descs in ZC path Maciej Fijalkowski
2026-07-15 14:08   ` sashiko-bot
2026-07-15 19:03     ` Maciej Fijalkowski
2026-07-14 14:07 ` [PATCH v3 net 5/6] selftests/xsk: fix too-many-frags multi-buffer Tx test Maciej Fijalkowski
2026-07-15 14:08   ` sashiko-bot
2026-07-14 14:07 ` [PATCH v3 net 6/6] selftests/xsk: account invalid multi-buffer Tx descriptors Maciej Fijalkowski
2026-07-15 19:06 ` [PATCH v3 net 0/6] xsk: fix AF_XDP multi-buffer Tx descriptor reclaim Maciej Fijalkowski
2026-07-15 19:47   ` Jason Xing

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alfYdzVgqUQEz/lI@boxer \
    --to=maciej.fijalkowski@intel.com \
    --cc=bpf@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox