Message-Id: <e15de586e958d118e15c59026406ca4df756ccd9075fdcedd458639685b661a9@mail.kernel.org>
Date: Sun,  4 Jan 2026 03:39:45 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: kerneljasonxing@...il.com,davem@...emloft.net,edumazet@...gle.com,kuba@...nel.org,pabeni@...hat.com,bjorn@...nel.org,magnus.karlsson@...el.com,maciej.fijalkowski@...el.com,jonathan.lemon@...il.com,sdf@...ichev.me,ast@...nel.org,daniel@...earbox.net,hawk@...nel.org,john.fastabend@...il.com
Cc: bpf@...r.kernel.org,netdev@...r.kernel.org,kernelxing@...cent.com,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCH bpf-next v3 2/2] xsk: introduce a dedicated local completion queue for each xsk

> diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
> index f41e0b480aa4..0a724cf20fcb 100644
> --- a/net/xdp/xsk.c
> +++ b/net/xdp/xsk.c

[ ... ]

> +static void xsk_cq_write_addr(struct sk_buff *skb, u32 desc_processed)
> +{
> +	struct xsk_buff_pool *pool = xdp_sk(skb->sk)->pool;
> +	u32 idx, addr, pos = xsk_get_start_addr(skb);
             ^^^^

Should addr be u64 here? The lcq->desc[] array stores u64 values
(descriptor addresses), and xskq_prod_write_addr() expects a u64 parameter.
Declaring addr as u32 truncates the upper 32 bits when reading from
lcq->desc[].

For reference, struct local_cq in include/net/xdp_sock.h declares:

    u64 desc[] ____cacheline_aligned_in_smp;

And xskq_prod_write_addr() in net/xdp/xsk_queue.h has signature:

    static inline void xskq_prod_write_addr(struct xsk_queue *q, u32 idx, u64 addr)

If a umem is large enough that descriptor offsets exceed 4GB, this would
silently write incorrect addresses to the completion queue, causing user
space to receive corrupted descriptor addresses.

> +	struct xdp_sock *xs = xdp_sk(skb->sk);
> +
> +	idx = xskq_get_prod(pool->cq) + desc_processed;
> +	addr = xs->lcq->desc[(pos + desc_processed) & xs->lcq->ring_mask];
> +	xskq_prod_write_addr(pool->cq, idx, addr);
> +}
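
Review bot: In xsk_cq_write_addr(), xdp_sk(skb->sk) is evaluated twice, once in the initialiser for pool and again for xs. Declaring xs first and taking pool from xs->pool would remove the duplicate lookup. The function also writes at xskq_get_prod(pool->cq) + desc_processed with no space check in these lines, so a short comment above it stating what the caller must have guaranteed about the cq before calling would make that precondition explicit.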


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20686964750
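
Added example, not part of the original message or the kernel source: a user-space C model of the truncation the review describes, with the 32-bit local beside a 64-bit one. The model_* types, the ring size and the sample address are constructed assumptions; only the u32/u64 widths and the index arithmetic follow the quoted hunk.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define RING_SIZE 8u                    /* power of two, so a mask can wrap */
#define RING_MASK (RING_SIZE - 1u)
/* Hypothetical user-space stand-ins, not the kernel structures. */
struct model_lcq { uint32_t ring_mask; uint64_t desc[RING_SIZE]; };
struct model_cq  { uint32_t prod;      uint64_t ring[RING_SIZE]; };

/* Same parameter widths as xskq_prod_write_addr(): u32 idx, u64 addr. */
static void model_prod_write_addr(struct model_cq *q, uint32_t idx, uint64_t addr)
{
	q->ring[idx & RING_MASK] = addr;
}

/* Local 'addr' is 32 bits wide, as in the quoted hunk (cast is implicit there). */
static void write_addr_u32(struct model_cq *cq, const struct model_lcq *lcq,
			   uint32_t pos, uint32_t done)
{
	uint32_t addr = (uint32_t)lcq->desc[(pos + done) & lcq->ring_mask];
	model_prod_write_addr(cq, cq->prod + done, addr);
}

/* Local 'addr' is 64 bits wide, matching desc[] and the callee. */
static void write_addr_u64(struct model_cq *cq, const struct model_lcq *lcq,
			   uint32_t pos, uint32_t done)
{
	uint64_t addr = lcq->desc[(pos + done) & lcq->ring_mask];
	model_prod_write_addr(cq, cq->prod + done, addr);
}

/* Queue one address, complete it, return what lands in the completion ring. */
static uint64_t completed_addr(uint64_t queued, int use_u64)
{
	struct model_lcq lcq = { .ring_mask = RING_MASK };
	struct model_cq cq = { .prod = 6 };
	uint32_t pos = 5, done = 4;     /* constructed: both indices wrap */
	lcq.desc[(pos + done) & RING_MASK] = queued;
	(use_u64 ? write_addr_u64 : write_addr_u32)(&cq, &lcq, pos, done);
	return cq.ring[(cq.prod + done) & RING_MASK];
}

int main(void)
{
	printf("u32: %#" PRIx64 "\n", completed_addr(0x100001000ull, 0));
	printf("u64: %#" PRIx64 "\n", completed_addr(0x100001000ull, 1));
	return 0;
}
```

With the 32-bit local, the constructed address 4 GiB + 4 KiB completes as 0x1000, which is also a valid offset in a umem that large, so the completion entry alone does not reveal the corruption.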
