lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID:
 <PAXPR04MB851042D1E3A2C8F9340611C9889BA@PAXPR04MB8510.eurprd04.prod.outlook.com>
Date: Tue, 3 Feb 2026 02:04:06 +0000
From: Wei Fang <wei.fang@....com>
To: Simon Horman <horms@...nel.org>
CC: "john.fastabend@...il.com" <john.fastabend@...il.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"sdf@...ichev.me" <sdf@...ichev.me>, "netdev@...r.kernel.org"
	<netdev@...r.kernel.org>, Clark Wang <xiaoning.wang@....com>,
	"pabeni@...hat.com" <pabeni@...hat.com>, "andrew+netdev@...n.ch"
	<andrew+netdev@...n.ch>, "bpf@...r.kernel.org" <bpf@...r.kernel.org>,
	"imx@...ts.linux.dev" <imx@...ts.linux.dev>, "ast@...nel.org"
	<ast@...nel.org>, Frank Li <frank.li@....com>, Shenwei Wang
	<shenwei.wang@....com>, "edumazet@...gle.com" <edumazet@...gle.com>,
	"kuba@...nel.org" <kuba@...nel.org>, "hawk@...nel.org" <hawk@...nel.org>,
	"davem@...emloft.net" <davem@...emloft.net>, "daniel@...earbox.net"
	<daniel@...earbox.net>
Subject: RE: [v5,net-next,06/15] net: fec: add fec_enet_rx_queue_xdp() for XDP
 path

> > +static int fec_enet_rx_queue_xdp(struct fec_enet_private *fep, int queue,
> > +				 int budget, struct bpf_prog *prog)
> > +{
> 
> [ ... ]
> 
> > +		switch (act) {
> > +		case XDP_PASS:
> > +			rxq->stats[RX_XDP_PASS]++;
> > +			/* The packet length includes FCS, but we don't want to
> > +			 * include that when passing upstream as it messes up
> > +			 * bridging applications.
> > +			 */
> > +			skb = fec_build_skb(fep, rxq, bdp, page, pkt_len);
> > +			if (!skb) {
> > +				fec_xdp_drop(rxq, &xdp, sync);
> > +				trace_xdp_exception(ndev, prog, XDP_PASS);
> > +			} else {
> > +				napi_gro_receive(&fep->napi, skb);
> > +			}
> > +			break;
> 
> When fec_build_skb() fails, it already returns the page to the page pool
> via page_pool_recycle_direct():
> 
>     static struct sk_buff *fec_build_skb(...)
>     {
>         skb = build_skb(page_address(page), ...);
>         if (unlikely(!skb)) {
>             page_pool_recycle_direct(rxq->page_pool, page);
>             ...
>             return NULL;
>         }
>         ...
>     }
> 
> Calling fec_xdp_drop() after fec_build_skb() returns NULL will return
> the same page to the pool a second time. Can this cause page pool
> corruption under memory pressure when build_skb() fails?
> 

Thanks for pointing this potential issue, I will fix it.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ