Google Git
Sign in
cos / third_party / kernel / 97e2b5284efaa0c1d58fe37dd438d4f1e64a835f
commit97e2b5284efaa0c1d58fe37dd438d4f1e64a835f[log] [tgz]
authorAmery Hung <ameryhung@gmail.com>Thu Oct 16 22:55:40 2025 +0300
committerDaniel Velasquez <rdvelasquez@google.com>Sun Jan 11 23:23:26 2026 -0800
tree553d2f6e729d9ddf568d0a96993a797263d7db7c
parent6f76ce25f1052510cf94c343f42a194dc7699d10 [diff]
net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ

[ Upstream commit 87bcef158ac1faca1bd7e0104588e8e2956d10be ]

XDP programs can change the layout of an xdp_buff through
bpf_xdp_adjust_tail() and bpf_xdp_adjust_head(). Therefore, the driver
cannot assume the size of the linear data area nor fragments. Fix the
bug in mlx5 by generating skb according to xdp_buff after XDP programs
run.

Currently, when handling multi-buf XDP, the mlx5 driver assumes the
layout of an xdp_buff to be unchanged. That is, the linear data area
continues to be empty and fragments remain the same. This may cause
the driver to generate erroneous skb or triggering a kernel
warning. When an XDP program added linear data through
bpf_xdp_adjust_head(), the linear data will be ignored as
mlx5e_build_linear_skb() builds an skb without linear data and then
pull data from fragments to fill the linear data area. When an XDP
program has shrunk the non-linear data through bpf_xdp_adjust_tail(),
the delta passed to __pskb_pull_tail() may exceed the actual nonlinear
data size and trigger the BUG_ON in it.

To fix the issue, first record the original number of fragments. If the
number of fragments changes after the XDP program runs, rewind the end
fragment pointer by the difference and recalculate the truesize. Then,
build the skb with the linear data area matching the xdp_buff. Finally,
only pull data in if there is non-linear data and fill the linear part
up to 256 bytes.

BUG=b/469704838
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2025-40350 in the Linux kernel.

cos-patch: security-moderate
Fixes: f52ac7028bec ("net/mlx5e: RX, Add XDP multi-buffer support in Striding RQ")
Link: https://patch.msgid.link/1760644540-899148-3-git-send-email-tariqt@nvidia.com
Change-Id: I2bf209a82db8d1ef31ef4158f8d28c7cc74d56c4
Signed-off-by: Amery Hung <ameryhung@gmail.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/124488
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Angel Adetula <angeladetula@google.com>
1 file changed
tree: 553d2f6e729d9ddf568d0a96993a797263d7db7c
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. google/
  9. include/
  10. init/
  11. io_uring/
  12. ipc/
  13. kernel/
  14. lib/
  15. LICENSES/
  16. mm/
  17. net/
  18. rust/
  19. samples/
  20. scripts/
  21. security/
  22. sound/
  23. tools/
  24. usr/
  25. virt/
  26. .clang-format
  27. .cocciconfig
  28. .get_maintainer.ignore
  29. .gitattributes
  30. .gitignore
  31. .mailmap
  32. .rustfmt.toml
  33. COPYING
  34. CREDITS
  35. Kbuild
  36. Kconfig
  37. MAINTAINERS
  38. Makefile
  39. PRESUBMIT.cfg
  40. README