On 2/3/26 2:53 AM, Larysa Zaremba wrote:
The issue can be fixed in all in-tree drivers, but we cannot just trust OOT
drivers to not do this. Therefore, make tailroom a signed int and produce a
warning when it is negative to prevent such mistakes in the future.

Fixes: bf25146a5595 ("bpf: add frags support to the bpf_xdp_adjust_tail() API")
Reviewed-by: Aleksandr Loktionov <[email protected]>
Signed-off-by: Larysa Zaremba <[email protected]>
---
  net/core/filter.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 616e0520a0bb..9715d957e3c5 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4149,12 +4149,13 @@ static int bpf_xdp_frags_increase_tail(struct xdp_buff 
*xdp, int offset)
        struct skb_shared_info *sinfo = xdp_get_shared_info_from_buff(xdp);
        skb_frag_t *frag = &sinfo->frags[sinfo->nr_frags - 1];
        struct xdp_rxq_info *rxq = xdp->rxq;
-       unsigned int tailroom;
+       int tailroom;
if (!rxq->frag_size || rxq->frag_size > xdp->frame_sz)
                return -EOPNOTSUPP;
tailroom = rxq->frag_size - skb_frag_size(frag) - skb_frag_off(frag);
+       WARN_ON_ONCE(tailroom < 0);
        if (unlikely(offset > tailroom))
                return -EINVAL;
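
Review bot: the result of the WARN_ON_ONCE(tailroom < 0) added just before the offset check is discarded, so a negative tailroom is only rejected by the following "offset > tailroom" comparison, and only if offset is not itself below tailroom. The visible lines do not establish that offset is non-negative. Making the rejection explicit with "if (WARN_ON_ONCE(tailroom < 0)) return -EINVAL;" would remove that dependency. A one-line comment would also help, saying that a negative value means rxq->frag_size is smaller than skb_frag_size(frag) + skb_frag_off(frag), i.e. the driver registered a wrong frag_size. With the old unsigned type, that subtraction wrapped to a large value and the check let the request through.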

Acked-by: Martin KaFai Lau <[email protected]>
