If combining xdp_adjust_head and xdp_adjust_meta, then it is possible to make data_meta overlap with area used by xdp_frame. And another invocation of xdp_adjust_head can then clear that area, due to clearing of xdp_frame area.
The easiest solution I found was to simply not allow xdp_buff->data_meta to overlap with area used by xdp_frame. Fixes: 6dfb970d3dbd ("xdp: avoid leaking info stored in frame data on page reuse") Signed-off-by: Jesper Dangaard Brouer <bro...@redhat.com> --- net/core/filter.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index 15e9b5477360..e3623e741181 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -2701,6 +2701,11 @@ BPF_CALL_2(bpf_xdp_adjust_head, struct xdp_buff *, xdp, int, offset) data > xdp->data_end - ETH_HLEN)) return -EINVAL; + /* Disallow data_meta to use xdp_frame area */ + if (metalen > 0 && + unlikely((data - metalen) < xdp_frame_end)) + return -EINVAL; + /* Avoid info leak, when reusing area prev used by xdp_frame */ if (data < xdp_frame_end) { unsigned long clearlen = xdp_frame_end - data; @@ -2734,6 +2739,7 @@ static const struct bpf_func_proto bpf_xdp_adjust_head_proto = { BPF_CALL_2(bpf_xdp_adjust_meta, struct xdp_buff *, xdp, int, offset) { + void *xdp_frame_end = xdp->data_hard_start + sizeof(struct xdp_frame); void *meta = xdp->data_meta + offset; unsigned long metalen = xdp->data - meta; @@ -2742,6 +2748,11 @@ BPF_CALL_2(bpf_xdp_adjust_meta, struct xdp_buff *, xdp, int, offset) if (unlikely(meta < xdp->data_hard_start || meta > xdp->data)) return -EINVAL; + + /* Disallow data_meta to use xdp_frame area */ + if (unlikely(meta < xdp_frame_end)) + return -EINVAL; + if (unlikely((metalen & (sizeof(__u32) - 1)) || (metalen > 32))) return -EACCES;