Avoid clearing xdp_frame area if this was already done by previous invocations of bpf_xdp_adjust_head.

The xdp_adjust_head helper can be called multiple times by the bpf_prog. If increasing the packet header size (with a negative offset), the kernel must assume the bpf_prog stores valuable information here, and not clear this information. In case of extending the header into the xdp_frame area, the kernel clears this area to avoid any info leaking.

The bug in the current implementation is that if the existing xdp->data pointer has already been moved into the xdp_frame area, then memory is cleared between the new data pointer and xdp_frame-end, which covers an area that might contain information stored by the BPF prog (as the current xdp->data lies between those pointers).

Fixes: 6dfb970d3dbd ("xdp: avoid leaking info stored in frame data on page reuse")
Signed-off-by: Jesper Dangaard Brouer <bro...@redhat.com>
---
 net/core/filter.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/core/filter.c b/net/core/filter.c index a374b8560bc4..15e9b5477360 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -2705,6 +2705,13 @@ BPF_CALL_2(bpf_xdp_adjust_head, struct xdp_buff *, xdp, int, offset) if (data < xdp_frame_end) { unsigned long clearlen = xdp_frame_end - data; + /* Handle if prev call adjusted xdp->data into xdp_frame area */ + if (unlikely(xdp->data < xdp_frame_end)) { + if (data < xdp->data) + clearlen = xdp->data - data; + else + clearlen = 0; + } memset(data, 0, clearlen); }
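Review bot: the correctness of the new `if (unlikely(xdp->data < xdp_frame_end))` block rests on an invariant the comment does not state: every byte in [xdp->data, xdp_frame_end) has already been zeroed by the earlier call that moved xdp->data below xdp_frame_end, so only the newly exposed range [data, xdp->data) can still hold stale xdp_frame contents. Please spell that out in the comment, since a future change that lets xdp->data land below xdp_frame_end without clearing (for example a different helper or a driver setting data_hard_start/data differently) would silently reintroduce the leak this hunk and 6dfb970d3dbd are meant to close. Two smaller points: the `else clearlen = 0;` branch still reaches `memset(data, 0, clearlen);` with a zero length, which is harmless but reads oddly in a hot path, so consider skipping the memset entirely when nothing needs clearing; and the nested condition could be expressed as clearing up to `min(xdp->data, xdp_frame_end)` whenever that bound is above `data`, which covers both the first-call and repeated-call cases in one expression and is easier to audit than the two-level branch.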