From: Kery Qi
To: bpf@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, bjorn@kernel.org, hawk@kernel.org, pabeni@redhat.com, magnus.karlsson@intel.com, daniel@iogearbox.net, maciej.fijalkowski@intel.com, kuba@kernel.org, edumazet@google.com, horms@kernel.org, ast@kernel.org, sdf@fomichev.me, john.fastabend@gmail.com, Kery Qi
Subject: [PATCH bpf] xsk: fix init race causing NPD/UAF in xsk_create()
Date: Fri, 9 Jan 2026 18:04:20 +0800
Message-ID: <20260109100420.1967-2-qikeyu2017@gmail.com>

xsk_init() previously registered the PF_XDP socket family before the per-net subsystem and other prerequisites (netdevice notifier, caches) were fully initialized. This exposed .create = xsk_create() to user space while per-netns state (net->xdp.lock/list) was still uninitialized.

A task with CAP_NET_RAW could trigger this during boot/module load by calling socket(PF_XDP, SOCK_RAW, 0) concurrently with xsk_init(), leading to a NULL pointer dereference or use-after-free in the list manipulation.

To fix this, move sock_register() to the end of the initialization sequence, ensuring that all required kernel structures are ready before exposing the AF_XDP interface to userspace.

Accordingly, reorder the error unwind path to ensure proper cleanup in reverse order of initialization. Also, explicitly add kmem_cache_destroy() in the error path to prevent leaking xsk_tx_generic_cache if the registration fails.

Fixes: c0c77d8fb787 ("xsk: add user memory registration support sockopt")
Signed-off-by: Kery Qi --- net/xdp/xsk.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c index f093c3453f64..58e9c61c29e0 100644 --- a/net/xdp/xsk.c +++ b/net/xdp/xsk.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -1922,10 +1923,6 @@ static int __init xsk_init(void) if (err) goto out; =20 - err =3D sock_register(&xsk_family_ops); - if (err) - goto out_proto; - err =3D register_pernet_subsys(&xsk_net_ops); if (err) goto out_sk; @@ -1942,16 +1939,21 @@ static int __init xsk_init(void) goto out_unreg_notif; } =20 + err =3D sock_register(&xsk_family_ops); + if (err) + goto out_proto; + return 0; =20 +out_proto: + proto_unregister(&xsk_proto); + kmem_cache_destroy(xsk_tx_generic_cache); out_unreg_notif: unregister_netdevice_notifier(&xsk_netdev_notifier); out_pernet: unregister_pernet_subsys(&xsk_net_ops); out_sk: sock_unregister(PF_XDP); -out_proto: - proto_unregister(&xsk_proto); out: return err; } --=20 2.34.1
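
Review bot: The `+#include` added in the first hunk (@@ -23,6 +23,7 @@) is not mentioned in the commit message. Say which symbol it is needed for (kmem_cache_destroy() is the only new call in the patch), or drop it if the file already builds without it, so the fix stays minimal.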
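
Review bot: In the second hunk (@@ -1922,10 +1923,6 @@) the unchanged failure branch for register_pernet_subsys() still does `goto out_sk;`, and after this change out_sk runs sock_unregister(PF_XDP) on a family that has not been registered yet, then falls to out without calling proto_unregister(&xsk_proto). With sock_register() moved to the end, this branch only has the earlier proto registration to undo, so it should jump to a label that does exactly that, for example `goto out_proto;` with out_proto placed directly above out.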
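
Review bot: The unwind labels in the last hunk (@@ -1942,16 +1939,21 @@) are not in reverse order of initialization, although the commit message says they are. out_proto now sits at the top, so proto_unregister(&xsk_proto) runs only when sock_register() fails and is skipped when entering at out_unreg_notif, out_pernet or out_sk. The fall-through also still ends in sock_unregister(PF_XDP), which every failure path now reaches even though registration is the last step and has either not run or has just failed. Suggest removing sock_unregister(PF_XDP) from the unwind, entering at a new label that calls kmem_cache_destroy(xsk_tx_generic_cache) when sock_register() fails, and keeping `out_proto: proto_unregister(&xsk_proto);` as the last step before out.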