From: Kery Qi
To: bpf@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, bjorn@kernel.org, hawk@kernel.org, pabeni@redhat.com, magnus.karlsson@intel.com, daniel@iogearbox.net, maciej.fijalkowski@intel.com, kuba@kernel.org, edumazet@google.com, horms@kernel.org, ast@kernel.org, sdf@fomichev.me, john.fastabend@gmail.com, Kery Qi
Subject: [PATCH bpf] xsk: fix init race causing NPD/UAF in xsk_create()
Date: Fri, 9 Jan 2026 18:46:44 +0800
Message-ID: <20260109104643.1988-2-qikeyu2017@gmail.com>

xsk_init() previously registered the PF_XDP socket family before the per-net subsystem and other prerequisites (netdevice notifier, caches) were fully initialized. This exposed .create = xsk_create() to user space while per-netns state (net->xdp.lock/list) was still uninitialized.

A task with CAP_NET_RAW could trigger this during boot/module load by calling socket(PF_XDP, SOCK_RAW, 0) concurrently with xsk_init(), leading to a NULL pointer dereference or use-after-free in the list manipulation.

To fix this, move sock_register() to the end of the initialization sequence, ensuring that all required kernel structures are ready before exposing the AF_XDP interface to userspace. Accordingly, reorder the error unwind path to ensure proper cleanup in reverse order of initialization. Also, explicitly add kmem_cache_destroy() in the error path to prevent leaking xsk_tx_generic_cache if the registration fails.

Fixes: c0c77d8fb787 ("xsk: add user memory registration support sockopt")
Signed-off-by: Kery Qi --- net/xdp/xsk.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c index f093c3453f64..d402f23dfd8e 100644 --- a/net/xdp/xsk.c +++ b/net/xdp/xsk.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -1922,13 +1923,9 @@ static int __init xsk_init(void) if (err) goto out; =20 - err =3D sock_register(&xsk_family_ops); - if (err) - goto out_proto; - err =3D register_pernet_subsys(&xsk_net_ops); if (err) - goto out_sk; + goto out_proto; =20 err =3D register_netdevice_notifier(&xsk_netdev_notifier); if (err) @@ -1939,17 +1936,21 @@ static int __init xsk_init(void) 0, SLAB_HWCACHE_ALIGN, NULL); if (!xsk_tx_generic_cache) { err =3D -ENOMEM; - goto out_unreg_notif; + goto out_notifier; } =20 + err =3D sock_register(&xsk_family_ops); + if (err) + goto out_cache; + return 0; =20 -out_unreg_notif: +out_cache: + kmem_cache_destroy(xsk_tx_generic_cache); +out_notifier: unregister_netdevice_notifier(&xsk_netdev_notifier); out_pernet: unregister_pernet_subsys(&xsk_net_ops); -out_sk: - sock_unregister(PF_XDP); out_proto: proto_unregister(&xsk_proto); out: --=20 2.34.1
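Review bot: the added #include in the first hunk (@@ -23,6 +23,7 @@) is not mentioned anywhere in the changelog, and the two later hunks call no new API beyond kmem_cache_destroy(), whose header the file must already pull in for the cache-creation call that is visible just above the `if (!xsk_tx_generic_cache)` check. Either drop the include or add a sentence to the commit message saying which symbol it is needed for; an unexplained header change in a bpf-tree fix is the kind of thing that gets questioned on backport.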
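Review bot: in the second hunk (@@ -1922,13 +1923,9 @@), pointing the register_pernet_subsys() failure at `out_proto` is correct now that nothing is registered with sock_register() between proto_register() and this point, so the PF_XDP family is no longer reachable from socket(2) while net->xdp state is unset. Two things the diff does not show and the changelog should state: the initcall level at which xsk_init() runs and whether this code can be built as a module, since both decide whether a CAP_NET_RAW task can actually race the init sequence as described; and please confirm that the module exit / teardown path unregisters the socket family first, mirroring the new order, otherwise the same window reopens at teardown.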
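Review bot: in the third hunk (@@ -1939,17 +1936,21 @@) the unwind order is right (destroy cache, unregister notifier, unregister pernet, unregister proto) and the new `out_cache:` label is needed because sock_register() now runs after the cache is created, so a registration failure would otherwise leak xsk_tx_generic_cache. The rename of `out_unreg_notif` to `out_notifier` is pure churn, though: it adds two changed lines that carry no behaviour and makes the fix harder to apply to stable trees. Keep the existing label name and have the new `goto` target it, i.e. `goto out_unreg_notif;` from the cache-failure branch and fall through from `out_cache:` to `out_unreg_notif:`.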