Commit 8c2cff50 authored May 02, 2026 by Jason Xing Committed by Jakub Kicinski May 05, 2026

xsk: avoid skb leak in XDP_TX_METADATA case

Fix it by explicitly adding kfree_skb() before returning back to its
caller.

How to reproduce it in virtio_net:
1. the current skb is the first one (which means no frag and xs->skb is
   NULL) and users enable metadata feature.
2. xsk_skb_metadata() returns a error code.
3. the caller xsk_build_skb() clears skb by using 'skb = NULL;'.
4. there is no chance to free this skb anymore.

Closes: https://lore.kernel.org/all/20260415085204.3F87AC19424@smtp.kernel.org/


Fixes: 30c3055f ("xsk: wrap generic metadata handling onto separate function")
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Signed-off-by: Jason Xing <kernelxing@tencent.com>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Link: https://patch.msgid.link/20260502200722.53960-7-kerneljasonxing@gmail.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 3dec153a

net/xdp/xsk.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -821,9 +821,11 @@ static struct sk_buff xsk_build_skb_zerocopy(struct xdp_sock xs,
		skb_reserve(skb, hr);
		if (desc->options & XDP_TX_METADATA) {
		err = xsk_skb_metadata(skb, buffer, desc, pool, hr);
		if (unlikely(err))
		if (unlikely(err)) {
		kfree_skb(skb);
		return ERR_PTR(err);
		}
		}
		} else {
		struct xsk_addrs *xsk_addr;