Re: [PATCH bpf] xsk: fix init race causing NPD/UAF in xsk_create()

From: bot+bpf-ci
Date: Thu Jan 08 2026 - 07:25:17 EST


> diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
> index f093c3453f64..63b48e4b8b65 100644
> --- a/net/xdp/xsk.c
> +++ b/net/xdp/xsk.c
> @@ -1942,16 +1938,20 @@ static int __init xsk_init(void)
> goto out_unreg_notif;
> }
>
> + err = sock_register(&xsk_family_ops);
> + if (err)
> + goto out_proto;
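
Review bot: the new `goto out_proto` on sock_register() failure unwinds too little; the `goto out_unreg_notif;` immediately above this hunk shows that the netdevice notifier and the pernet subsystem are already registered when sock_register() runs, yet out_proto only reaches proto_unregister(), so a late sock_register() failure leaves xsk_netdev_notifier and xsk_net_ops registered after xsk_init() has returned an error. The failure path should enter the unwind at its top, e.g. `goto out_unreg_notif;` (or a new label placed above it if anything else set up between the notifier registration and sock_register() also needs tearing down), so that unregister_netdevice_notifier() and unregister_pernet_subsys() run before proto_unregister(). Removing the out_sk label itself is consistent with the move: sock_register() is now the last step, so nothing after it needs a sock_unregister(PF_XDP) on the error path.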

If sock_register() fails here, does xsk_tx_generic_cache get leaked?
The kmem_cache was successfully created just above this, but the error
path at out_proto does not appear to call kmem_cache_destroy().

Looking at the error unwind below:

> +
> return 0;
>
> out_unreg_notif:
> unregister_netdevice_notifier(&xsk_netdev_notifier);
> out_pernet:
> unregister_pernet_subsys(&xsk_net_ops);
> -out_sk:
> - sock_unregister(PF_XDP);
> out_proto:
> proto_unregister(&xsk_proto);

The path from sock_register() failure goes to out_proto, which only calls
proto_unregister() before falling through. There is no kmem_cache_destroy()
for xsk_tx_generic_cache in this error path.

Should there be a new label between out_unreg_notif and out_pernet that
destroys the kmem_cache, and should out_proto jump there instead?


---
AI reviewed your patch. Please fix the bug or reply by email explaining why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20815690741