authorJason Xing <kernelxing@tencent.com>2026-05-02 23:07:20 +0300
committerJakub Kicinski <kuba@kernel.org>2026-05-05 19:27:50 -0700
commit8c2cff50afdd2b53c7cc2ca2297301c0ffd3e802 (patch)
treebe02987c00f1fd7c7a7737dc6f7da6c470dbf5d7
parent3dec153ae484e3b2ddac841156e197ba54c8df94 (diff)
xsk: avoid skb leak in XDP_TX_METADATA case
Fix it by explicitly adding kfree_skb() before returning back to its caller. How to reproduce it in virtio_net: 1. the current skb is the first one (which means no frag and xs->skb is NULL) and users enable metadata feature. 2. xsk_skb_metadata() returns an error code. 3. the caller xsk_build_skb() clears skb by using 'skb = NULL;'. 4. there is no chance to free this skb anymore. Closes: https://lore.kernel.org/all/20260415085204.3F87AC19424@smtp.kernel.org/ Fixes: 30c3055f9c0d ("xsk: wrap generic metadata handling onto separate function") Acked-by: Stanislav Fomichev <sdf@fomichev.me> Signed-off-by: Jason Xing <kernelxing@tencent.com> Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com> Link: https://patch.msgid.link/20260502200722.53960-7-kerneljasonxing@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-rw-r--r--net/xdp/xsk.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index af3c5752bb63..770ba4695a9d 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -821,8 +821,10 @@ static struct sk_buff *xsk_build_skb_zerocopy(struct xdp_sock *xs,
skb_reserve(skb, hr);
if (desc->options & XDP_TX_METADATA) {
err = xsk_skb_metadata(skb, buffer, desc, pool, hr);
- if (unlikely(err))
+ if (unlikely(err)) {
+ kfree_skb(skb);
return ERR_PTR(err);
+ }
}
} else {
struct xsk_addrs *xsk_addr;
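Review bot: The `kfree_skb(skb)` added in the `XDP_TX_METADATA` error branch depends on an ownership rule that is not written down at the call site. The skb belongs to this first-descriptor branch and, per the commit message, the caller `xsk_build_skb()` sets `skb = NULL` on error, so nothing later can free it. A comment above the free, e.g. `/* first skb: caller drops its pointer on error, so it must be freed here */`, would keep a future early return in this branch from reintroducing the leak. The descriptor options and metadata presumably come from the socket's user, so this failure path can likely be hit repeatedly, which is why the cleanup should be explicit. The allocation and any destructor setup sit above the hunk, so it is worth confirming that `kfree_skb()` here does not run a destructor whose accounting the caller's error path also undoes.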