From: Jason Xing When the TX loop in __xsk_generic_xmit() encounters an invalid descriptor mid-packet (e.g. an out-of-bounds address), the partial skb is dropped and the offending descriptor is released. However, remaining continuation descriptors belonging to the same multi-buffer packet still sit in the TX ring. Since xs->skb becomes NULL after the drop, the next iteration treats the leftover continuation fragment as a brand-new packet, corrupting the packet stream. Fix this by setting the drain_cont flag when the released descriptor has XDP_PKT_CONTD set. On the next call to __xsk_generic_xmit(), the drain logic introduced in the previous patch handles the remaining fragments with normal CQ backpressure. There is one subtle case: if a subsequent continuation descriptor also has an invalid address, xskq_cons_peek_desc() rejects it and the while loop is never entered, so the in-loop drain path cannot clear drain_cont. The post-loop code already handles this: it sees xskq_has_descs() is true (the failed descriptor was read but not released by peek), releases it, and checks its XDP_PKT_CONTD flag. Add an else branch so that when the released descriptor is the last fragment (no XDP_PKT_CONTD), drain_cont is cleared. This prevents the next valid packet from being incorrectly drained. Fixes: cf24f5a5feea ("xsk: add support for AF_XDP multi-buffer on Tx path") Signed-off-by: Jason Xing --- net/xdp/xsk.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c index f4add7be8c93..de953f38b9e2 100644 --- a/net/xdp/xsk.c +++ b/net/xdp/xsk.c @@ -1122,6 +1122,7 @@ static int __xsk_generic_xmit(struct sock *sk) if (xs->skb) xsk_drop_skb(xs->skb); xskq_cons_release(xs->tx); + xs->drain_cont = xp_mb_desc(&desc); } out: -- 2.43.7