Re: [PATCH 5.15.y] xen-netfront: handle NULL returned by xdp_convert_buff_to_frame()

[Greg KH]

On Fri, Mar 27, 2026 at 01:59:50PM +0800, Johnny Hao wrote:
> From: Alexey Nepomnyashih <sdl@xxxxxxxx>
> 
> [ Upstream commit cc3628dcd851ddd8d418bf0c897024b4621ddc92 ]
> 
> The function xdp_convert_buff_to_frame() may return NULL if it fails
> to correctly convert the XDP buffer into an XDP frame due to memory
> constraints, internal errors, or invalid data. Failing to check for NULL
> may lead to a NULL pointer dereference if the result is used later in
> processing, potentially causing crashes, data corruption, or undefined
> behavior.
> 
> On XDP redirect failure, the associated page must be released explicitly
> if it was previously retained via get_page(). Failing to do so may result
> in a memory leak, as the pages reference count is not decremented.
> 
> Cc: stable@xxxxxxxxxxxxxxx # v5.9+
> Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
> Signed-off-by: Alexey Nepomnyashih <sdl@xxxxxxxx>
> Link: https://patch.msgid.link/20250417122118.1009824-1-sdl@xxxxxxxx
> Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
> Signed-off-by: Johnny Hao <johnny_haocn@xxxxxxxx>
> ---
>  drivers/net/xen-netfront.c | 17 ++++++++++++-----
>  1 file changed, 12 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
> index 4b19d54fa2e2..310bc1f7d404 100644
> --- a/drivers/net/xen-netfront.c
> +++ b/drivers/net/xen-netfront.c
> @@ -982,20 +982,27 @@ static u32 xennet_run_xdp(struct netfront_queue *queue, struct page *pdata,
>  	act = bpf_prog_run_xdp(prog, xdp);
>  	switch (act) {
>  	case XDP_TX:
> -		get_page(pdata);
>  		xdpf = xdp_convert_buff_to_frame(xdp);
> +		if (unlikely(!xdpf)) {
> +			trace_xdp_exception(queue->info->netdev, prog, act);
> +			break;
> +		}
> +		get_page(pdata);
>  		err = xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0);
> -		if (unlikely(!err))
> +		if (unlikely(err <= 0)) {
> +			if (err < 0)
> +				trace_xdp_exception(queue->info->netdev, prog, act);
>  			xdp_return_frame_rx_napi(xdpf);
> -		else if (unlikely(err < 0))
> -			trace_xdp_exception(queue->info->netdev, prog, act);
> +		}
>  		break;
>  	case XDP_REDIRECT:
>  		get_page(pdata);
>  		err = xdp_do_redirect(queue->info->netdev, xdp, prog);
>  		*need_xdp_flush = true;
> -		if (unlikely(err))
> +		if (unlikely(err)) {
>  			trace_xdp_exception(queue->info->netdev, prog, act);
> +			xdp_return_buff(xdp);
> +		}
>  		break;
>  	case XDP_PASS:
>  	case XDP_DROP:
> -- 
> 2.34.1
> 

Breaks the build:
	ERROR: modpost: "xdp_return_buff" [drivers/net/xen-netfront.ko] undefined!