From: Alexey Nepomnyashih
To: Juergen Gross
Cc: Alexey Nepomnyashih, Stefano Stabellini, Oleksandr Tyshchenko, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Alexei Starovoitov, Daniel Borkmann, Jesper Dangaard Brouer, John Fastabend, xen-devel@lists.xenproject.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, lvc-project@linuxtesting.org, stable@vger.kernel.org
Subject: [PATCH v2] xen-netfront: handle NULL returned by xdp_convert_buff_to_frame()
Date: Thu, 17 Apr 2025 12:21:17 +0000
Message-ID: <20250417122118.1009824-1-sdl@nppct.ru>
X-Mailing-List: linux-kernel@vger.kernel.org

The function xdp_convert_buff_to_frame() may return NULL if it fails to correctly convert the XDP buffer into an XDP frame due to memory constraints, internal errors, or invalid data. Failing to check for NULL may lead to a NULL pointer dereference if the result is used later in processing, potentially causing crashes, data corruption, or undefined behavior.

On XDP redirect failure, the associated page must be released explicitly if it was previously retained via get_page(). Failing to do so may result in a memory leak, as the page's reference count is not decremented.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Cc: stable@vger.kernel.org # v5.9+
Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
Signed-off-by: Alexey Nepomnyashih
---
 drivers/net/xen-netfront.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c index 63fe51d0e64d..1d3ff57a6125 100644 --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c
@@ -985,20 +985,27 @@ static u32 xennet_run_xdp(struct netfront_queue *queu= e, struct page *pdata, act =3D bpf_prog_run_xdp(prog, xdp); switch (act) { case XDP_TX: - get_page(pdata); xdpf =3D xdp_convert_buff_to_frame(xdp); - err =3D xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0); - if (unlikely(!err)) - xdp_return_frame_rx_napi(xdpf); - else if (unlikely(err < 0)) + if (unlikely(!xdpf)) { trace_xdp_exception(queue->info->netdev, prog, act); + break; + } + get_page(pdata); + err =3D xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0); + if (unlikely(err <=3D 0)) { + if (err < 0) + trace_xdp_exception(queue->info->netdev, prog, act); + xdp_return_frame_rx_napi(xdpf); + } break; case XDP_REDIRECT: get_page(pdata); err =3D xdp_do_redirect(queue->info->netdev, xdp, prog); *need_xdp_flush =3D true; - if (unlikely(err)) + if (unlikely(err)) { trace_xdp_exception(queue->info->netdev, prog, act); + xdp_return_buff(xdp); + } break; case XDP_PASS: case XDP_DROP: --=20 2.43.0
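Review bot: In the XDP_TX branch, the new `if (unlikely(err <= 0))` block calls xdp_return_frame_rx_napi(xdpf) for negative err as well, whereas the removed lines returned the frame only when `!err` and merely traced on `err < 0`; the changelog describes the NULL check and the redirect release but not this third behaviour change. Please state in the commit message why the frame has to be returned when xennet_xdp_xmit() fails with a negative value, since the patch is tagged for stable and the subject names only the NULL check. It would also help to split the XDP_REDIRECT change (the added xdp_return_buff(xdp) on error) into its own patch, or at least mention it in the subject, so each fix can be reviewed and backported on its own. A short comment above get_page(pdata) in both branches saying which call drops that reference on each failure path would make the pairing easier to audit, given that one branch releases through xdp_return_frame_rx_napi() and the other through xdp_return_buff().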