diff mbox series

[net] net: openvswitch: release vport resources on failure

Message ID 20221220212717.526780-1-aconole@redhat.com (mailing list archive)
State Accepted
Commit 95637d91fefdb94d6e7389222ba9ddab0e9f5abe
Delegated to: Netdev Maintainers
Headers show
Series [net] net: openvswitch: release vport resources on failure | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 26 this patch: 26
netdev/cc_maintainers success CCed 9 of 9 maintainers
netdev/build_clang success Errors and warnings before: 5 this patch: 5
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 24 this patch: 24
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 32 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Aaron Conole Dec. 20, 2022, 9:27 p.m. UTC 
A recent commit introducing upcall packet accounting failed to properly
release the vport object when the per-cpu stats struct couldn't be
allocated.  This can cause dangling pointers to dp objects long after
they've been released.

Cc: Eelco Chaudron <echaudro@redhat.com>
Cc: wangchuanlei <wangchuanlei@inspur.com>
Fixes: 1933ea365aa7 ("net: openvswitch: Add support to count upcall packets")
Reported-by: syzbot+8f4e2dcfcb3209ac35f9@syzkaller.appspotmail.com
Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 net/openvswitch/datapath.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

Eelco Chaudron Dec. 21, 2022, 9:48 a.m. UTC | #1 
On 20 Dec 2022, at 22:27, Aaron Conole wrote:

> A recent commit introducing upcall packet accounting failed to properly
> release the vport object when the per-cpu stats struct couldn't be
> allocated.  This can cause dangling pointers to dp objects long after
> they've been released.
>
> Cc: Eelco Chaudron <echaudro@redhat.com>
> Cc: wangchuanlei <wangchuanlei@inspur.com>
> Fixes: 1933ea365aa7 ("net: openvswitch: Add support to count upcall packets")
> Reported-by: syzbot+8f4e2dcfcb3209ac35f9@syzkaller.appspotmail.com
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---

Thanks for finding and fixing this! The changes look good to me.

Acked-by: Eelco Chaudron <echaudro@redhat.com>


>  net/openvswitch/datapath.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
> index 932bcf766d63..6774baf9e212 100644
> --- a/net/openvswitch/datapath.c
> +++ b/net/openvswitch/datapath.c
> @@ -1854,7 +1854,7 @@ static int ovs_dp_cmd_new(struct sk_buff *skb, struct genl_info *info)
>  	vport->upcall_stats = netdev_alloc_pcpu_stats(struct vport_upcall_stats_percpu);
>  	if (!vport->upcall_stats) {
>  		err = -ENOMEM;
> -		goto err_destroy_portids;
> +		goto err_destroy_vport;
>  	}
>
>  	err = ovs_dp_cmd_fill_info(dp, reply, info->snd_portid,
> @@ -1869,6 +1869,8 @@ static int ovs_dp_cmd_new(struct sk_buff *skb, struct genl_info *info)
>  	ovs_notify(&dp_datapath_genl_family, reply, info);
>  	return 0;
>
> +err_destroy_vport:
> +	ovs_dp_detach_port(vport);
>  err_destroy_portids:
>  	kfree(rcu_dereference_raw(dp->upcall_portids));
>  err_unlock_and_destroy_meters:
> @@ -2316,7 +2318,7 @@ static int ovs_vport_cmd_new(struct sk_buff *skb, struct genl_info *info)
>  	vport->upcall_stats = netdev_alloc_pcpu_stats(struct vport_upcall_stats_percpu);
>  	if (!vport->upcall_stats) {
>  		err = -ENOMEM;
> -		goto exit_unlock_free;
> +		goto exit_unlock_free_vport;
>  	}
>
>  	err = ovs_vport_cmd_fill_info(vport, reply, genl_info_net(info),
> @@ -2336,6 +2338,8 @@ static int ovs_vport_cmd_new(struct sk_buff *skb, struct genl_info *info)
>  	ovs_notify(&dp_vport_genl_family, reply, info);
>  	return 0;
>
> +exit_unlock_free_vport:
> +	ovs_dp_detach_port(vport);
>  exit_unlock_free:
>  	ovs_unlock();
>  	kfree_skb(reply);
> -- 
> 2.31.1
Michal Swiatkowski Dec. 21, 2022, 10:11 a.m. UTC | #2 
On Tue, Dec 20, 2022 at 04:27:17PM -0500, Aaron Conole wrote:
> A recent commit introducing upcall packet accounting failed to properly
> release the vport object when the per-cpu stats struct couldn't be
> allocated.  This can cause dangling pointers to dp objects long after
> they've been released.
> 
> Cc: Eelco Chaudron <echaudro@redhat.com>
> Cc: wangchuanlei <wangchuanlei@inspur.com>
> Fixes: 1933ea365aa7 ("net: openvswitch: Add support to count upcall packets")
> Reported-by: syzbot+8f4e2dcfcb3209ac35f9@syzkaller.appspotmail.com
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---
Looks good, thanks

Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
> -- 
> 2.31.1
>
patchwork-bot+netdevbpf@kernel.org Dec. 22, 2022, 1:50 a.m. UTC | #3 
Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 20 Dec 2022 16:27:17 -0500 you wrote:
> A recent commit introducing upcall packet accounting failed to properly
> release the vport object when the per-cpu stats struct couldn't be
> allocated.  This can cause dangling pointers to dp objects long after
> they've been released.
> 
> Cc: Eelco Chaudron <echaudro@redhat.com>
> Cc: wangchuanlei <wangchuanlei@inspur.com>
> Fixes: 1933ea365aa7 ("net: openvswitch: Add support to count upcall packets")
> Reported-by: syzbot+8f4e2dcfcb3209ac35f9@syzkaller.appspotmail.com
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> 
> [...]

Here is the summary with links:
  - [net] net: openvswitch: release vport resources on failure
    https://git.kernel.org/netdev/net/c/95637d91fefd

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 932bcf766d63..6774baf9e212 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -1854,7 +1854,7 @@  static int ovs_dp_cmd_new(struct sk_buff *skb, struct genl_info *info)
 	vport->upcall_stats = netdev_alloc_pcpu_stats(struct vport_upcall_stats_percpu);
 	if (!vport->upcall_stats) {
 		err = -ENOMEM;
-		goto err_destroy_portids;
+		goto err_destroy_vport;
 	}
 
 	err = ovs_dp_cmd_fill_info(dp, reply, info->snd_portid,
@@ -1869,6 +1869,8 @@  static int ovs_dp_cmd_new(struct sk_buff *skb, struct genl_info *info)
 	ovs_notify(&dp_datapath_genl_family, reply, info);
 	return 0;
 
+err_destroy_vport:
+	ovs_dp_detach_port(vport);
 err_destroy_portids:
 	kfree(rcu_dereference_raw(dp->upcall_portids));
 err_unlock_and_destroy_meters:
@@ -2316,7 +2318,7 @@  static int ovs_vport_cmd_new(struct sk_buff *skb, struct genl_info *info)
 	vport->upcall_stats = netdev_alloc_pcpu_stats(struct vport_upcall_stats_percpu);
 	if (!vport->upcall_stats) {
 		err = -ENOMEM;
-		goto exit_unlock_free;
+		goto exit_unlock_free_vport;
 	}
 
 	err = ovs_vport_cmd_fill_info(vport, reply, genl_info_net(info),
@@ -2336,6 +2338,8 @@  static int ovs_vport_cmd_new(struct sk_buff *skb, struct genl_info *info)
 	ovs_notify(&dp_vport_genl_family, reply, info);
 	return 0;
 
+exit_unlock_free_vport:
+	ovs_dp_detach_port(vport);
 exit_unlock_free:
 	ovs_unlock();
 	kfree_skb(reply);