lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Dec 2022 10:48:37 +0100 From: Eelco Chaudron <echaudro@...hat.com> To: Aaron Conole <aconole@...hat.com> Cc: netdev@...r.kernel.org, Pravin B Shelar <pshelar@....org>, Jakub Kicinski <kuba@...nel.org>, "David S. Miller" <davem@...emloft.net>, Paolo Abeni <pabeni@...hat.com>, Eric Dumazet <edumazet@...gle.com>, Thomas Graf <tgraf@...g.ch>, dev@...nvswitch.org, Ilya Maximets <i.maximets@....org>, wangchuanlei <wangchuanlei@...pur.com>, linux-kernel@...r.kernel.org Subject: Re: [PATCH net] net: openvswitch: release vport resources on failure On 20 Dec 2022, at 22:27, Aaron Conole wrote: > A recent commit introducing upcall packet accounting failed to properly > release the vport object when the per-cpu stats struct couldn't be > allocated. This can cause dangling pointers to dp objects long after > they've been released. > > Cc: Eelco Chaudron <echaudro@...hat.com> > Cc: wangchuanlei <wangchuanlei@...pur.com> > Fixes: 1933ea365aa7 ("net: openvswitch: Add support to count upcall packets") > Reported-by: syzbot+8f4e2dcfcb3209ac35f9@...kaller.appspotmail.com > Signed-off-by: Aaron Conole <aconole@...hat.com> > --- Thanks for finding and fixing this! The changes look good to me. Acked-by: Eelco Chaudron <echaudro@...hat.com> > net/openvswitch/datapath.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c > index 932bcf766d63..6774baf9e212 100644 > --- a/net/openvswitch/datapath.c > +++ b/net/openvswitch/datapath.c > @@ -1854,7 +1854,7 @@ static int ovs_dp_cmd_new(struct sk_buff *skb, struct genl_info *info) > vport->upcall_stats = netdev_alloc_pcpu_stats(struct vport_upcall_stats_percpu); > if (!vport->upcall_stats) { > err = -ENOMEM; > - goto err_destroy_portids; > + goto err_destroy_vport; > } > > err = ovs_dp_cmd_fill_info(dp, reply, info->snd_portid, > @@ -1869,6 +1869,8 @@ static int ovs_dp_cmd_new(struct sk_buff *skb, struct genl_info *info) > ovs_notify(&dp_datapath_genl_family, reply, info); > return 0; > > +err_destroy_vport: > + ovs_dp_detach_port(vport); > err_destroy_portids: > kfree(rcu_dereference_raw(dp->upcall_portids)); > err_unlock_and_destroy_meters: > @@ -2316,7 +2318,7 @@ static int ovs_vport_cmd_new(struct sk_buff *skb, struct genl_info *info) > vport->upcall_stats = netdev_alloc_pcpu_stats(struct vport_upcall_stats_percpu); > if (!vport->upcall_stats) { > err = -ENOMEM; > - goto exit_unlock_free; > + goto exit_unlock_free_vport; > } > > err = ovs_vport_cmd_fill_info(vport, reply, genl_info_net(info), > @@ -2336,6 +2338,8 @@ static int ovs_vport_cmd_new(struct sk_buff *skb, struct genl_info *info) > ovs_notify(&dp_vport_genl_family, reply, info); > return 0; > > +exit_unlock_free_vport: > + ovs_dp_detach_port(vport); > exit_unlock_free: > ovs_unlock(); > kfree_skb(reply); > -- > 2.31.1
Powered by blists - more mailing lists