Patch Detail

HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2223517,
    "url": "http://patchwork.ozlabs.org/api/1.2/patches/2223517/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/openvswitch/patch/20260415125121.110874-2-bestswngs@gmail.com/",
    "project": {
        "id": 47,
        "url": "http://patchwork.ozlabs.org/api/1.2/projects/47/?format=api",
        "name": "Open vSwitch",
        "link_name": "openvswitch",
        "list_id": "ovs-dev.openvswitch.org",
        "list_email": "ovs-dev@openvswitch.org",
        "web_url": "http://openvswitch.org/",
        "scm_url": "git@github.com:openvswitch/ovs.git",
        "webscm_url": "https://github.com/openvswitch/ovs",
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260415125121.110874-2-bestswngs@gmail.com>",
    "list_archive_url": null,
    "date": "2026-04-15T12:51:22",
    "name": "[ovs-dev,net,v4] openvswitch: cap upcall PID array size and pre-size vport replies",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "dbab9e87198b2a13c6812204f5a2db84fb80ab68",
    "submitter": {
        "id": 92941,
        "url": "http://patchwork.ozlabs.org/api/1.2/people/92941/?format=api",
        "name": "Weiming Shi",
        "email": "bestswngs@gmail.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/openvswitch/patch/20260415125121.110874-2-bestswngs@gmail.com/mbox/",
    "series": [
        {
            "id": 499987,
            "url": "http://patchwork.ozlabs.org/api/1.2/series/499987/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/openvswitch/list/?series=499987",
            "date": "2026-04-15T12:51:22",
            "name": "[ovs-dev,net,v4] openvswitch: cap upcall PID array size and pre-size vport replies",
            "version": 4,
            "mbox": "http://patchwork.ozlabs.org/series/499987/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2223517/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2223517/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<ovs-dev-bounces@openvswitch.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "dev@openvswitch.org"
        ],
        "Delivered-To": [
            "patchwork-incoming@legolas.ozlabs.org",
            "ovs-dev@lists.linuxfoundation.org"
        ],
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=XjVY726T;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)",
            "smtp2.osuosl.org;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key,\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=XjVY726T",
            "smtp3.osuosl.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com",
            "smtp3.osuosl.org;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.a=rsa-sha256 header.s=20251104 header.b=XjVY726T"
        ],
        "Received": [
            "from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwgyF4q18z1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 15 Apr 2026 22:51:49 +1000 (AEST)",
            "from localhost (localhost [127.0.0.1])\n\tby smtp2.osuosl.org (Postfix) with ESMTP id 1F06D40832;\n\tWed, 15 Apr 2026 12:51:48 +0000 (UTC)",
            "from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id F5_xvveBEyCK; Wed, 15 Apr 2026 12:51:47 +0000 (UTC)",
            "from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])\n\tby smtp2.osuosl.org (Postfix) with ESMTPS id 0BDAF40261;\n\tWed, 15 Apr 2026 12:51:47 +0000 (UTC)",
            "from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id DC171C054A;\n\tWed, 15 Apr 2026 12:51:46 +0000 (UTC)",
            "from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 1F168C0549\n for <dev@openvswitch.org>; Wed, 15 Apr 2026 12:51:46 +0000 (UTC)",
            "from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 10B7B608AA\n for <dev@openvswitch.org>; Wed, 15 Apr 2026 12:51:46 +0000 (UTC)",
            "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id F3LxDnSu7JRd for <dev@openvswitch.org>;\n Wed, 15 Apr 2026 12:51:45 +0000 (UTC)",
            "from mail-dy1-x132a.google.com (mail-dy1-x132a.google.com\n [IPv6:2607:f8b0:4864:20::132a])\n by smtp3.osuosl.org (Postfix) with ESMTPS id 55C5E605F5\n for <dev@openvswitch.org>; Wed, 15 Apr 2026 12:51:44 +0000 (UTC)",
            "by mail-dy1-x132a.google.com with SMTP id\n 5a478bee46e88-2d52c7f92b1so5963962eec.0\n for <dev@openvswitch.org>; Wed, 15 Apr 2026 05:51:44 -0700 (PDT)",
            "from 6cb30d4270db.tailc0aff1.ts.net ([206.206.192.132])\n by smtp.gmail.com with ESMTPSA id\n 5a478bee46e88-2de8c90cd7esm3012690eec.13.2026.04.15.05.51.42\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 15 Apr 2026 05:51:42 -0700 (PDT)"
        ],
        "X-Virus-Scanned": [
            "amavis at osuosl.org",
            "amavis at osuosl.org"
        ],
        "X-Comment": "SPF check N/A for local connections - client-ip=140.211.9.56;\n helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN> ",
        "DKIM-Filter": [
            "OpenDKIM Filter v2.11.0 smtp2.osuosl.org 0BDAF40261",
            "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 55C5E605F5"
        ],
        "Received-SPF": "Pass (mailfrom) identity=mailfrom;\n client-ip=2607:f8b0:4864:20::132a; helo=mail-dy1-x132a.google.com;\n envelope-from=bestswngs@gmail.com; receiver=<UNKNOWN>",
        "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp3.osuosl.org 55C5E605F5",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776257504; x=1776862304; darn=openvswitch.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=yNVtghdFDqTr06npTeuHS9vtArWDTpcLIvYINogqhXM=;\n b=XjVY726TI4sP9I8HiUSq7YgW1u4B0deuBuI1EK7GP8UCSVb0dWdDPmAssBSmr1xWB4\n wR0dAURgtUwsFEYJaEO50RtWqy5L5QKmelmCYuLAjzgB1zwYl7Ff/aXDWjzioKzzONqr\n 2oXkIqGCiaqxv1GifIqs65+5yxUGJSry3CwbIDxRG+Zf7GFv1inEi1qYu62nNZeP1RRw\n uwonx1f+zmqA7OcnFUqRZeexOfxqOKR3r1tNS4GmF6fhBWvZlvKx+gmYL/4+KYezfOTX\n 7XwBc/Gt9GhKTJzuJg8xpLzPwUPpMzA8EYEG0bHuxG3Kjso8nF4F+r1a+2zfUQj/PxMs\n D2ug==",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776257504; x=1776862304;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=yNVtghdFDqTr06npTeuHS9vtArWDTpcLIvYINogqhXM=;\n b=tUePzbYcAvpawo74zv/5X6MJtyOYbJL+3CPMVtf7S+QIcljzNAE+ThH8AXd2Fb0kVr\n gnXY7whvVLgwQo5rYfMQfnFn+T3jEeqHFxjJH4MM/Us+Z168J13gVk88ukLB2L/sMYuF\n 1PCe9geH7E9W9YPMw7wSm7eynSBBueWhEnCwfgEuFX+hTnOLWJU+t+JpwqNX7l2KtWLN\n rwIBNpI8uTGbVw9ROYDEDtvDvvYT2S8WEHkgZJ4Vf3XFlA35u3SDC1dL/zsSEIvCOA7w\n LHYrHzJsGuf/ls/YDnuhl4evNBVoqyqpjM3QUN7hxbQF1OdMUpHhKtuBXZXAHO3iMyWf\n 3zHA==",
        "X-Forwarded-Encrypted": "i=1;\n AFNElJ/TSJcAtontcwQW6mcaqxHasiKRIRDbWrDbF97u7eaQZMVkuFI6lyhq2sByVGc744ocHes=@openvswitch.org",
        "X-Gm-Message-State": "AOJu0YyHmnLOlCaReGrqc2KQYidMPA0liRH9jSOlupVXiure+/Bs8CNd\n WnD+/NXjR45dclT0FIt6BvLM1vIlAR/1s3q50+nu4QBXNw7ThbCHb6Dv",
        "X-Gm-Gg": "AeBDietjqkr2+NP+8hb4TbsrLmmbndR5dkTiu9KuavxhF7TFhv7A9W6TdXnmGijXIgq\n 8J7SxCeYqgaeZQhDhskjcYuBaucKE9o4HFJHiOMY1q4LuDkLYZeHdDTLCEoY54XxJuTYIq783ev\n Pd4XSz4MfVN6enXWYazU9ab5g7Aksn6VxYnAt4e3bu6USHWaC6IOX+msOrVpafUoLEZBxto/jIM\n u99+8OdhafQsMlxy4q+9yCQXDscTphwfEmZSoTNT1KjUcgXG94Fm0zDOF2aJoWF7O0LF4Rp0t6r\n uolCA9rDsgIF0IKDm99c/ASGHtzgRMeGK69rQuaD4JwWkJfTg5f+P8bq7dcsQRPP4/6EfAx91kx\n gFSRRxy8UNQSutvf5HZYCE4+3q7rXnAGDSq48w2Xzblb0x37AZsLaStRLnP7cp8Qrkin4pnbYuf\n KI5KzSc0kQp+Y+ue9wGm6NdS+luHunqMLNVxh+30w8Ib+83nD1arY1ZVvI4eFCWGMTpvnCQk7Pd\n EIv7L4LkA==",
        "X-Received": "by 2002:a05:7300:7249:b0:2d9:89c8:8893 with SMTP id\n 5a478bee46e88-2d989c8be4bmr6380645eec.3.1776257503732;\n Wed, 15 Apr 2026 05:51:43 -0700 (PDT)",
        "From": "Weiming Shi <bestswngs@gmail.com>",
        "To": "Aaron Conole <aconole@redhat.com>, Eelco Chaudron <echaudro@redhat.com>,\n Ilya Maximets <i.maximets@ovn.org>,\n \"David S . Miller\" <davem@davemloft.net>,\n Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,\n Paolo Abeni <pabeni@redhat.com>",
        "Cc": "Simon Horman <horms@kernel.org>, Pravin B Shelar <pshelar@nicira.com>,\n Alex Wang <alexw@nicira.com>, Thomas Graf <tgraf@redhat.com>,\n netdev@vger.kernel.org, dev@openvswitch.org, Xiang Mei <xmei5@asu.edu>,\n Weiming Shi <bestswngs@gmail.com>",
        "Date": "Wed, 15 Apr 2026 05:51:22 -0700",
        "Message-ID": "<20260415125121.110874-2-bestswngs@gmail.com>",
        "X-Mailer": "git-send-email 2.43.0",
        "MIME-Version": "1.0",
        "Subject": "[ovs-dev] [PATCH net v4] openvswitch: cap upcall PID array size and\n pre-size vport replies",
        "X-BeenThere": "ovs-dev@openvswitch.org",
        "X-Mailman-Version": "2.1.30",
        "Precedence": "list",
        "List-Id": "<ovs-dev.openvswitch.org>",
        "List-Unsubscribe": "<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>",
        "List-Archive": "<http://mail.openvswitch.org/pipermail/ovs-dev/>",
        "List-Post": "<mailto:ovs-dev@openvswitch.org>",
        "List-Help": "<mailto:ovs-dev-request@openvswitch.org?subject=help>",
        "List-Subscribe": "<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>",
        "Content-Type": "text/plain; charset=\"us-ascii\"",
        "Content-Transfer-Encoding": "7bit",
        "Errors-To": "ovs-dev-bounces@openvswitch.org",
        "Sender": "\"dev\" <ovs-dev-bounces@openvswitch.org>"
    },
    "content": "The vport netlink reply helpers allocate a fixed-size skb with\nnlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID\narray via ovs_vport_get_upcall_portids().  Since\novs_vport_set_upcall_portids() accepts any non-zero multiple of\nsizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID\narray large enough to overflow the reply buffer, causing nla_put() to\nfail with -EMSGSIZE and hitting BUG_ON(err < 0).  On systems with\nunprivileged user namespaces enabled (e.g., Ubuntu default), this is\nreachable via unshare -Urn since OVS vport mutation operations use\nGENL_UNS_ADMIN_PERM.\n\n kernel BUG at net/openvswitch/datapath.c:2414!\n Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1\n RIP: 0010:ovs_vport_cmd_set+0x34c/0x400\n Call Trace:\n  <TASK>\n  genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)\n  genl_rcv_msg (net/netlink/genetlink.c:1194)\n  netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n  genl_rcv (net/netlink/genetlink.c:1219)\n  netlink_unicast (net/netlink/af_netlink.c:1344)\n  netlink_sendmsg (net/netlink/af_netlink.c:1894)\n  __sys_sendto (net/socket.c:2206)\n  __x64_sys_sendto (net/socket.c:2209)\n  do_syscall_64 (arch/x86/entry/syscall_64.c:63)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n  </TASK>\n Kernel panic - not syncing: Fatal exception\n\nReject attempts to set more PIDs than nr_cpu_ids in\novs_vport_set_upcall_portids(), and pre-compute the worst-case reply\nsize in ovs_vport_cmd_msg_size() based on that bound, similar to the\nexisting ovs_dp_cmd_msg_size().  nr_cpu_ids matches the cap already\nused by the per-CPU dispatch configuration on the datapath side\n(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the\ntwo sides stay consistent.\n\nFixes: 5cd667b0a456 (\"openvswitch: Allow each vport to have an array of 'port_id's.\")\nReported-by: Xiang Mei <xmei5@asu.edu>\nSigned-off-by: Weiming Shi <bestswngs@gmail.com>\n---\nv4 (per Ilya):\n- Use nr_cpu_ids instead of num_possible_cpus() for consistency with\n  the per-CPU dispatch on the datapath side.\n- Annotate ovs_vport_cmd_msg_size() per-attribute; split nested sums.\nv3: Cap at num_possible_cpus(); add ovs_vport_cmd_msg_size(); keep\n    BUG_ON(); fix Fixes tag.\nv2: Dynamically size reply skb; drop WARN_ON_ONCE, return plain errors.\n---\n net/openvswitch/datapath.c | 33 +++++++++++++++++++++++++++++++--\n net/openvswitch/vport.c    |  3 +++\n 2 files changed, 34 insertions(+), 2 deletions(-)",
    "diff": "diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c\nindex e209099218b4..35e67e51b0d2 100644\n--- a/net/openvswitch/datapath.c\n+++ b/net/openvswitch/datapath.c\n@@ -2184,9 +2184,38 @@ static int ovs_vport_cmd_fill_info(struct vport *vport, struct sk_buff *skb,\n \treturn err;\n }\n \n+static size_t ovs_vport_cmd_msg_size(void)\n+{\n+\tsize_t msgsize = NLMSG_ALIGN(sizeof(struct ovs_header));\n+\n+\tmsgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_PORT_NO */\n+\tmsgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_TYPE */\n+\tmsgsize += nla_total_size(IFNAMSIZ);    /* OVS_VPORT_ATTR_NAME */\n+\tmsgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_IFINDEX */\n+\tmsgsize += nla_total_size(sizeof(s32)); /* OVS_VPORT_ATTR_NETNSID */\n+\t/* OVS_VPORT_ATTR_STATS */\n+\tmsgsize += nla_total_size_64bit(sizeof(struct ovs_vport_stats));\n+\t/* OVS_VPORT_ATTR_UPCALL_STATS(OVS_VPORT_UPCALL_ATTR_SUCCESS +\n+\t *                             OVS_VPORT_UPCALL_ATTR_FAIL)\n+\t */\n+\tmsgsize += nla_total_size(nla_total_size_64bit(sizeof(u64)) +\n+\t\t\t\t  nla_total_size_64bit(sizeof(u64)));\n+\t/* OVS_VPORT_ATTR_UPCALL_PID (capped at nr_cpu_ids by\n+\t * ovs_vport_set_upcall_portids())\n+\t */\n+\tmsgsize += nla_total_size(nr_cpu_ids * sizeof(u32));\n+\t/* OVS_VPORT_ATTR_OPTIONS(OVS_TUNNEL_ATTR_DST_PORT +\n+\t *                        OVS_TUNNEL_ATTR_EXTENSION(OVS_VXLAN_EXT_GBP))\n+\t */\n+\tmsgsize += nla_total_size(nla_total_size(sizeof(u16)) +\n+\t\t\t\t  nla_total_size(nla_total_size(0)));\n+\n+\treturn msgsize;\n+}\n+\n static struct sk_buff *ovs_vport_cmd_alloc_info(void)\n {\n-\treturn nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);\n+\treturn genlmsg_new(ovs_vport_cmd_msg_size(), GFP_KERNEL);\n }\n \n /* Called with ovs_mutex, only via ovs_dp_notify_wq(). */\n@@ -2196,7 +2225,7 @@ struct sk_buff *ovs_vport_cmd_build_info(struct vport *vport, struct net *net,\n \tstruct sk_buff *skb;\n \tint retval;\n \n-\tskb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);\n+\tskb = ovs_vport_cmd_alloc_info();\n \tif (!skb)\n \t\treturn ERR_PTR(-ENOMEM);\n \ndiff --git a/net/openvswitch/vport.c b/net/openvswitch/vport.c\nindex 23f629e94a36..56b2e2d1a749 100644\n--- a/net/openvswitch/vport.c\n+++ b/net/openvswitch/vport.c\n@@ -406,6 +406,9 @@ int ovs_vport_set_upcall_portids(struct vport *vport, const struct nlattr *ids)\n \tif (!nla_len(ids) || nla_len(ids) % sizeof(u32))\n \t\treturn -EINVAL;\n \n+\tif (nla_len(ids) / sizeof(u32) > nr_cpu_ids)\n+\t\treturn -EINVAL;\n+\n \told = ovsl_dereference(vport->upcall_portids);\n \n \tvport_portids = kmalloc(sizeof(*vport_portids) + nla_len(ids),\n",
    "prefixes": [
        "ovs-dev",
        "net",
        "v4"
    ]
}