{"id":2223731,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2223731/?format=json","web_url":"http://patchwork.ozlabs.org/project/openvswitch/patch/20260416024653.153456-2-bestswngs@gmail.com/","project":{"id":47,"url":"http://patchwork.ozlabs.org/api/1.1/projects/47/?format=json","name":"Open vSwitch","link_name":"openvswitch","list_id":"ovs-dev.openvswitch.org","list_email":"ovs-dev@openvswitch.org","web_url":"http://openvswitch.org/","scm_url":"git@github.com:openvswitch/ovs.git","webscm_url":"https://github.com/openvswitch/ovs"},"msgid":"<20260416024653.153456-2-bestswngs@gmail.com>","date":"2026-04-16T02:46:54","name":"[ovs-dev,net,v5] openvswitch: cap upcall PID array size and pre-size vport replies","commit_ref":null,"pull_url":null,"state":"handled-elsewhere","archived":false,"hash":"0cbc0bceb32ff1af384ace6172a12ea4bcc41d09","submitter":{"id":92941,"url":"http://patchwork.ozlabs.org/api/1.1/people/92941/?format=json","name":"Weiming Shi","email":"bestswngs@gmail.com"},"delegate":{"id":57772,"url":"http://patchwork.ozlabs.org/api/1.1/users/57772/?format=json","username":"imaximets","first_name":"Ilya","last_name":"Maximets","email":"i.maximets@samsung.com"},"mbox":"http://patchwork.ozlabs.org/project/openvswitch/patch/20260416024653.153456-2-bestswngs@gmail.com/mbox/","series":[{"id":500071,"url":"http://patchwork.ozlabs.org/api/1.1/series/500071/?format=json","web_url":"http://patchwork.ozlabs.org/project/openvswitch/list/?series=500071","date":"2026-04-16T02:46:54","name":"[ovs-dev,net,v5] openvswitch: cap upcall PID array size and pre-size vport 
replies","version":5,"mbox":"http://patchwork.ozlabs.org/series/500071/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2223731/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2223731/checks/","tags":{},"headers":{"From":"Weiming Shi <bestswngs@gmail.com>","To":"Aaron Conole <aconole@redhat.com>, Eelco Chaudron <echaudro@redhat.com>,\n Ilya Maximets <i.maximets@ovn.org>,\n \"David S . Miller\" <davem@davemloft.net>,\n Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,\n Paolo Abeni <pabeni@redhat.com>","Cc":"Simon Horman <horms@kernel.org>, Pravin B Shelar <pshelar@nicira.com>,\n Thomas Graf <tgraf@redhat.com>, Alex Wang <alexw@nicira.com>,\n netdev@vger.kernel.org, dev@openvswitch.org, Xiang Mei <xmei5@asu.edu>,\n Weiming Shi <bestswngs@gmail.com>","Date":"Wed, 15 Apr 2026 19:46:54 -0700","Message-ID":"<20260416024653.153456-2-bestswngs@gmail.com>","Subject":"[ovs-dev] [PATCH net v5] openvswitch: cap upcall PID array size and\n pre-size vport replies","List-Id":"<ovs-dev.openvswitch.org>","List-Archive":"<http://mail.openvswitch.org/pipermail/ovs-dev/>"},"content":"The vport netlink reply helpers allocate a fixed-size skb with\nnlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID\narray via ovs_vport_get_upcall_portids().  Since\novs_vport_set_upcall_portids() accepts any non-zero multiple of\nsizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID\narray large enough to overflow the reply buffer, causing nla_put() to\nfail with -EMSGSIZE and hitting BUG_ON(err < 0).  
On systems with\nunprivileged user namespaces enabled (e.g., Ubuntu default), this is\nreachable via unshare -Urn since OVS vport mutation operations use\nGENL_UNS_ADMIN_PERM.\n\n kernel BUG at net/openvswitch/datapath.c:2414!\n Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\n CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1\n RIP: 0010:ovs_vport_cmd_set+0x34c/0x400\n Call Trace:\n  <TASK>\n  genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116)\n  genl_rcv_msg (net/netlink/genetlink.c:1194)\n  netlink_rcv_skb (net/netlink/af_netlink.c:2550)\n  genl_rcv (net/netlink/genetlink.c:1219)\n  netlink_unicast (net/netlink/af_netlink.c:1344)\n  netlink_sendmsg (net/netlink/af_netlink.c:1894)\n  __sys_sendto (net/socket.c:2206)\n  __x64_sys_sendto (net/socket.c:2209)\n  do_syscall_64 (arch/x86/entry/syscall_64.c:63)\n  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n  </TASK>\n Kernel panic - not syncing: Fatal exception\n\nReject attempts to set more PIDs than nr_cpu_ids in\novs_vport_set_upcall_portids(), and pre-compute the worst-case reply\nsize in ovs_vport_cmd_msg_size() based on that bound, similar to the\nexisting ovs_dp_cmd_msg_size().  
nr_cpu_ids matches the cap already\nused by the per-CPU dispatch configuration on the datapath side\n(ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the\ntwo sides stay consistent.\n\nFixes: 5cd667b0a456 (\"openvswitch: Allow each vport to have an array of 'port_id's.\")\nReported-by: Xiang Mei <xmei5@asu.edu>\nAssisted-by: Claude:claude-opus-4-6\nSigned-off-by: Weiming Shi <bestswngs@gmail.com>\n---\nv5 (per Ilya):\n- Add blank lines before multi-line comment blocks in\n  ovs_vport_cmd_msg_size() for readability.\n- Drop parenthetical from the OVS_VPORT_ATTR_UPCALL_PID comment.\n- Add lore links for previous versions.\nv4: https://lore.kernel.org/netdev/20260415125121.110874-2-bestswngs@gmail.com\n- Use nr_cpu_ids instead of num_possible_cpus() for consistency with\n  the per-CPU dispatch on the datapath side.\n- Annotate ovs_vport_cmd_msg_size() per-attribute; split nested sums.\nv3: https://lore.kernel.org/netdev/20260413035514.2113886-3-bestswngs@gmail.com\n- Cap at num_possible_cpus(); add ovs_vport_cmd_msg_size(); keep\n  BUG_ON(); fix Fixes tag.\nv2: https://lore.kernel.org/netdev/20260411141448.1479933-3-bestswngs@gmail.com\n- Dynamically size reply skb; drop WARN_ON_ONCE, return plain errors.\nv1: https://lore.kernel.org/netdev/20260411055915.1224902-2-bestswngs@gmail.com\n---\n net/openvswitch/datapath.c | 35 +++++++++++++++++++++++++++++++++--\n net/openvswitch/vport.c    |  3 +++\n 2 files changed, 36 insertions(+), 2 deletions(-)","diff":"diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c\nindex e209099218b4..bbbde50fc649 100644\n--- a/net/openvswitch/datapath.c\n+++ b/net/openvswitch/datapath.c\n@@ -2184,9 +2184,40 @@ static int ovs_vport_cmd_fill_info(struct vport *vport, struct sk_buff *skb,\n \treturn err;\n }\n \n+static size_t ovs_vport_cmd_msg_size(void)\n+{\n+\tsize_t msgsize = NLMSG_ALIGN(sizeof(struct ovs_header));\n+\n+\tmsgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_PORT_NO */\n+\tmsgsize += 
nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_TYPE */\n+\tmsgsize += nla_total_size(IFNAMSIZ);    /* OVS_VPORT_ATTR_NAME */\n+\tmsgsize += nla_total_size(sizeof(u32)); /* OVS_VPORT_ATTR_IFINDEX */\n+\tmsgsize += nla_total_size(sizeof(s32)); /* OVS_VPORT_ATTR_NETNSID */\n+\n+\t/* OVS_VPORT_ATTR_STATS */\n+\tmsgsize += nla_total_size_64bit(sizeof(struct ovs_vport_stats));\n+\n+\t/* OVS_VPORT_ATTR_UPCALL_STATS(OVS_VPORT_UPCALL_ATTR_SUCCESS +\n+\t *                             OVS_VPORT_UPCALL_ATTR_FAIL)\n+\t */\n+\tmsgsize += nla_total_size(nla_total_size_64bit(sizeof(u64)) +\n+\t\t\t\t  nla_total_size_64bit(sizeof(u64)));\n+\n+\t/* OVS_VPORT_ATTR_UPCALL_PID */\n+\tmsgsize += nla_total_size(nr_cpu_ids * sizeof(u32));\n+\n+\t/* OVS_VPORT_ATTR_OPTIONS(OVS_TUNNEL_ATTR_DST_PORT +\n+\t *                        OVS_TUNNEL_ATTR_EXTENSION(OVS_VXLAN_EXT_GBP))\n+\t */\n+\tmsgsize += nla_total_size(nla_total_size(sizeof(u16)) +\n+\t\t\t\t  nla_total_size(nla_total_size(0)));\n+\n+\treturn msgsize;\n+}\n+\n static struct sk_buff *ovs_vport_cmd_alloc_info(void)\n {\n-\treturn nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);\n+\treturn genlmsg_new(ovs_vport_cmd_msg_size(), GFP_KERNEL);\n }\n \n /* Called with ovs_mutex, only via ovs_dp_notify_wq(). 
*/\n@@ -2196,7 +2227,7 @@ struct sk_buff *ovs_vport_cmd_build_info(struct vport *vport, struct net *net,\n \tstruct sk_buff *skb;\n \tint retval;\n \n-\tskb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);\n+\tskb = ovs_vport_cmd_alloc_info();\n \tif (!skb)\n \t\treturn ERR_PTR(-ENOMEM);\n \ndiff --git a/net/openvswitch/vport.c b/net/openvswitch/vport.c\nindex 23f629e94a36..56b2e2d1a749 100644\n--- a/net/openvswitch/vport.c\n+++ b/net/openvswitch/vport.c\n@@ -406,6 +406,9 @@ int ovs_vport_set_upcall_portids(struct vport *vport, const struct nlattr *ids)\n \tif (!nla_len(ids) || nla_len(ids) % sizeof(u32))\n \t\treturn -EINVAL;\n \n+\tif (nla_len(ids) / sizeof(u32) > nr_cpu_ids)\n+\t\treturn -EINVAL;\n+\n \told = ovsl_dereference(vport->upcall_portids);\n \n \tvport_portids = kmalloc(sizeof(*vport_portids) + nla_len(ids),\n","prefixes":["ovs-dev","net","v5"]}
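Review bot: In ovs_vport_cmd_msg_size() (first hunk of net/openvswitch/datapath.c), the OVS_VPORT_ATTR_OPTIONS term is sized for exactly one layout, OVS_TUNNEL_ATTR_DST_PORT plus an empty OVS_VXLAN_EXT_GBP extension, so the computed bound is only a worst case while no vport type emits larger options. Because the commit message says BUG_ON(err < 0) is kept, an undersized estimate here would reintroduce the same crash; the comment above that term should state that it must be updated whenever a vport type adds an option attribute.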
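Review bot: The new check in ovs_vport_set_upcall_portids() (net/openvswitch/vport.c hunk) returns the same bare -EINVAL as the malformed-length check directly above it, so a caller that passes more than nr_cpu_ids PIDs cannot tell a size-limit rejection from a bad attribute length. Consider a distinct errno such as -E2BIG, and document the nr_cpu_ids limit where OVS_VPORT_ATTR_UPCALL_PID is described, since requests that were accepted before this change are now refused.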