{"id":2231591,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2231591/?format=json","web_url":"http://patchwork.ozlabs.org/project/openvswitch/patch/20260430213349.407991-1-i.maximets@ovn.org/","project":{"id":47,"url":"http://patchwork.ozlabs.org/api/1.1/projects/47/?format=json","name":"Open vSwitch","link_name":"openvswitch","list_id":"ovs-dev.openvswitch.org","list_email":"ovs-dev@openvswitch.org","web_url":"http://openvswitch.org/","scm_url":"git@github.com:openvswitch/ovs.git","webscm_url":"https://github.com/openvswitch/ovs"},"msgid":"<20260430213349.407991-1-i.maximets@ovn.org>","date":"2026-04-30T21:32:50","name":"[ovs-dev,net] openvswitch: vport: fix race between tunnel creation and linking","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"be60357383d8fb41b6a7bd476051d4026d1db2dd","submitter":{"id":76798,"url":"http://patchwork.ozlabs.org/api/1.1/people/76798/?format=json","name":"Ilya Maximets","email":"i.maximets@ovn.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/openvswitch/patch/20260430213349.407991-1-i.maximets@ovn.org/mbox/","series":[{"id":502393,"url":"http://patchwork.ozlabs.org/api/1.1/series/502393/?format=json","web_url":"http://patchwork.ozlabs.org/project/openvswitch/list/?series=502393","date":"2026-04-30T21:32:50","name":"[ovs-dev,net] openvswitch: vport: fix race between tunnel creation and linking","version":1,"mbox":"http://patchwork.ozlabs.org/series/502393/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231591/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231591/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":["incoming@patchwork.ozlabs.org","dev@openvswitch.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","ovs-dev@lists.linuxfoundation.org"],"Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)","smtp4.osuosl.org;\n dmarc=none (p=none dis=none) header.from=ovn.org"],"Received":["from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g66r523Svz1yHZ\n\tfor ; Fri, 01 May 2026 07:34:11 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp2.osuosl.org (Postfix) with ESMTP id 8B7F240E75;\n\tThu, 30 Apr 2026 21:34:09 +0000 (UTC)","from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id L4Wjp-jt7Zc0; Thu, 30 Apr 2026 21:34:08 +0000 (UTC)","from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])\n\tby smtp2.osuosl.org (Postfix) with ESMTPS id 448C24059F;\n\tThu, 30 Apr 2026 21:34:08 +0000 (UTC)","from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id 28085C04E8;\n\tThu, 30 Apr 2026 21:34:08 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 4FBB3C04E7\n for ; Thu, 30 Apr 2026 21:34:06 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id 2FF1641DB5\n for ; Thu, 30 Apr 2026 21:34:06 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id rvnktHfij71I for ;\n Thu, 30 Apr 2026 21:34:05 +0000 (UTC)","from mail-wr1-f67.google.com (mail-wr1-f67.google.com\n [209.85.221.67])\n by smtp4.osuosl.org (Postfix) with ESMTPS id E90C541DB3\n for ; Thu, 30 Apr 2026 21:34:04 +0000 (UTC)","by mail-wr1-f67.google.com with SMTP id\n ffacd0b85a97d-43d7e23defbso833227f8f.0\n for ; Thu, 30 Apr 2026 14:34:04 -0700 (PDT)","from im-t490s.redhat.com (89-24-32-159.nat.epc.tmcz.cz.\n [89.24.32.159]) by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-44a986aa3a5sm360701f8f.26.2026.04.30.14.34.01\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 30 Apr 2026 14:34:02 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.9.56;\n helo=lists.linuxfoundation.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp2.osuosl.org 448C24059F","OpenDKIM Filter v2.11.0 smtp4.osuosl.org E90C541DB3"],"Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=209.85.221.67;\n helo=mail-wr1-f67.google.com; envelope-from=i.maximets.ovn@gmail.com;\n receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org E90C541DB3","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777584843; x=1778189643;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=sfmPhFElhLAwy6YMf8rD+Yyjnbfd1EzluOPK8WXa+TM=;\n b=M4O9uoDT1e003Ts8SGRJ6uclnSW4RS/NnJLZRK9UNml7uRZoZugaxD1e+ZYMxCihlz\n LADsnSLuyYemo5xaNL+17Z9V2ctB5qO2rsX5Z6FaqpI525k64KKDYPh5YgpkGDsQGA2X\n DpHx0ubdZNyc3AtENuXjseKHdSc0mJSyeBfZtZsfCWwx78kXn2eORcQgpIOKZJ5uacs/\n oO8brL2mKCDma1VZ/wmHobgWTZyRdRcPgRsELF6e7w1yEpXk6L5szSIU+AJqBCnVjUzx\n sk2BSwnZDVp05Go/bn+faGpwt6i6/pAiMMU9N1Fq//zgDoXp2hVpMBGdZPXtte0Iq3TB\n NMiA==","X-Forwarded-Encrypted":"i=1;\n AFNElJ9Lze4LrtTilSPZmXAXv5c/3f6RGiB87r4XPrferwFbOOay2/rddoq8mhSr4rzgFvn5dIU=@openvswitch.org","X-Gm-Message-State":"AOJu0YwBefvMvf4v/4SpWfLP2PguD5m4Y5uytuqcXiE55475SWYCaogc\n QbXnqbbkLkjgp/WVxdrOBrGjllcfWGgDXOz32s4YcP3twzNaeWBF4nD4","X-Gm-Gg":"AeBDievpnJeM8yrCb/cD3uyz629xvOS09HHSSoYKTfzRTiI5/DQd6v/99Xm1lQeFDcS\n xr/PxKsb/BYYdN+he+HAWd1Ssrbe2+azlfya29iJOm7TiH4MMSKMOai0YfjYKX44liYzi+o4aa2\n u0/ZjVj3g7VJDlqP9sEz7I+xGN/2VM3kZIP5jEfivOUgd4z16Rf7zpsJzPRDylPYz1LBWvt1y70\n SPXiWfLN7Q+RjzneSJoSE0g23ohXKEPb/4vZJiRkuPimeozTbWD8uv0TkUOqxud1t6klNSn9yTk\n zLwNPdoRv8yj7oSHnkB4cqD5iuSUNZwE6ziaB/6hxKaGCm4HWYJauaMJh6fVHdB1MBBj+Df8HGK\n pzqfSl4oQysxUfMkzjj4xjjgJMi5Lq+n+v7ijph1bAJP7+25YKjnIaAZVo3Art5cNM/6pC19GC6\n wOSbQjpcC/+LXVaaZjiT/9FWQG+JYTBjPbtXtaTK5UJ2eKu5+qszQHdAOIcrp9+tAVwqwyanLKh\n lpxY8D4","X-Received":"by 2002:a5d:5f82:0:b0:43d:c95b:c46f with SMTP id\n ffacd0b85a97d-44a88cdf06fmr572444f8f.38.1777584842576;\n Thu, 30 Apr 2026 14:34:02 -0700 (PDT)","From":"Ilya Maximets ","To":"netdev@vger.kernel.org","Date":"Thu, 30 Apr 2026 23:32:50 +0200","Message-ID":"<20260430213349.407991-1-i.maximets@ovn.org>","X-Mailer":"git-send-email 2.53.0","MIME-Version":"1.0","Subject":"[ovs-dev] [PATCH net] openvswitch: vport: fix race between tunnel\n creation and linking","X-BeenThere":"ovs-dev@openvswitch.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Cc":"dev@openvswitch.org, Yifan Wu ,\n Xin Liu , linux-kernel@vger.kernel.org,\n Ilya Maximets , Juefei Pu ,\n Yang Yang , Eric Dumazet ,\n Simon Horman , Jakub Kicinski ,\n Paolo Abeni , Yuan Tan ,\n \"David S. Miller\" ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"ovs-dev-bounces@openvswitch.org","Sender":"\"dev\" "},"content":"When a tunnel vport is created it first creates the tunnel device, e.g.,\nwith geneve_dev_create_fb(), then it calls ovs_netdev_link() to take a\nreference and link it to the device that represents openvswitch datapath.\n\nThe creation of the device is happening under RTNL, but then RTNL is\nreleased and re-acquired to find the device by name. It is technically\npossible for the tunnel device to be re-named or deleted within that\nwindow while RTNL is not held, and some other device created in its\nplace. This will cause a non-tunnel device to be referenced in the\nvport and tunnel-specific functions used on it, e.g. vxlan_get_options()\nthat directly casts the private netdev data into a struct vxlan_dev\ncausing an invalid memory access:\n\n BUG: KASAN: slab-use-after-free in vxlan_get_options+0x323/0x3a0\n vxlan_get_options+0x323/0x3a0\n ovs_vport_cmd_new+0x6e3/0xd30\n\nFix that by taking a reference to the just created device before\nreleasing RTNL. This ensures that the device in the vport is always\nthe one that was just created. The search by name is only needed\nfor a standard vport-netdev that links pre-existing devices, so that\nfunctionality and device type checks are moved to netdev_create().\n\nIt is also awkward that ovs_netdev_link() takes ownership of the vport\nand destroys it on failure. It doesn't know the type of the port it is\ndealing with, so we need to pass down the indicator that it's a tunnel,\nso the link can be properly deleted on failure.\n\nIt's possible to refactor the logic to make the ovs_netdev_link() do\nonly the linking part and let the callers perform a proper destruction,\nbut it will be much more code for each legacy tunnel port type, so it\nis not worth it for the bug fix.\n\nFixes: 614732eaa12d (\"openvswitch: Use regular VXLAN net_device device\")\nReported-by: Yuan Tan \nReported-by: Yifan Wu \nReported-by: Juefei Pu \nReported-by: Xin Liu \nReported-by: Yang Yang \nSigned-off-by: Ilya Maximets \n---\n net/openvswitch/vport-geneve.c | 5 ++-\n net/openvswitch/vport-gre.c | 5 ++-\n net/openvswitch/vport-netdev.c | 58 ++++++++++++++++++++--------------\n net/openvswitch/vport-netdev.h | 2 +-\n net/openvswitch/vport-vxlan.c | 5 ++-\n 5 files changed, 48 insertions(+), 27 deletions(-)","diff":"diff --git a/net/openvswitch/vport-geneve.c b/net/openvswitch/vport-geneve.c\nindex b10e1602c6b14..cb5ea4424ffc8 100644\n--- a/net/openvswitch/vport-geneve.c\n+++ b/net/openvswitch/vport-geneve.c\n@@ -97,6 +97,9 @@ static struct vport *geneve_tnl_create(const struct vport_parms *parms)\n \t\tgoto error;\n \t}\n \n+\tvport->dev = dev;\n+\tnetdev_hold(vport->dev, &vport->dev_tracker, GFP_KERNEL);\n+\n \trtnl_unlock();\n \treturn vport;\n error:\n@@ -111,7 +114,7 @@ static struct vport *geneve_create(const struct vport_parms *parms)\n \tif (IS_ERR(vport))\n \t\treturn vport;\n \n-\treturn ovs_netdev_link(vport, parms->name);\n+\treturn ovs_netdev_link(vport, true);\n }\n \n static struct vport_ops ovs_geneve_vport_ops = {\ndiff --git a/net/openvswitch/vport-gre.c b/net/openvswitch/vport-gre.c\nindex 4014c9b5eb798..6cb5a697b396a 100644\n--- a/net/openvswitch/vport-gre.c\n+++ b/net/openvswitch/vport-gre.c\n@@ -63,6 +63,9 @@ static struct vport *gre_tnl_create(const struct vport_parms *parms)\n \t\treturn ERR_PTR(err);\n \t}\n \n+\tvport->dev = dev;\n+\tnetdev_hold(vport->dev, &vport->dev_tracker, GFP_KERNEL);\n+\n \trtnl_unlock();\n \treturn vport;\n }\n@@ -75,7 +78,7 @@ static struct vport *gre_create(const struct vport_parms *parms)\n \tif (IS_ERR(vport))\n \t\treturn vport;\n \n-\treturn ovs_netdev_link(vport, parms->name);\n+\treturn ovs_netdev_link(vport, true);\n }\n \n static struct vport_ops ovs_gre_vport_ops = {\ndiff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c\nindex 12055af832dc0..a92ca8b37f96a 100644\n--- a/net/openvswitch/vport-netdev.c\n+++ b/net/openvswitch/vport-netdev.c\n@@ -73,37 +73,21 @@ static struct net_device *get_dpdev(const struct datapath *dp)\n \treturn local->dev;\n }\n \n-struct vport *ovs_netdev_link(struct vport *vport, const char *name)\n+struct vport *ovs_netdev_link(struct vport *vport, bool tunnel)\n {\n \tint err;\n \n-\tvport->dev = dev_get_by_name(ovs_dp_get_net(vport->dp), name);\n-\tif (!vport->dev) {\n+\tif (WARN_ON_ONCE(!vport->dev)) {\n \t\terr = -ENODEV;\n \t\tgoto error_free_vport;\n \t}\n-\t/* Ensure that the device exists and that the provided\n-\t * name is not one of its aliases.\n-\t */\n-\tif (strcmp(name, ovs_vport_name(vport))) {\n-\t\terr = -ENODEV;\n-\t\tgoto error_put;\n-\t}\n-\tnetdev_tracker_alloc(vport->dev, &vport->dev_tracker, GFP_KERNEL);\n-\tif (vport->dev->flags & IFF_LOOPBACK ||\n-\t (vport->dev->type != ARPHRD_ETHER &&\n-\t vport->dev->type != ARPHRD_NONE) ||\n-\t ovs_is_internal_dev(vport->dev)) {\n-\t\terr = -EINVAL;\n-\t\tgoto error_put;\n-\t}\n \n \trtnl_lock();\n \terr = netdev_master_upper_dev_link(vport->dev,\n \t\t\t\t\t get_dpdev(vport->dp),\n \t\t\t\t\t NULL, NULL, NULL);\n \tif (err)\n-\t\tgoto error_unlock;\n+\t\tgoto error_put_unlock;\n \n \terr = netdev_rx_handler_register(vport->dev, netdev_frame_hook,\n \t\t\t\t\t vport);\n@@ -119,10 +103,11 @@ struct vport *ovs_netdev_link(struct vport *vport, const char *name)\n \n error_master_upper_dev_unlink:\n \tnetdev_upper_dev_unlink(vport->dev, get_dpdev(vport->dp));\n-error_unlock:\n-\trtnl_unlock();\n-error_put:\n+error_put_unlock:\n+\tif (tunnel && vport->dev->reg_state == NETREG_REGISTERED)\n+\t\trtnl_delete_link(vport->dev, 0, NULL);\n \tnetdev_put(vport->dev, &vport->dev_tracker);\n+\trtnl_unlock();\n error_free_vport:\n \tovs_vport_free(vport);\n \treturn ERR_PTR(err);\n@@ -132,12 +117,39 @@ EXPORT_SYMBOL_GPL(ovs_netdev_link);\n static struct vport *netdev_create(const struct vport_parms *parms)\n {\n \tstruct vport *vport;\n+\tint err;\n \n \tvport = ovs_vport_alloc(0, &ovs_netdev_vport_ops, parms);\n \tif (IS_ERR(vport))\n \t\treturn vport;\n \n-\treturn ovs_netdev_link(vport, parms->name);\n+\tvport->dev = dev_get_by_name(ovs_dp_get_net(vport->dp), parms->name);\n+\tif (!vport->dev) {\n+\t\terr = -ENODEV;\n+\t\tgoto error_free_vport;\n+\t}\n+\tnetdev_tracker_alloc(vport->dev, &vport->dev_tracker, GFP_KERNEL);\n+\n+\t/* Ensure that the provided name is not an alias. */\n+\tif (strcmp(parms->name, ovs_vport_name(vport))) {\n+\t\terr = -ENODEV;\n+\t\tgoto error_put;\n+\t}\n+\n+\tif (vport->dev->flags & IFF_LOOPBACK ||\n+\t (vport->dev->type != ARPHRD_ETHER &&\n+\t vport->dev->type != ARPHRD_NONE) ||\n+\t ovs_is_internal_dev(vport->dev)) {\n+\t\terr = -EINVAL;\n+\t\tgoto error_put;\n+\t}\n+\n+\treturn ovs_netdev_link(vport, false);\n+error_put:\n+\tnetdev_put(vport->dev, &vport->dev_tracker);\n+error_free_vport:\n+\tovs_vport_free(vport);\n+\treturn ERR_PTR(err);\n }\n \n static void vport_netdev_free(struct rcu_head *rcu)\ndiff --git a/net/openvswitch/vport-netdev.h b/net/openvswitch/vport-netdev.h\nindex c5d83a43bfc49..6c0d7366f9862 100644\n--- a/net/openvswitch/vport-netdev.h\n+++ b/net/openvswitch/vport-netdev.h\n@@ -13,7 +13,7 @@\n \n struct vport *ovs_netdev_get_vport(struct net_device *dev);\n \n-struct vport *ovs_netdev_link(struct vport *vport, const char *name);\n+struct vport *ovs_netdev_link(struct vport *vport, bool tunnel);\n void ovs_netdev_detach_dev(struct vport *);\n \n int __init ovs_netdev_init(void);\ndiff --git a/net/openvswitch/vport-vxlan.c b/net/openvswitch/vport-vxlan.c\nindex 0b881b043bcf4..c1b37b50d29e1 100644\n--- a/net/openvswitch/vport-vxlan.c\n+++ b/net/openvswitch/vport-vxlan.c\n@@ -126,6 +126,9 @@ static struct vport *vxlan_tnl_create(const struct vport_parms *parms)\n \t\tgoto error;\n \t}\n \n+\tvport->dev = dev;\n+\tnetdev_hold(vport->dev, &vport->dev_tracker, GFP_KERNEL);\n+\n \trtnl_unlock();\n \treturn vport;\n error:\n@@ -140,7 +143,7 @@ static struct vport *vxlan_create(const struct vport_parms *parms)\n \tif (IS_ERR(vport))\n \t\treturn vport;\n \n-\treturn ovs_netdev_link(vport, parms->name);\n+\treturn ovs_netdev_link(vport, true);\n }\n \n static struct vport_ops ovs_vxlan_netdev_vport_ops = {\n","prefixes":["ovs-dev","net"]}