From: sunichi
To: aconole@redhat.com, echaudro@redhat.com, i.maximets@ovn.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, netdev@vger.kernel.org, dev@openvswitch.org, linux-kernel@vger.kernel.org, sunichi
Subject: [PATCH] net/openvswitch: fix trigger-able BUG_ON after ovs_vport_cmd_fill_info
Date: Mon, 23 Mar 2026 15:14:35 +0800
Message-Id: <20260323071435.1945543-1-sunyiqixm@gmail.com>

ovs_vport_set_upcall_portids() does not validate the length of the
user-supplied OVS_VPORT_ATTR_UPCALL_PID netlink attribute. A
sufficiently large portid list can overflow the reply skb allocated
with NLMSG_DEFAULT_SIZE in causing ovs_vport_cmd_fill_info() to return
-EMSGSIZE and triggering the unconditional BUG_ON(), which panics the
kernel on most distributions.

Any local user with CAP_NET_ADMIN (or an equivalent unprivileged
namespace capability where applicable) can exploit this to perform a
denial-of-service against the host.

Replace BUG_ON with WARN_ON_ONCE to prevent kernel panic.

Signed-off-by: sunichi
--- net/openvswitch/datapath.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c index e209099218b4..50c2945081a1 100644 --- a/net/openvswitch/datapath.c +++ b/net/openvswitch/datapath.c 
@@ -2202,7 +2202,8 @@ struct sk_buff *ovs_vport_cmd_build_info(struct vport= *vport, struct net *net, =20 retval =3D ovs_vport_cmd_fill_info(vport, skb, net, portid, seq, 0, cmd, GFP_KERNEL); - BUG_ON(retval < 0); + if (WARN_ON_ONCE(retval < 0)) + return ERR_PTR(-EMSGSIZE); =20 return skb; } @@ -2358,7 +2359,9 @@ static int ovs_vport_cmd_new(struct sk_buff *skb, str= uct genl_info *info) else netdev_set_rx_headroom(vport->dev, dp->max_headroom); =20 - BUG_ON(err < 0); + if (WARN_ON_ONCE(err < 0)) + goto exit_unlock_free; + ovs_unlock(); =20 ovs_notify(&dp_vport_genl_family, reply, info); @@ -2411,7 +2414,8 @@ static int ovs_vport_cmd_set(struct sk_buff *skb, str= uct genl_info *info) err =3D ovs_vport_cmd_fill_info(vport, reply, genl_info_net(info), info->snd_portid, info->snd_seq, 0, OVS_VPORT_CMD_SET, GFP_KERNEL); - BUG_ON(err < 0); + if (WARN_ON_ONCE(err < 0)) + goto exit_unlock_free; =20 ovs_unlock(); ovs_notify(&dp_vport_genl_family, reply, info); @@ -2451,7 +2455,8 @@ static int ovs_vport_cmd_del(struct sk_buff *skb, str= uct genl_info *info) err =3D ovs_vport_cmd_fill_info(vport, reply, genl_info_net(info), info->snd_portid, info->snd_seq, 0, OVS_VPORT_CMD_DEL, GFP_KERNEL); - BUG_ON(err < 0); + if (WARN_ON_ONCE(err < 0)) + goto exit_unlock_free; =20 /* the vport deletion may trigger dp headroom update */ dp =3D vport->dp; @@ -2498,7 +2503,9 @@ static int ovs_vport_cmd_get(struct sk_buff *skb, str= uct genl_info *info) err =3D ovs_vport_cmd_fill_info(vport, reply, genl_info_net(info), info->snd_portid, info->snd_seq, 0, OVS_VPORT_CMD_GET, GFP_ATOMIC); - BUG_ON(err < 0); + if (WARN_ON_ONCE(err < 0)) + goto exit_unlock_free; + rcu_read_unlock(); =20 return genlmsg_reply(reply, info); --=20 2.34.1
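
Review bot: In the ovs_vport_cmd_build_info() hunk, the new error path returns ERR_PTR(-EMSGSIZE) without releasing skb, so every failed fill leaks the reply buffer that the function otherwise hands back through `return skb;`. Call kfree_skb(skb) before returning, and return ERR_PTR(retval) instead of a hard-coded -EMSGSIZE so the caller sees whatever ovs_vport_cmd_fill_info() actually reported. The callers of this function should also be checked for IS_ERR() handling of the new return value.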
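
Review bot: In the ovs_vport_cmd_new() hunk, the check sits after the vport already exists (the unchanged lines just above it use vport->dev and dp->max_headroom), and `goto exit_unlock_free`, which by its name only unlocks and frees the reply, reports an error without undoing that creation. Userspace would be told the request failed while the port stays in the datapath. Either tear the new vport down on this path or make sure the reply cannot overflow before the vport is created.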
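
Review bot: In the ovs_vport_cmd_set() hunk, WARN_ON_ONCE(err < 0) is still reachable through the user-supplied OVS_VPORT_ATTR_UPCALL_PID list that the commit message describes, so a host running with panic_on_warn set still goes down, and after the first hit the condition is no longer logged at all. A condition that userspace can trigger should be a plain `if (err < 0) goto exit_unlock_free;` with no warning. The patch also leaves the stated root cause in place: the diffstat touches only datapath.c, so the attribute length is still not validated and the reply is still allocated with NLMSG_DEFAULT_SIZE regardless of how long the portid list is. Bounding the list, or sizing the reply from it, would remove the failure instead of only softening it.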
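
Review bot: In the ovs_vport_cmd_del() hunk, the bail-out happens before the deletion itself (the unchanged comment "the vport deletion may trigger dp headroom update" follows the check), so a vport whose info no longer fits in the reply cannot be removed through OVS_VPORT_CMD_DEL: every attempt ends at exit_unlock_free with an error. Consider completing the deletion and skipping only the notification when the fill fails, or sizing the reply so the fill cannot fail on this path.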