Patch "openvswitch: use RCU protection in ovs_vport_cmd_fill_info()" has been added to the 5.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Tue, 18 Feb 2025 07:48:23 -0500

This is a note to let you know that I've just added the patch titled

    openvswitch: use RCU protection in ovs_vport_cmd_fill_info()

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     openvswitch-use-rcu-protection-in-ovs_vport_cmd_fill.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 79c150fd1fa76b369bdb6e88ebcf0ba41ecb24b7
Author: Eric Dumazet <edumazet@xxxxxxxxxx>
Date:   Fri Feb 7 13:58:37 2025 +0000

    openvswitch: use RCU protection in ovs_vport_cmd_fill_info()
    
    [ Upstream commit 90b2f49a502fa71090d9f4fe29a2f51fe5dff76d ]
    
    ovs_vport_cmd_fill_info() can be called without RTNL or RCU.
    
    Use RCU protection and dev_net_rcu() to avoid potential UAF.
    
    Fixes: 9354d4520342 ("openvswitch: reliable interface indentification in port dumps")
    Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Reviewed-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
    Link: https://patch.msgid.link/20250207135841.1948589-6-edumazet@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 4c537e74b18c7..20a57a3dc2813 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -1912,6 +1912,7 @@ static int ovs_vport_cmd_fill_info(struct vport *vport, struct sk_buff *skb,
 {
 	struct ovs_header *ovs_header;
 	struct ovs_vport_stats vport_stats;
+	struct net *net_vport;
 	int err;
 
 	ovs_header = genlmsg_put(skb, portid, seq, &dp_vport_genl_family,
@@ -1928,12 +1929,15 @@ static int ovs_vport_cmd_fill_info(struct vport *vport, struct sk_buff *skb,
 	    nla_put_u32(skb, OVS_VPORT_ATTR_IFINDEX, vport->dev->ifindex))
 		goto nla_put_failure;
 
-	if (!net_eq(net, dev_net(vport->dev))) {
-		int id = peernet2id_alloc(net, dev_net(vport->dev), gfp);
+	rcu_read_lock();
+	net_vport = dev_net_rcu(vport->dev);
+	if (!net_eq(net, net_vport)) {
+		int id = peernet2id_alloc(net, net_vport, GFP_ATOMIC);
 
 		if (nla_put_s32(skb, OVS_VPORT_ATTR_NETNSID, id))
-			goto nla_put_failure;
+			goto nla_put_failure_unlock;
 	}
+	rcu_read_unlock();
 
 	ovs_vport_get_stats(vport, &vport_stats);
 	if (nla_put_64bit(skb, OVS_VPORT_ATTR_STATS,
@@ -1951,6 +1955,8 @@ static int ovs_vport_cmd_fill_info(struct vport *vport, struct sk_buff *skb,
 	genlmsg_end(skb, ovs_header);
 	return 0;
 
+nla_put_failure_unlock:
+	rcu_read_unlock();
 nla_put_failure:
 	err = -EMSGSIZE;
 error:







