From: Aaron Conole <aconole@redhat.com>
To: Adrian Moreno via dev <ovs-dev@openvswitch.org>
Cc: netdev@vger.kernel.org, Adrian Moreno <amorenoz@redhat.com>,
"open list:OPENVSWITCH" <dev@openvswitch.org>,
Paolo Abeni <pabeni@redhat.com>,
Pravin B Shelar <pshelar@nicira.com>,
Ilya Maximets <i.maximets@ovn.org>,
open list <linux-kernel@vger.kernel.org>,
Eric Dumazet <edumazet@google.com>,
Simon Horman <horms@kernel.org>,
Jarno Rajahalme <jrajahalme@nicira.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Minxi Hou <houminxi@gmail.com>
Subject: Re: [ovs-dev] [PATCH net] net: openvswitch: fix possible kfree_skb of ERR_PTR
Date: Thu, 04 Jun 2026 11:36:16 -0400 [thread overview]
Message-ID: <f7tzf1agvwv.fsf@redhat.com> (raw)
In-Reply-To: <20260604121946.942164-1-amorenoz@redhat.com> (Adrian Moreno via dev's message of "Thu, 4 Jun 2026 14:19:46 +0200")
Hi Adrian,
Adrian Moreno via dev <ovs-dev@openvswitch.org> writes:
> After the patch in the "Fixes" tag, the allocation of the "reply" skb
> can happen either before or after locking the ovs_mutex.
>
> However, error cleanups still follow the classical reversed order,
> assuming "reply" is allocated before locking: it is freed after unlocking.
>
> If "reply" allocation happens after locking the mutex and it fails,
> "reply" is left with an ERR_PTR, and execution jumps to the correspondent
> cleanup stage which will try to free an invalid pointer.
>
> Fix this by setting the pointer to NULL after having saved its error
> value.
>
> Fixes: 893f139b9a6c ("openvswitch: Minimize ovs_flow_cmd_new|set
> critical sections.")
>
> Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
> ---
Good catch - I guess this should only happen when modifying an existing
flow without putting any actions (and that would be only from an
implicit drop case since the actions list would be empty). CC'ing
Minxi, since he's recently had interest in the selftests area and may be
able to help with writing a test case for the scenario.
Reviewed-by: Aaron Conole <aconole@redhat.com>
prev parent reply other threads:[~2026-06-04 15:36 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-04 12:19 [PATCH net] net: openvswitch: fix possible kfree_skb of ERR_PTR Adrian Moreno
2026-06-04 15:36 ` Aaron Conole [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f7tzf1agvwv.fsf@redhat.com \
--to=aconole@redhat.com \
--cc=amorenoz@redhat.com \
--cc=davem@davemloft.net \
--cc=dev@openvswitch.org \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=houminxi@gmail.com \
--cc=i.maximets@ovn.org \
--cc=jrajahalme@nicira.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=ovs-dev@openvswitch.org \
--cc=pabeni@redhat.com \
--cc=pshelar@nicira.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox