When a tunnel vport is created it first creates the tunnel device, e.g.,
with geneve_dev_create_fb(), then it calls ovs_netdev_link() to take a
reference and link it to the device that represents openvswitch datapath.
The creation of the device is happening under RTNL, but then RTNL is
released and re-acquired to find the device by name. It is technically
possible for the tunnel device to be re-named or deleted within that
window while RTNL is not held, and some other device created in its
place. This will cause a non-tunnel device to be referenced in the
vport and tunnel-specific functions used on it, e.g. vxlan_get_options()
that directly casts the private netdev data into a struct vxlan_dev
causing an invalid memory access:
BUG: KASAN: slab-use-after-free in vxlan_get_options+0x323/0x3a0
vxlan_get_options+0x323/0x3a0
ovs_vport_cmd_new+0x6e3/0xd30
Fix that by taking a reference to the just created device before
releasing RTNL. This ensures that the device in the vport is always
the one that was just created. The search by name is only needed
for a standard vport-netdev that links pre-existing devices, so that
functionality and device type checks are moved to netdev_create().
It is also awkward that ovs_netdev_link() takes ownership of the vport
and destroys it on failure. It doesn't know the type of the port it is
dealing with, so we need to pass down the indicator that it's a tunnel,
so the link can be properly deleted on failure.
It's possible to refactor the logic to make the ovs_netdev_link() do
only the linking part and let the callers perform a proper destruction,
but it will be much more code for each legacy tunnel port type, so it
is not worth it for the bug fix.
Fixes: 614732eaa1 ("openvswitch: Use regular VXLAN net_device device")
Reported-by: Yuan Tan <tanyuan98@outlook.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reported-by: Yang Yang <n05ec@lzu.edu.cn>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Link: https://patch.msgid.link/20260430213349.407991-1-i.maximets@ovn.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (c) 2014 Nicira, Inc.
* Copyright (c) 2013 Cisco Systems, Inc.
*/
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/openvswitch.h>
#include <linux/module.h>
#include <net/udp.h>
#include <net/ip_tunnels.h>
#include <net/rtnetlink.h>
#include <net/vxlan.h>
#include "datapath.h"
#include "vport.h"
#include "vport-netdev.h"
/*
 * Forward declaration: the ops table is defined at the bottom of the file,
 * but vxlan_tnl_create() needs its address when allocating the vport.
 */
static struct vport_ops ovs_vxlan_netdev_vport_ops;

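/**
 * vxlan_get_options - report the tunnel options of a VXLAN vport to netlink
 * @vport: the vport; @vport->dev must be the vxlan device created for it
 * @skb: netlink message being filled
 *
 * Emits OVS_TUNNEL_ATTR_DST_PORT (host order) and, when Group Based Policy
 * is enabled on the device, a nested OVS_TUNNEL_ATTR_EXTENSION carrying the
 * OVS_VXLAN_EXT_GBP flag.
 *
 * Return: 0 on success, or -EMSGSIZE when @skb has no room left.
 */
static int vxlan_get_options(const struct vport *vport, struct sk_buff *skb)
{
	/*
	 * netdev_priv() is only meaningful for the vxlan device that
	 * vxlan_tnl_create() attached to this vport.  Any other device type
	 * here would have its private data read as a struct vxlan_dev, so
	 * the creation path must guarantee the device identity.
	 */
	struct vxlan_dev *vxlan = netdev_priv(vport->dev);
	__be16 dst_port = vxlan->cfg.dst_port;
	struct nlattr *exts;

	if (nla_put_u16(skb, OVS_TUNNEL_ATTR_DST_PORT, ntohs(dst_port)))
		return -EMSGSIZE;

	/* GBP is the only extension this vport type reports. */
	if (!(vxlan->cfg.flags & VXLAN_F_GBP))
		return 0;

	exts = nla_nest_start_noflag(skb, OVS_TUNNEL_ATTR_EXTENSION);
	if (!exts)
		return -EMSGSIZE;

	/* The GBP test above already passed; no need to re-check the flag. */
	if (nla_put_flag(skb, OVS_VXLAN_EXT_GBP))
		return -EMSGSIZE;

	nla_nest_end(skb, exts);

	return 0;
}
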
/*
 * Netlink policy for the attributes nested under OVS_TUNNEL_ATTR_EXTENSION.
 * Only OVS_VXLAN_EXT_GBP is described here, and it is a bare flag.
 */
static const struct nla_policy exts_policy[OVS_VXLAN_EXT_MAX + 1] = {
	[OVS_VXLAN_EXT_GBP] = { .type = NLA_FLAG, },
};

/**
 * vxlan_configure_exts - apply OVS_TUNNEL_ATTR_EXTENSION to a vxlan config
 * @vport: vport being created (not used by this function)
 * @attr: the nested OVS_TUNNEL_ATTR_EXTENSION attribute supplied by userspace
 * @conf: vxlan configuration to update
 *
 * Parses the nested extension attributes against exts_policy and sets
 * VXLAN_F_GBP in @conf->flags when OVS_VXLAN_EXT_GBP is present.
 *
 * Return: 0 on success, -EINVAL if @attr is too short to hold even one
 * nested attribute header, or the error from nla_parse_nested_deprecated().
 */
static int vxlan_configure_exts(struct vport *vport, struct nlattr *attr,
				struct vxlan_config *conf)
{
	struct nlattr *exts[OVS_VXLAN_EXT_MAX + 1];
	int ret;

	/* Reject an extension block that cannot contain a single attribute. */
	if (nla_len(attr) < sizeof(struct nlattr))
		return -EINVAL;

	ret = nla_parse_nested_deprecated(exts, OVS_VXLAN_EXT_MAX, attr,
					  exts_policy, NULL);
	if (ret < 0)
		return ret;

	if (exts[OVS_VXLAN_EXT_GBP] != NULL)
		conf->flags |= VXLAN_F_GBP;

	return 0;
}

/**
 * vxlan_tnl_create - allocate a VXLAN vport and its backing net_device
 * @parms: vport parameters; @parms->options must carry a u16
 *	   OVS_TUNNEL_ATTR_DST_PORT and may carry OVS_TUNNEL_ATTR_EXTENSION
 *
 * Creates a metadata-collecting vxlan device named @parms->name in the
 * datapath's network namespace, brings it up, and stores it in @vport->dev
 * with a reference held.  Creating, bringing up and referencing the device
 * all happen in one RTNL critical section; see the comment at netdev_hold().
 *
 * Return: the new vport, or an ERR_PTR(): -EINVAL when options or the
 * destination port are missing/invalid, otherwise the error from
 * ovs_vport_alloc(), vxlan_configure_exts(), vxlan_dev_create() or
 * dev_change_flags().  Nothing is left allocated on failure.
 */
static struct vport *vxlan_tnl_create(const struct vport_parms *parms)
{
	struct net *net = ovs_dp_get_net(parms->dp);
	struct nlattr *options = parms->options;
	struct net_device *dev;
	struct vport *vport;
	struct nlattr *a;
	int err;
	struct vxlan_config conf = {
		.no_share = true,
		.flags = VXLAN_F_COLLECT_METADATA | VXLAN_F_UDP_ZERO_CSUM6_RX,
		/* Don't restrict the packets that can be sent by MTU */
		.mtu = IP_MAX_MTU,
	};

	if (!options) {
		err = -EINVAL;
		goto error;
	}

	a = nla_find_nested(options, OVS_TUNNEL_ATTR_DST_PORT);
	if (a && nla_len(a) == sizeof(u16)) {
		conf.dst_port = htons(nla_get_u16(a));
	} else {
		/* Require destination port from userspace. */
		err = -EINVAL;
		goto error;
	}

	vport = ovs_vport_alloc(0, &ovs_vxlan_netdev_vport_ops, parms);
	if (IS_ERR(vport))
		return vport;

	a = nla_find_nested(options, OVS_TUNNEL_ATTR_EXTENSION);
	if (a) {
		err = vxlan_configure_exts(vport, a, &conf);
		if (err) {
			ovs_vport_free(vport);
			goto error;
		}
	}

	rtnl_lock();
	dev = vxlan_dev_create(net, parms->name, NET_NAME_USER, &conf);
	if (IS_ERR(dev)) {
		rtnl_unlock();
		ovs_vport_free(vport);
		return ERR_CAST(dev);
	}

	err = dev_change_flags(dev, dev->flags | IFF_UP, NULL);
	if (err < 0) {
		/* The vport does not reference the device yet; just delete it. */
		rtnl_delete_link(dev, 0, NULL);
		rtnl_unlock();
		ovs_vport_free(vport);
		goto error;
	}

	/*
	 * Attach and reference the device before dropping RTNL.  Once RTNL is
	 * released the device could be renamed or deleted and a different one
	 * created under the same name, so a later lookup by name could hand
	 * the vport a device that is not a vxlan device at all.  Holding it
	 * here guarantees vport->dev is exactly the device created above.
	 */
	vport->dev = dev;
	netdev_hold(vport->dev, &vport->dev_tracker, GFP_KERNEL);

	rtnl_unlock();
	return vport;
error:
	return ERR_PTR(err);
}

/**
 * vxlan_create - vport_ops.create callback for OVS_VPORT_TYPE_VXLAN
 * @parms: vport parameters
 *
 * Builds the vport and its vxlan device with vxlan_tnl_create(), then links
 * it to the datapath.  ovs_netdev_link() owns @vport from that point on and
 * destroys it if linking fails; the 'true' argument tells it the device is
 * a tunnel this module created, so that the link is deleted as part of that
 * cleanup rather than left behind.
 *
 * Return: the linked vport, or an ERR_PTR() from either step.
 */
static struct vport *vxlan_create(const struct vport_parms *parms)
{
	struct vport *vport = vxlan_tnl_create(parms);

	if (IS_ERR(vport))
		return vport;

	return ovs_netdev_link(vport, true);
}

/* vport_ops for the VXLAN tunnel vport type, registered at module init. */
static struct vport_ops ovs_vxlan_netdev_vport_ops = {
	.type = OVS_VPORT_TYPE_VXLAN,
	.create = vxlan_create,
	/* Teardown shared with the other netdev-backed tunnel vports. */
	.destroy = ovs_netdev_tunnel_destroy,
	.get_options = vxlan_get_options,
	/* Transmit hands the skb straight to the vxlan device's queue. */
	.send = dev_queue_xmit,
};

/*
 * Module entry point: make the VXLAN vport type available to the datapath.
 * Returns the status of ovs_vport_ops_register().
 */
static int __init ovs_vxlan_tnl_init(void)
{
	int err = ovs_vport_ops_register(&ovs_vxlan_netdev_vport_ops);

	return err;
}

/* Module exit: withdraw the VXLAN vport type registered in init. */
static void __exit ovs_vxlan_tnl_exit(void)
{
	ovs_vport_ops_unregister(&ovs_vxlan_netdev_vport_ops);
}

module_init(ovs_vxlan_tnl_init);
module_exit(ovs_vxlan_tnl_exit);

MODULE_DESCRIPTION("OVS: VXLAN switching port");
MODULE_LICENSE("GPL");
/*
 * NOTE(review): alias presumably used for on-demand loading by vport type
 * number; the number is expected to match OVS_VPORT_TYPE_VXLAN - confirm
 * against the datapath's module request path.
 */
MODULE_ALIAS("vport-type-4");