Date: Tue, 27 Apr 2021 18:48:27 +0200
From: Greg Kroah-Hartman
To: Joe Stringer
Cc: Matteo Croce, LKML, Kangjie Lu, "David S . Miller", netdev
Subject: Re: [PATCH 126/190] Revert "net: openvswitch: fix a NULL pointer dereference"
References: <20210421130105.1226686-1-gregkh@linuxfoundation.org> <20210421130105.1226686-127-gregkh@linuxfoundation.org> <20210422015957.4f6d4dfa@linux.microsoft.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 21, 2021 at 09:09:56PM -0700, Joe Stringer wrote:
> On Wed, Apr 21, 2021 at 5:01 PM Matteo Croce wrote:
> >
> > On Wed, 21 Apr 2021 15:00:01 +0200
> > Greg Kroah-Hartman wrote:
> >
> > > This reverts commit 6f19893b644a9454d85e593b5e90914e7a72b7dd.
> > >
> > > Commits from @umn.edu addresses have been found to be submitted in
> > > "bad faith" to try to test the kernel community's ability to review
> > > "known malicious" changes. The result of these submissions can be
> > > found in a paper published at the 42nd IEEE Symposium on Security and
> > > Privacy entitled, "Open Source Insecurity: Stealthily Introducing
> > > Vulnerabilities via Hypocrite Commits" written by Qiushi Wu
> > > (University of Minnesota) and Kangjie Lu (University of Minnesota).
> > >
> > > Because of this, all submissions from this group must be reverted from
> > > the kernel tree and will need to be re-reviewed again to determine if
> > > they actually are a valid fix. Until that work is complete, remove
> > > this change to ensure that no problems are being introduced into the
> > > codebase.
> > >
> > > Cc: Kangjie Lu
> > > Cc: David S. Miller
> > > Signed-off-by: Greg Kroah-Hartman
> > > --- > > > net/openvswitch/datapath.c | 4 ---- > > > 1 file changed, 4 deletions(-) > > > > > > diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c > > > index 9d6ef6cb9b26..99e63f4bbcaf 100644 > > > --- a/net/openvswitch/datapath.c 
> > > +++ b/net/openvswitch/datapath.c 
> > > @@ -443,10 +443,6 @@ static int queue_userspace_packet(struct > > > datapath *dp, struct sk_buff *skb, > > > upcall = genlmsg_put(user_skb, 0, 0, &dp_packet_genl_family, > > > 0, upcall_info->cmd); > > > - if (!upcall) { > > > - err = -EINVAL; > > > - goto out; > > > - } > > > upcall->dp_ifindex = dp_ifindex; > > > > > > err = ovs_nla_put_key(key, key, OVS_PACKET_ATTR_KEY, false, > > > user_skb);
> >
> > This patch seems good to me, but given the situation I'd like another
> > pair of eyes on it, at least.
>
> The revert LGTM.
>
> A few lines above:
>
>         len = upcall_msg_size(upcall_info, hlen - cutlen,
>                               OVS_CB(skb)->acts_origlen);
>         user_skb = genlmsg_new(len, GFP_ATOMIC);
>         if (!user_skb) {
>                 err = -ENOMEM;
>                 goto out;
>         }
>
> upcall_msg_size() calculates the expected size of the buffer,
> including at the very least a nlmsg-aligned sizeof(struct ovs_header),
> plus other constants and also potential (likely) variable lengths
> based on the current flow context.
>
> genlmsg_new() adds the (nlmsg-aligned) nlmsg header length to the
> calculated length when allocating the buffer, and if the memory
> allocation fails here then the error is already returned.
>
> I don't then see a way for genlmsg_put() to fail per the hunk in the
> commit here given that its buffer reservation is calculated based on:
>
>         nlh = nlmsg_put(skb, portid, seq, family->id, GENL_HDRLEN +
>                         family->hdrsize, flags);
>
> Where family->hdrsize would be sizeof(struct ovs_header) since
> dp_packet_genl_family is the family passed into the genlmsg_put()
> call:
>
>         static struct genl_family dp_packet_genl_family __ro_after_init = {
>                 .hdrsize = sizeof(struct ovs_header),
>
> Even if there were some allocation bug here to be fixed (due to
> miscalculating the buffer size in the first place), I don't see how
> the extra error path in the included patch could catch such an error.
> The original patch doesn't seem necessarily problematic, but it
> doesn't seem like it adds anything of value either (or at least,
> nothing a comment couldn't clearly explain).
>
> Cheers,
> Joe

Many thanks for the review, now dropping this revert from my tree.

greg k-h
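
Review bot: in the @@ -443,10 +443,6 @@ hunk of net/openvswitch/datapath.c, removing the "if (!upcall)" block leaves "upcall->dp_ifindex = dp_ifindex;" dereferencing the return value of genlmsg_put() with nothing in the code saying why it cannot be NULL. The argument made in the reply (user_skb comes from genlmsg_new(len, GFP_ATOMIC), with len from upcall_msg_size() already covering the nlmsg-aligned struct ovs_header that genlmsg_put() reserves) should be written as a short comment above the genlmsg_put() call if the check goes away; otherwise keep the check so the sizing invariant is enforced at the call site instead of assumed.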
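
The sizing argument in Joe's reply, worked through as an added example (not part of the original thread and not kernel code). It is a userspace model: the header constants and the helper names genlmsg_new_size(), genlmsg_put_need(), put_fits() and put_never_fails() are assumptions made for illustration, and allocator rounding in alloc_skb(), which only adds tailroom, is ignored.

```c
#include <stddef.h>
#include <stdio.h>

/* Constants modelled on the kernel's netlink/genetlink headers (assumed values). */
#define NLMSG_ALIGN(len) (((size_t)(len) + 3) & ~(size_t)3)
#define NLMSG_HDRLEN ((size_t)16) /* aligned sizeof(struct nlmsghdr) */
#define GENL_HDRLEN  ((size_t)4)  /* aligned sizeof(struct genlmsghdr) */
#define OVS_HDRSIZE  ((size_t)4)  /* sizeof(struct ovs_header): one int */

/* Bytes genlmsg_new(payload) asks for: nlmsg header + genl header + payload. */
static size_t genlmsg_new_size(size_t payload)
{
    return NLMSG_ALIGN(NLMSG_HDRLEN + NLMSG_ALIGN(GENL_HDRLEN + payload));
}

/* Bytes genlmsg_put() reserves via nlmsg_put(): GENL_HDRLEN + family->hdrsize. */
static size_t genlmsg_put_need(size_t hdrsize)
{
    return NLMSG_ALIGN(NLMSG_HDRLEN + GENL_HDRLEN + hdrsize);
}

/* Smallest value upcall_msg_size() can return: the aligned ovs_header alone. */
static size_t min_upcall_msg_size(void)
{
    return NLMSG_ALIGN(OVS_HDRSIZE);
}

/* Returns 1 if the header reservation fits a buffer sized for `payload`. */
static int put_fits(size_t payload, size_t hdrsize)
{
    return genlmsg_put_need(hdrsize) <= genlmsg_new_size(payload);
}

/* Returns 1 when no payload in [minimum, limit) leaves the reservation short. */
static int put_never_fails(size_t limit)
{
    for (size_t len = min_upcall_msg_size(); len < limit; len++)
        if (!put_fits(len, OVS_HDRSIZE))
            return 0;
    return 1;
}

int main(void)
{
    printf("need=%zu have(min)=%zu never_fails=%d payload0_fits=%d\n",
           genlmsg_put_need(OVS_HDRSIZE),
           genlmsg_new_size(min_upcall_msg_size()),
           put_never_fails(65536), put_fits(0, OVS_HDRSIZE));
    return 0;
}
```

In this model the reservation always fits once the payload includes the aligned ovs_header; only a payload that left the header out (the payload 0 case) comes up short.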