Re: [PATCH net] net: openvswitch: fix possible kfree_skb of ERR_PTR

Next message: Herve Codina: "Re: [PATCH v7 0/3] lan966x pci device: Add support for SFPs, i2c part"
Previous message: Bibo Mao: "Re: [PATCH] LoongArch: KVM: return full old CSR value from kvm_emu_xchg_csr()"
In reply to: Jakub Kicinski: "Re: [ovs-dev] [PATCH net] net: openvswitch: fix possible kfree_skb of ERR_PTR"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eelco Chaudron

Date: Fri Jun 05 2026 - 02:40:53 EST

On 4 Jun 2026, at 14:19, Adrian Moreno wrote:

> After the patch in the "Fixes" tag, the allocation of the "reply" skb
> can happen either before or after locking the ovs_mutex.
>
> However, error cleanups still follow the classical reversed order,
> assuming "reply" is allocated before locking: it is freed after unlocking.
>
> If "reply" allocation happens after locking the mutex and it fails,
> "reply" is left with an ERR_PTR, and execution jumps to the correspondent
> cleanup stage which will try to free an invalid pointer.
>
> Fix this by setting the pointer to NULL after having saved its error
> value.
>
> Fixes: 893f139b9a6c ("openvswitch: Minimize ovs_flow_cmd_new|set critical sections.")
>
> Signed-off-by: Adrian Moreno <amorenoz@xxxxxxxxxx>

Thanks Adrian for finding and fixing this! The change looks good to me.

Acked-by: Eelco Chaudron <echaudro@xxxxxxxxxx>