From: Felix Fietkau <nbd@nbd.name>
To: netdev@vger.kernel.org, John Crispin <john@phrozen.org>,
Sean Wang <sean.wang@mediatek.com>,
Mark Lee <Mark-MC.Lee@mediatek.com>,
Lorenzo Bianconi <lorenzo@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
Pablo Neira Ayuso <pablo@netfilter.org>
Cc: linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH net v2 3/5] net: ethernet: mtk_eth_soc: fix flow_offload related refcount bug
Date: Tue, 27 Dec 2022 15:08:05 +0100 [thread overview]
Message-ID: <20221227140807.48413-3-nbd@nbd.name> (raw)
In-Reply-To: <20221227140807.48413-1-nbd@nbd.name>
Since we call flow_block_cb_decref on FLOW_BLOCK_UNBIND, we need to call
flow_block_cb_incref unconditionally, even for a newly allocated cb.
Fixes a use-after-free bug
Fixes: 502e84e2382d ("net: ethernet: mtk_eth_soc: add flow offloading support")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
.../net/ethernet/mediatek/mtk_ppe_offload.c | 21 ++++++++++++-------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mediatek/mtk_ppe_offload.c b/drivers/net/ethernet/mediatek/mtk_ppe_offload.c
index 81afd5ee3fbf..412d215b9571 100644
--- a/drivers/net/ethernet/mediatek/mtk_ppe_offload.c
+++ b/drivers/net/ethernet/mediatek/mtk_ppe_offload.c
@@ -554,6 +554,7 @@ mtk_eth_setup_tc_block(struct net_device *dev, struct flow_block_offload *f)
struct mtk_eth *eth = mac->hw;
static LIST_HEAD(block_cb_list);
struct flow_block_cb *block_cb;
+ bool register_block = false;
flow_setup_cb_t *cb;
if (!eth->soc->offload_version)
@@ -568,16 +569,20 @@ mtk_eth_setup_tc_block(struct net_device *dev, struct flow_block_offload *f)
switch (f->command) {
case FLOW_BLOCK_BIND:
block_cb = flow_block_cb_lookup(f->block, cb, dev);
- if (block_cb) {
- flow_block_cb_incref(block_cb);
- return 0;
+ if (!block_cb) {
+ block_cb = flow_block_cb_alloc(cb, dev, dev, NULL);
+ if (IS_ERR(block_cb))
+ return PTR_ERR(block_cb);
+
+ register_block = true;
}
- block_cb = flow_block_cb_alloc(cb, dev, dev, NULL);
- if (IS_ERR(block_cb))
- return PTR_ERR(block_cb);
- flow_block_cb_add(block_cb, f);
- list_add_tail(&block_cb->driver_list, &block_cb_list);
+ flow_block_cb_incref(block_cb);
+
+ if (register_block) {
+ flow_block_cb_add(block_cb, f);
+ list_add_tail(&block_cb->driver_list, &block_cb_list);
+ }
return 0;
case FLOW_BLOCK_UNBIND:
block_cb = flow_block_cb_lookup(f->block, cb, dev);
--
2.38.1
WARNING: multiple messages have this Message-ID (diff)
From: Felix Fietkau <nbd@nbd.name>
To: netdev@vger.kernel.org, John Crispin <john@phrozen.org>,
Sean Wang <sean.wang@mediatek.com>,
Mark Lee <Mark-MC.Lee@mediatek.com>,
Lorenzo Bianconi <lorenzo@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
Pablo Neira Ayuso <pablo@netfilter.org>
Cc: linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH net v2 3/5] net: ethernet: mtk_eth_soc: fix flow_offload related refcount bug
Date: Tue, 27 Dec 2022 15:08:05 +0100 [thread overview]
Message-ID: <20221227140807.48413-3-nbd@nbd.name> (raw)
In-Reply-To: <20221227140807.48413-1-nbd@nbd.name>
Since we call flow_block_cb_decref on FLOW_BLOCK_UNBIND, we need to call
flow_block_cb_incref unconditionally, even for a newly allocated cb.
Fixes a use-after-free bug
Fixes: 502e84e2382d ("net: ethernet: mtk_eth_soc: add flow offloading support")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
.../net/ethernet/mediatek/mtk_ppe_offload.c | 21 ++++++++++++-------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mediatek/mtk_ppe_offload.c b/drivers/net/ethernet/mediatek/mtk_ppe_offload.c
index 81afd5ee3fbf..412d215b9571 100644
--- a/drivers/net/ethernet/mediatek/mtk_ppe_offload.c
+++ b/drivers/net/ethernet/mediatek/mtk_ppe_offload.c
@@ -554,6 +554,7 @@ mtk_eth_setup_tc_block(struct net_device *dev, struct flow_block_offload *f)
struct mtk_eth *eth = mac->hw;
static LIST_HEAD(block_cb_list);
struct flow_block_cb *block_cb;
+ bool register_block = false;
flow_setup_cb_t *cb;
if (!eth->soc->offload_version)
@@ -568,16 +569,20 @@ mtk_eth_setup_tc_block(struct net_device *dev, struct flow_block_offload *f)
switch (f->command) {
case FLOW_BLOCK_BIND:
block_cb = flow_block_cb_lookup(f->block, cb, dev);
- if (block_cb) {
- flow_block_cb_incref(block_cb);
- return 0;
+ if (!block_cb) {
+ block_cb = flow_block_cb_alloc(cb, dev, dev, NULL);
+ if (IS_ERR(block_cb))
+ return PTR_ERR(block_cb);
+
+ register_block = true;
}
- block_cb = flow_block_cb_alloc(cb, dev, dev, NULL);
- if (IS_ERR(block_cb))
- return PTR_ERR(block_cb);
- flow_block_cb_add(block_cb, f);
- list_add_tail(&block_cb->driver_list, &block_cb_list);
+ flow_block_cb_incref(block_cb);
+
+ if (register_block) {
+ flow_block_cb_add(block_cb, f);
+ list_add_tail(&block_cb->driver_list, &block_cb_list);
+ }
return 0;
case FLOW_BLOCK_UNBIND:
block_cb = flow_block_cb_lookup(f->block, cb, dev);
--
2.38.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2022-12-27 14:09 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-27 14:08 [PATCH net v2 1/5] net: ethernet: mtk_eth_soc: account for vlan in rx header length Felix Fietkau
2022-12-27 14:08 ` Felix Fietkau
2022-12-27 14:08 ` [PATCH net v2 2/5] net: ethernet: mtk_eth_soc: work around issue with sending small fragments Felix Fietkau
2022-12-27 14:08 ` Felix Fietkau
2022-12-27 14:08 ` Felix Fietkau [this message]
2022-12-27 14:08 ` [PATCH net v2 3/5] net: ethernet: mtk_eth_soc: fix flow_offload related refcount bug Felix Fietkau
2022-12-27 14:08 ` [PATCH net v2 4/5] net: ethernet: mtk_eth_soc: drop generic vlan rx offload, only use DSA untagging Felix Fietkau
2022-12-27 14:08 ` Felix Fietkau
2022-12-27 14:08 ` Felix Fietkau
2022-12-30 4:07 ` Jakub Kicinski
2022-12-30 4:07 ` Jakub Kicinski
2022-12-30 4:07 ` Jakub Kicinski
2022-12-27 14:08 ` [PATCH net v2 5/5] net: ethernet: mtk_eth_soc: ppe: fix L2 offloading with DSA untagging offload enabled Felix Fietkau
2022-12-27 14:08 ` Felix Fietkau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221227140807.48413-3-nbd@nbd.name \
--to=nbd@nbd.name \
--cc=Mark-MC.Lee@mediatek.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=john@phrozen.org \
--cc=kuba@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=lorenzo@kernel.org \
--cc=matthias.bgg@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=sean.wang@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.