From: Jakub Kicinski <kuba@kernel.org>
To: Simon Horman <simon.horman@corigine.com>
Cc: Felix Fietkau <nbd@nbd.name>, netdev@vger.kernel.org
Subject: Re: [PATCH net 1/2] net: ethernet: mtk_eth_soc: fix flow block refcounting
Date: Wed, 22 Mar 2023 22:37:13 -0700 [thread overview]
Message-ID: <20230322223713.4e339b35@kernel.org> (raw)
In-Reply-To: <ZBsR0C/3+0ZsWnhf@corigine.com>
On Wed, 22 Mar 2023 15:33:52 +0100 Simon Horman wrote:
> On Tue, Mar 21, 2023 at 02:37:18PM +0100, Felix Fietkau wrote:
> > Since we call flow_block_cb_decref on FLOW_BLOCK_UNBIND, we need to call
> > flow_block_cb_incref unconditionally, even for a newly allocated cb.
> > Fixes a use-after-free bug. Also fix the accidentally inverted refcount
> > check on unbind.
>
> Firstly, it's usually best to have one fix per patch.
Or at least reword the commit message to make it look like it's fixing
the refcounting logic?
> > block_cb = flow_block_cb_lookup(f->block, cb, dev);
> > - if (block_cb) {
> > - flow_block_cb_incref(block_cb);
> > - return 0;
> > + if (!block_cb) {
> > + block_cb = flow_block_cb_alloc(cb, dev, dev, NULL);
> > + if (IS_ERR(block_cb))
> > + return PTR_ERR(block_cb);
> > +
> > + register_block = true;
> > }
> > - block_cb = flow_block_cb_alloc(cb, dev, dev, NULL);
> > - if (IS_ERR(block_cb))
> > - return PTR_ERR(block_cb);
> >
> > - flow_block_cb_add(block_cb, f);
> > - list_add_tail(&block_cb->driver_list, &block_cb_list);
> > + flow_block_cb_incref(block_cb);
> > +
> > + if (register_block) {
> > + flow_block_cb_add(block_cb, f);
> > + list_add_tail(&block_cb->driver_list, &block_cb_list);
> > + }
> > return 0;
>
> I think the existing code was more idiomatic, and could
> be maintained by simply adding a call to flow_block_cb_incref()
> before the call to flow_block_cb_add().
>
> @@ -576,6 +576,7 @@ mtk_eth_setup_tc_block(struct net_device *dev, struct flow_block_offload *f)
> if (IS_ERR(block_cb))
> return PTR_ERR(block_cb);
>
> + flow_block_cb_incref(block_cb);
> flow_block_cb_add(block_cb, f);
> list_add_tail(&block_cb->driver_list, &block_cb_list);
> return 0;
That'd be my go to fix as well, FWIW.
Alternatively - the block cannot be removed until FLOW_BLOCK_UNBIND is
called, right? So the register_block bool can be skipped and
refcount taken after flow_block_cb_add() / list_add_tail().
That way at least the new block handling doesn't have to be split
into two chunks.
next prev parent reply other threads:[~2023-03-23 5:37 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-21 13:37 [PATCH net 1/2] net: ethernet: mtk_eth_soc: fix flow block refcounting Felix Fietkau
2023-03-21 13:37 ` [PATCH net 2/2] net: ethernet: mtk_eth_soc: fix L2 offloading with DSA untag offload enabled Felix Fietkau
2023-03-22 14:33 ` [PATCH net 1/2] net: ethernet: mtk_eth_soc: fix flow block refcounting Simon Horman
2023-03-23 5:37 ` Jakub Kicinski [this message]
2023-03-23 8:55 ` Felix Fietkau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230322223713.4e339b35@kernel.org \
--to=kuba@kernel.org \
--cc=nbd@nbd.name \
--cc=netdev@vger.kernel.org \
--cc=simon.horman@corigine.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.